To stop security breaches, kill the username and password
You don't have to be an online security expert to know that usernames and passwords are not cutting it. It's time to completely re-think how we manage our online identities.
Tim Stevens, former editor at large for CNET Cars
Tim Stevens got his start writing professionally while still in school in the mid '90s, and since then has covered topics ranging from business process management to video game development to automotive technology.
For decades we've been taught that, when it comes to important stuff, putting all of it in one place is a bad idea. Spread your investments around, keep copies of important documents in as many places as possible, and always, always have a backup -- multiple, if possible.
That becomes a problem when we talk about spreading our personal information all over the Internet. That, as it turns out, is a very bad idea. As I write this, we're gradually learning more about what may be the largest data breach in history: 1.2 billion records allegedly exposed, over 500 million accounts impacted, covering some 420,000 individual websites worldwide. That's very, very bad, but it all pales in comparison to the depressing knowledge that this won't be the last.
The simple truth is this: there is nothing you can do to truly protect yourself from attacks like this. Changing your passwords won't save you, because your data was probably exposed weeks or months before anyone found out. Choosing secure passwords helps, as does using different ones for every site you visit. You can also use multiple email addresses, even different physical aliases and addresses for online shopping. But, so long as the sites you use keep proving vulnerable, some segment of your data will always be at risk.
So, if there's nothing you can do to properly prevent this, is the situation hopeless? Right now, yeah, it is. But it doesn't have to stay that way. It's time for a major re-think of online authentication. It's time to stop putting our eggs in every basket, because securing all those baskets is a fool's game.
Let's say you're shopping for something. You find it at an online retailer you think you can trust, add it to your cart. You click to check out. To get the thing to you they need an address, so you type that in. You'll also need to get updates on the order, so you provide your email, and of course a password. They'll probably want a credit card, too. All that gets stored in some database somewhere.
A week or two goes by and it's time to shop for something else, something completely different. You find it at another store, add it to another basket, and click on another checkout button. What happens next? The same exact process. Address, email, password, credit card -- all the same data, now duplicated across two retailers.
Over the years you've probably done this dozens, maybe hundreds of times, spreading your info far and wide. Some sites need more -- birth dates, Social Security numbers -- some less, each site protecting it in different ways, relying on different levels of encryption, different firewall policies, all administrated by disparate IT groups. Some are well-trained, well-staffed, and on top of their game. Some are limping by with too few people and too little knowledge.
Eventually, one of those sites is going to get compromised. It really doesn't matter which, because you've now provided some basic subset of information across them all. Any copy is as good as any other. Your data is out there, exposed.
The Internet is a web of disparate systems, networks connecting to networks, initially designed for redundancy and resiliency in the case of global war. But, when it comes to security and protecting your personal information, its structure is more like a chain: your data is only as safe as the weakest place you store it. In this most recent series of breaches, there were allegedly more than 420,000 weak links.
The solution is to stop the duplication. Kill the username and password and create a central system for managing identity and personal data. Take responsibility for managing your data out of the hands of every little retailer, Web forum, social network, and online entity out there.
This is not a new idea. Far from it. The OpenID standard, for example, is basically the same concept, and there were others before. Meanwhile, the government has proposed its own solution, lovingly titled National Strategy for Trusted Identities in Cyberspace (NSTIC). OpenID found a fair bit of success when it comes to straightforward authentication tasks, but it's never been a player when it comes to online retail. Recently, major online identity companies like Janrain and Facebook have withdrawn support. (Facebook has launched its own authentication service, Facebook Connect.)
The government's system, meanwhile, is currently in limited trials and pilot programs, mostly thanks to federal mandates. It seems almost destined to fail for one simple reason: nobody trusts the US government. NSTIC was initially proposed in 2010, before all those juicy NSA revelations. Now, any federal attempt at aggregating your personal info would be looked upon with derision -- despite the government already knowing plenty.
So, what's the solution? The core concepts proposed by the above solutions are sound: standardize and centralize the handling of online identity. Create a single mechanism for identifying who you are, a mechanism that the entire industry can develop and work to secure. Generate a centralized authentication system, a series of providers that would manage your identity similar to how ISPs currently deliver your email.
Imagine the same situation as before: you're shopping online. You find a hot new pair of shoes, click to check out. The site prompts you for an ID. It'd be something like an email address, something uniquely identifying you, but it wouldn't be anything you use for communication. You type that in and another window pops up, asking for proof that you are who you say you are. This could be a number of different forms, including a synchronized number generator running on your phone (like Google Authenticator), a physical smartcard that you slot into your computer, even a fingerprint scanner. But, never just a password. That notion, of a random string protecting all of your information, is more dated than a dial-up modem.
Once you prove you are who you say you are, you then grant access to the shopping site. The site would request what it wants, maybe your address and phone number for shipping purposes, and you would approve or deny that request. Crucially, that retailer would never store that information. It would be granted access to that data for the duration of the order, and once completed, that access would be revoked. All payments could even be handled in the same way, so that instead of you spreading your credit card number far and wide, the retailers would pass a dollar amount back to your authentication provider. It'd then be up to you to authorize the charge.
With digital orders the process gets even simpler. If there's nothing to ship there's no need to hand over any of your personal information. If an email needs sending, the retailer could pass that message on to the identifier you provided earlier, and your authentication provider would then make sure it gets passed along. If you hadn't authorized that retailer to send you messages, it would never hit your inbox.
Retailers would never need to see your email address, never see your credit card number, and while they would have access to your physical address, they wouldn't be allowed to store it.
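A toy sketch of the flow just described, added here as an illustration (it is not CNET's code, nor any real identity provider's): the provider alone holds the personal data, the site receives a scoped, time-limited grant covering only the fields the user approved, reads through that grant one field at a time, has a charge approved by the user without ever seeing a card number, and the grant is torn down when the order completes. The identifier, the sample record and the order lifecycle are constructed assumptions, and the second-factor check is assumed to have already passed.

```python
import secrets
import time

# Constructed sample record; the identifier is a placeholder, not a real address.
SAMPLE_USERS = {"alice@id.example": {"address": "1 Example St", "phone": "555-0100",
                                     "email": "a@mail.example", "card": "<card on file>"}}


class IdentityProvider:
    def __init__(self, users):
        self._users = users    # identifier -> personal data; only the provider holds it
        self._grants = {}      # token -> (identifier, approved scopes, expiry time)

    def authorize(self, identifier, requested, approved, ttl_seconds):
        """Second factor assumed already verified; grant only the scopes the
        site requested AND the user approved, and only for a limited time."""
        scopes = frozenset(requested) & frozenset(approved)
        token = secrets.token_urlsafe(16)
        self._grants[token] = (identifier, scopes, time.time() + ttl_seconds)
        return token

    def _live(self, token):
        identifier, scopes, expiry = self._grants.get(token, (None, None, 0))
        if identifier is None or time.time() > expiry:
            self._grants.pop(token, None)     # expired grants are dropped on sight
            raise PermissionError("grant unknown, revoked or expired")
        return identifier, scopes

    def read(self, token, field):
        """One field per call, and only if the live grant covers it."""
        identifier, scopes = self._live(token)
        if field not in scopes:
            raise PermissionError(f"grant does not cover {field!r}")
        return self._users[identifier][field]

    def charge(self, token, amount, user_approves):
        """Retailer passes an amount; the card number never leaves the provider."""
        identifier, _ = self._live(token)
        if not user_approves(identifier, amount):
            raise PermissionError("charge declined by user")
        return f"charged {amount:.2f} to {identifier}'s card on file"

    def revoke(self, token):
        self._grants.pop(token, None)


def fulfil_order(idp, token, amount, user_approves):
    """The retailer's whole view: shipping fields plus an approved charge, then teardown."""
    receipt = idp.charge(token, amount, user_approves)
    label = {f: idp.read(token, f) for f in ("address", "phone")}
    idp.revoke(token)           # order done: access ends, nothing is retained
    return label, receipt
```

The retailer's code path never touches the email or card fields, and any read after revocation or expiry fails rather than returning stale data.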
Isn't this creating a single point of failure?
No. This wouldn't need to be one magical server sitting in a bunker surrounded by barbed wire, armed guards, and menacing dogs with sharpened teeth and spiked collars. This would be a series of protocols and standards, developed by the industry and implemented across it. As far as your browser is concerned, it doesn't matter whether the Web page you're viewing came through Apache or IIS. And, as far as your email client is concerned, it doesn't matter whether the sender was on Gmail or a custom SMTP server.
The Internet runs on a few basic standards. This would be the development, and adoption, of a few more.
Wouldn't hackers focus all their effort on breaking this system?
Sure. However, by greatly reducing the number of places where your information is stored, and by limiting the means of access to it, the task of securing your data becomes infinitely easier. Right now, every retailer is doing things their own way, and it's painfully clear that many of them are doing a pretty poor job of it.
Would this stop all hacks?
Nope. Even if a retailer only has access to your physical address for a few days, that would be enough time for a hacker to crack their systems and request it as well. And, we've seen that fingerprint scanners can be fooled and other forms of two-factor authentication defeated. Additionally, it would always be possible to set up a fake site and trick users into authenticating against it.
There will always be vulnerabilities, but implementing a system like this across the industry would reduce risk in a huge way. Stealing a username and password through a phishing attack is relatively easy. Lifting your fingerprint and creating a copy of your finger, or stealing your wallet to get your digital identification card, is an awful lot more complicated.
Aren't two-factor auth systems already providing this?
Sure, to some degree, but how many smartcards do you want to carry around? How many authenticator apps do you want to install on your phone? Even if everyone implements two-factor authentication, the same problem still exists, just under another layer of security.
Why would any retailer choose to implement this?
This definitely takes a lot of power away from retailers, but think about this: would you buy anything from an online retailer that wasn't using secure transactions? It didn't take long for the green lock signifying a valid SSL certificate to become commonplace, and once a framework was put in place, it wouldn't take long for this to do the same.
Who would pay for it?
Data breaches are expensive, and only getting more so. In 2013 the average cost of a data breach was estimated to be $3.1 million. Last year, that climbed to $3.5 million. The aggregate costs from this most recent data breach are likely to number in the billions. That's more than enough incentive for the companies involved, particularly the banks, which not only eat the cost of bogus transactions, but have to print and ship and manage new credit cards every time. (There's a reason why your latest credit card feels a lot more flimsy than your last one.)
Who would implement it?
This would take a massive, industry-wide effort to implement. Developing the standards alone would likely be months, possibly years of active wrangling in some standards body or another. Then, authentication providers would need to be created, likely with banks and major online companies like Google doing the heavy lifting. Finally, the retailers would need to adopt it, a rollout that would take time and money -- but less money than yet another breach.
Is this realistic?
That depends on one thing: your continued tolerance for these breaches. Are you okay with getting a new credit card every few months, changing each and every auto-pay account every time? Are you okay with going through and swapping out passwords whenever a breach like this occurs? Are you okay with spreading your personal information far and wide and entrusting it with, well, everyone?
If so, then no, this will never happen. This isn't something the government can mandate across the industry, because it needs to be global. And, this isn't something the industry is likely to start without considerable demand, because the retailers sure do like having easy access to all of your information whenever they want it.
So, it's up to you. Let the industry know that you're done with passwords and maybe, finally, the industry will listen.