improving security one step at a time

If you're anything like me, at every family and/or friends' get-together you'll inevitably get roped into providing free IT support for everyone's shiny new devices. This made me think about how we talk to people we know about different online threats, and what to do about them. 

For instance, the NCSC and CyberAware advise everyone to turn on two-step verification (sometimes called two-factor authentication) to protect their important accounts. Two-factor authentication (or 2FA) is increasingly available, and it generally makes services far more secure than only using passwords to authenticate. This is why we say ‘Turn on 2FA’; it's straightforward, clear guidance that most people can follow.

However, some people worry about advising others to use 2FA. They point to the ways in which it can be compromised (especially the SMS-based version), and fear that it might induce a false sense of security. They would rather steer others towards less vulnerable (but also potentially more costly and harder to use) security and privacy solutions, such as PGP or universal second factor tokens.

The same goes for password managers. Password managers have been compromised in the past, and they will be again. So some people think it's wrong to advise others to put all their valuable password eggs in the same basket. Others are more positive about password managers (which is good), but they may not realise that many people have understandable reasons for not wanting to use them (mainly finding them too hard to use). So they are then reluctant to give advice on how to create and maintain the kind of sensible, usable passwords that people need, if they aren't going to use a password manager.

Then there’s password quality. We get questions about our ‘three random words’ blog, asking why the NCSC suggest using passwords that aren’t as cryptographically secure as those that are generated by other methods.

And then, there's the use of biometrics to authenticate users to their phones and other personal devices - primarily, fingerprint and Face ID. These are relatively young technologies, with some well-documented vulnerabilities. Is it really right to encourage people to use them?  

We agree that 2FA is not perfect. Neither are password managers.

Yes, there are more cryptographically secure ways of generating passwords than 'three random words'.

And absolutely, fingerprint and face sensors can be fooled.

However, the NCSC and CyberAware will continue to advise people to use 2FA, password managers, 'three random words' and biometric authentication in their personal lives, because:

Traditional password advice failed because it told us to do things that most of us simply can't do (i.e. memorise lots of long, complex passwords).
