How about Opt-In Certificate Web Logins?
Internet technology is fantastic, but I carry a certain level of anxiety which makes my web surfing less enjoyable. The root cause of this anxiety is the fear that my personal information will be compromised. The thought of my digital credentials being in the hands of an attacker is really quite disturbing. Personally, I try to minimize my “web presence”, so in a way I feel that this paranoia is actually healthy as it helps me maintain this goal. However, when I tally up all of the web logins I have, I realize that my presence is not as minimal as I’d thought. What’s worse is that I don’t think I can remember all of the sites I’ve signed up to.
Have you ever wondered what kind of damage an attacker could do if they have your web credentials? Here are some questions to consider if you care to measure your exposure. How many web site logins do you have? How strong are your passwords? How many times do you reuse the same password for different sites? Do you ever use the same password that you use as your login at work? How many sites do you have accounts on that you can no longer remember? Do you find yourself storing lists of user IDs and passwords so you can keep track of them?
We are taught by security professionals (and maybe common sense) that your passwords should be different for each web site, they should be complex, and you shouldn’t store them or write them down. Obviously this isn’t practical, and the problem has been recognized by the industry, which has responded with new web identity paradigms such as OpenID and InfoCard (a.k.a. CardSpace in Microsoft).
These initiatives may take years to become widely adopted so what can we do in the meantime? IE and Firefox offer one solution via password managers that they build into the browser. They will remember your login credentials and automatically fill them into forms as required. I don’t use these because I don’t trust having password vaults sitting on my machine where they are easily accessible and are ripe targets for attack (see http://www.securityfocus.com/infocus/1882 for a nice survey of password manager risks).
I have a wish. Instead of passwords I’d like to use certificates to authenticate to all of these web sites that use self-managed credentials (i.e. the ones that let me pick my own user ID and password). I’m not suggesting that we force everyone to use a certificate. But if you have one, why not give you the choice? My reasons are the following:
1) Security
2) Convenience
3) It should be easy to enable…
You’re probably thinking that I’ve gone off the deep end, especially on that last point, but hear me out. From an identity theft perspective you can’t beat certificate authentication since there is nothing exchanged in an authentication transaction for an attacker to steal. So right away we’ve eliminated the password problem.
I happen to carry a portable PKI token around with me all the time. It’s built into my Stealth MXP Portable Security device. I can easily go to VeriSign, and for a small fee, obtain a digital ID (a PKI certificate) that I can install on my device and use within IE or a portable version of Firefox which happens to be installed on my device. The whole setup is very convenient for me (I also use a finger swipe biometric instead of a password to unlock my device) but the real bonus is the security. My private key is generated in FIPS validated hardware, it cannot be exported, and it is protected with strong authentication. Absolutely no one is going to be able to access this private key without my willing participation. So I have everything I need to make my web transactions secure and convenient.
This brings us to the third point. My argument here is that the plumbing to make this grand scheme all happen is already in place and is just waiting to be turned on. Certificates for client-side SSL authentication are supported in all major browsers, and enabling client-side SSL authentication in the majority of deployed web servers (Apache and Microsoft) is as easy as setting a check box. I know that this perspective seems a bit naïve, but we are talking about unmanaged credentials. This means that service providers don’t need to change very much. They only need to associate the digital ID that you present (and for which you prove that you own the private key) with your account and trust the authority that issued you the certificate. I don’t see much of a difference from their current sign-up process where you create your own ID and password. Yes, I’m ignoring details like revocation lists and exceptions (how to handle my lost device, etc.) but you get the idea.
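The server side of that idea, sketched as an added example that is not code from the original post: a TLS context that requests but does not require a client certificate, and an account store that binds a presented certificate's SHA-256 fingerprint to a self-chosen account. The names `make_opt_in_context`, `AccountStore` and the sample byte strings are hypothetical.

```python
import hashlib
import ssl

def make_opt_in_context(server_cert, server_key, trusted_ca_file):
    """TLS server context that requests, but does not require, a client cert."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(server_cert, server_key)
    ctx.load_verify_locations(cafile=trusted_ca_file)  # issuers the site trusts
    # CERT_OPTIONAL: a presented certificate must chain to trusted_ca_file and
    # the handshake proves key possession; clients without one still connect.
    ctx.verify_mode = ssl.CERT_OPTIONAL
    return ctx

def fingerprint(cert_der):
    """SHA-256 over the DER encoding, used as the account binding key."""
    return hashlib.sha256(cert_der).hexdigest()

class AccountStore:
    """In-memory stand-in for the site's user table (hypothetical)."""
    def __init__(self):
        self._by_fp = {}  # fingerprint -> username

    def enroll(self, username, cert_der):
        """Bind a certificate to an account; refuse one bound to someone else."""
        fp = fingerprint(cert_der)
        owner = self._by_fp.setdefault(fp, username)
        if owner != username:
            raise ValueError("certificate already bound to another account")
        return fp

    def revoke(self, username):
        """Lost device: drop every certificate bound to this account."""
        stale = [fp for fp, user in self._by_fp.items() if user == username]
        for fp in stale:
            del self._by_fp[fp]
        return len(stale)

    def login(self, cert_der):
        """cert_der is ssl_socket.getpeercert(binary_form=True); None if absent."""
        if cert_der is None:
            return ("password", None)  # opt-in: fall back to the existing form
        user = self._by_fp.get(fingerprint(cert_der))
        return ("certificate", user) if user else ("unknown-certificate", None)

# Constructed placeholder bytes standing in for DER-encoded certificates.
ALICE_CERT = b"constructed-der-alice"
OTHER_CERT = b"constructed-der-other"
```

Binding to the whole-certificate fingerprint means a renewed certificate has to be enrolled again; the revocation-list checking the post sets aside is not covered here either.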
If this were in place then I’d be very happy. I could focus my worries instead on choosing a certificate authority that had a good identity proofing process to ensure that imposters cannot apply for digital IDs in my name. I’d also be careful not to register with a phishing site that might want to gather other personal information.
Sadly, this wish will probably never happen. In the meantime, I don’t want to be a sitting duck while I wait for the next web Identity Metasystem to become adopted. I’m willing to compromise. Instead, I’ll wish for a portable password manager that uses my MXP device to carry and secure (and possibly generate) my web passwords. At the very least, it gives me the equivalent of two-factor authentication (ownership of the device and authentication to it), portability, and it provides strong protection for my sensitive login information. It’s a compromise but I’m confident that this wish can happen and I’m looking forward to reducing my web anxiety.