Medium’s Lack of Password Provides Blueprint for the Future
Passwordless login hints at the future of credential authentication. If you haven’t realised it already, Medium does not sign you in with a password.
Key Points
- The Pain of Passwords
- Medium’s Magic Links
- Future of Authentication

WHAT do Medium, Slack, and a car have in common? Their authentication.
All three grant access without a password, through the use of immutable, signed tokens.
Medium and Slack both use the magic link sign-in method. In the case of the car, the car key is a form of physical token.
The Pain of Passwords
YOU may have noticed that you never had to click “Forgot Password” on Medium.
Medium does not use password-based authentication for its large user base of more than 60 million. This is a godsend for chronic password forgetters.
Beyond the problem of forgotten passwords, the single-use passcode method of authentication saves Medium’s estimated 167 employees from having to build and run a secure password authentication architecture. In fact, if Medium were to adopt a password-based authentication system, it is unlikely that it would develop one on its own. Start-ups and medium-sized enterprises often use well-established third-party services to save on resources while maintaining top-notch security.

Moreover, remembering passwords is a pain for the user anyway. The average office worker has up to 191 passwords to remember, which is well beyond the capacity of the human brain. This is why passwords tend to be easily guessable, insufficiently complex, and prone to social engineering.
Passwords are by now the greatest weak link of major services. 80% of breaches are the result of weak, reused, or compromised passwords.
In banks alone, fraudulent online transactions involving credential stuffing are expected to cost $25.6 billion by 2020, according to research by Juniper Research.
Medium’s Magic Links
MEDIUM’s login method works by means of a single-use link (a single-use URL): in practice, the user has to click on a link that Medium sends to their email within a limited time period in order to access their account.
It looks like this if you have not seen it:

Behind this seemingly innocuous password-less authentication mail is a security powerhouse.
When logging into a Medium account, a one-time token is created and signed by a central service; once that token is redeemed, a cookie is created to keep the session signed in. The token cannot be modified by the client or user in any way.
It is likely that the central service used here is Amazon Web Services’ Identity and Access Management, AWS IAM in short.
This is consistent with Magic Links used by Slack and many other companies. Yes, they call it magic links.

In brief, magic link authentication performs the following steps in order:
#1. The user requests sign-in to Medium.com.
#2 & 3. Medium.com, hosted on AWS with IAM, calls the passwordless API. AWS IAM creates a token and sends it to the email address stored in the DB.
Note: I have excluded the email providers from the flowchart. Services include Amazon SES, Mandrill, and Twilio SendGrid.
#4. The user clicks on the token link.
#5 & 6. Medium.com calls the passwordless API, which creates a session and a cookie.
#7. The cookie is stored in the browser to share the session and stay signed in.
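As an added example (not Medium’s, Slack’s, or any passwordless API’s own code), here is the essence of steps 2 to 7 in Python: a high-entropy single-use token whose hash is stored with an expiry, then redeemed exactly once for a session id. The in-memory stores, the 15-minute TTL, and the `medium.example` callback URL are constructed stand-ins.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # constructed value: a link is only valid for 15 minutes

# Constructed in-memory stores standing in for the token DB and the session store.
_pending = {}   # sha256(token) -> {"email": ..., "expires": ...}
_sessions = {}  # session id -> email


def request_link(email, now=None):
    """Steps 2 & 3: mint a single-use token, store only its hash, return the link to email."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of entropy: brute-forcing the link is infeasible
    digest = hashlib.sha256(token.encode()).hexdigest()
    _pending[digest] = {"email": email, "expires": now + TOKEN_TTL_SECONDS}
    return f"https://medium.example/m/callback?token={token}"


def token_from_link(link):
    """Step 4: what the browser sends back when the user clicks the link."""
    return link.rsplit("token=", 1)[1]


def redeem(token, now=None):
    """Steps 5 & 6: exchange a valid, unexpired, unused token for a session id (or None)."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    # Lookup by hash means a leaked token table reveals no live links;
    # pop() consumes the record, so the same link can never be redeemed twice.
    record = _pending.pop(digest, None)
    if record is None or now > record["expires"]:
        return None
    session_id = secrets.token_urlsafe(32)
    _sessions[session_id] = record["email"]
    return session_id  # step 7: the server sets this as an HttpOnly, Secure cookie


def whoami(session_id):
    """Resolve a session cookie back to the signed-in email, or None."""
    return _sessions.get(session_id)
```

A second click on the same link, a guessed token, or a link older than the TTL all return `None`, which is where the page’s “limited time period” and single-use properties come from.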
Future of Authentication
IS there, from a cybersecurity perspective, a feature that makes for the perfect authentication method? Well, there are some contenders.
Security Principles
There are three guiding principles, commonly called the CIA triad: confidentiality, integrity, and availability.
Magic link passwordless authentication ranks high on availability, but does not fare well on integrity, and arguably throws confidentiality out the window. The email system is stable to use and quick to access, which makes it available. However, it entrusts the email provider with the matters of integrity and confidentiality. There is no telling whether a man-in-the-middle is reading the email in a sniffing attack. If the email is modified, integrity is compromised. If the attacker gains access to a Medium account or identifies the account holder, confidentiality is compromised.
There are also three authentication factors:
- Something you know — where passwords belong.
- Something you have — where our passwordless token belongs.
- Something you are — where your biometrics belong; think Face ID and Touch ID.
Under this framework, authentication should combine as many factors as possible to avoid a single point of failure; this is referred to as multi-factor authentication (MFA). Again, passwordless authentication as employed by magic links does not have that feature. This means that a magic link is susceptible to brute-force attacks, which lowers its integrity score.
Although Medium’s passwordless authentication does not provide maximum security in the eyes of cybersecurity personnel, it has sustained Medium’s rapid growth over the past years.

It may even surpass passwords in the future, as has been postulated.

Better Ways To Make Password Obsolete
Even though passwordless authentication seems poised to take over from Username/Password (UP), that does not mean it will.
We may recall that there is a feature of UP authentication that rings familiar to this passwordless type of sign in: the “Reset Password” email. Passwordless sign-in through email is like resetting the password of UP at every sign-in, except without the hassle of having an entry password at all. To the chronic password forgetters, this process is hardly any different.
In fact, passwordless sign-in is only as strong as the password reset process has ever been.
Fortunately, there are many other authentication methods out there that are ousting passwords in the web application scene.
- Centralised sign on managers
Ever wish you could use the same passwords over and over without guilt?
We are seeing the rise of centralised password managers, commonly referred to as Single Sign-On (SSO). Company employees may have already seen this when they log onto various services, such as Outlook and payroll, using their single work directory credentials.
Other password managers integrate web-specific requirements, common sign-in systems, password creation, and password reset into a single place for the user. On June 5, 2020, Apple announced a new open-source project for its iCloud Keychain password manager.
With centralised sign on managers, users don’t have to remember multiple passwords to access services. One password to rule them all.
- “Something you are” auth factor
Passwords belong to the “Something you know” authentication factor, while “Something you are” usually entails some irrefutable aspect of yourself and your identity, like fingerprints.
Though not fail-proof, biometric data is seeing wide adoption. Something about the false reassurance?
Nonetheless, hackers have still been able to crack through these protections, whereas users cannot simply change their faces or fingerprints.
New Breeds of Attack
Centralise or decentralise. Biometric or multi-factor. Password or passwordless.
One surest thing we can learn about the above myriad of authentication methods is that someone somewhere in the world will break it at some time.
This proves that you can count on human intelligence to break the machine — an optimistic half-glass-full kind of assurance.
As for Medium and readers’ data, I’d go out on a limb and say their security is handled mostly by Amazon. Suppose that Amazon gets targeted by some state-funded cyber attack campaign, or Medium (or Twitter) suffers some setbacks at its headquarters; Medium may then encounter anything from a major security breach to an isolated case of data leak.
Not to mention Medium has multiple attack vectors such as mobile app and web apps.
Threat Modelling
THE defense against cyber threats boils down to understanding one’s own systems. This includes knowing the various attack vectors, assets, and protection measures.
From there, threat modelling helps to identify priority of assets, allocate resources for preventive measures, and devise impact mitigation strategies.
I will not discuss threat modelling for Medium, but basically, it is necessary for any company to be prepared for attacks. I’m sure Medium has its own. One cannot prevent them, but one can surely safeguard against them.
There is no one perfect defense system, just as there is no one perfect sign-on method.
With due diligence, threat modelling done, and a solid event management and response team, small and medium-sized enterprises like Medium will be well positioned to face the ever-changing world of cyber threats.
See, Batman has a Threat Model too.
References:
- http://www3.weforum.org/docs/WEF_Passwordless_Authentication.pdf
- https://auth0.com/blog/is-passwordless-authentication-more-secure-than-passwords/