
Federating access – the key to improving online security?

Popular passwords should be avoided at all cost. Image courtesy IntelFreePress, Flickr (CC BY 2.0).

'Password', '123456' and '12345678' were the three most-used online passwords of 2011, as revealed in lists published on the web by hackers. Publishing our precious digital keys so recklessly may not look like an act of community spirit, except that the very same three came top again in 2012. These hackers are, relatively speaking, the good guys, publishing the passwords to alert us that our passwords should be less popular than they are, rather than using them in secret to defraud us. It is surely a wake-up call: the password seems to be reaching a crisis point. But is there anything that could replace passwords as we currently use them?

Collaborating and doing science digitally raises the same security challenges as the rest of the online world, not least because many researchers are online outside of work, just like everybody else. With many people becoming overwhelmed by the growing number of web-based services they use daily, each potentially requiring its own password, the concept of a universal web identity seems like a sensible solution. Distributed computing, and grid computing in particular, has a long-standing alternative: the user holds a certificate, issued by a recognised certification authority, that identifies them to grid services and can be installed on each of their devices. If a machine is lost or stolen, the certificate is revoked by the authority that issued it, and any service that checks that authority's revocation list refuses it from then on; the private key on the device should also be protected by a passphrase so that the thief cannot use it in the meantime.
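To make concrete what "cancelling" a certificate involves, here is an added example in Go, using only the standard library; it is not code from the article or from any grid middleware. A toy certification authority issues a user certificate, revokes it by serial number and signs a CRL, and a relying party refuses the certificate only because it checks that CRL. The CA name, user name and serial numbers are made up, and the CRL is passed in as a byte slice; a real grid CA publishes its CRL at a URL and relying parties fetch it on a schedule.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var ErrRevoked = errors.New("certificate has been revoked")

// GridCA is a toy CA that both issues user certificates and signs the CRL (assumption of this example).
type GridCA struct {
	Cert    *x509.Certificate
	key     *ecdsa.PrivateKey
	revoked []pkix.RevokedCertificate
	crlNum  int64
}

// issue generates a key pair and a certificate for name signed by parent; a CA certificate is self-signed.
func issue(name string, serial int64, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if isCA { // a root that may sign certificates and CRLs, signed with its own key
		tmpl.KeyUsage, parent, parentKey = x509.KeyUsageCertSign|x509.KeyUsageCRLSign, tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

func NewGridCA(name string) (*GridCA, error) {
	cert, key, err := issue(name, 1, true, nil, nil)
	if err != nil {
		return nil, err
	}
	return &GridCA{Cert: cert, key: key}, nil
}

// IssueUserCert issues a client certificate; the private key would go to the user's device (discarded here).
func (ca *GridCA) IssueUserCert(user string, serial int64) (*x509.Certificate, error) {
	cert, _, err := issue(user, serial, false, ca.Cert, ca.key)
	return cert, err
}

// Revoke is what "cancelling" means: the CA records the serial; the copy on the lost machine is not recalled.
func (ca *GridCA) Revoke(cert *x509.Certificate) {
	ca.revoked = append(ca.revoked, pkix.RevokedCertificate{SerialNumber: cert.SerialNumber, RevocationTime: time.Now()})
}

// CRL returns a freshly signed revocation list (DER).
func (ca *GridCA) CRL() ([]byte, error) {
	ca.crlNum++
	return x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		RevokedCertificates: ca.revoked, // field available on Go before and after 1.21
		Number:              big.NewInt(ca.crlNum),
		ThisUpdate:          time.Now(), NextUpdate: time.Now().Add(24 * time.Hour),
	}, ca.Cert, ca.key)
}

// Authorize is the relying party's check: chain to the trusted CA, then a CA-signed, unexpired CRL.
func Authorize(cert, root *x509.Certificate, crlDER []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return fmt.Errorf("chain: %w", err)
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(root); err != nil {
		return fmt.Errorf("crl signature: %w", err)
	}
	if time.Now().After(crl.NextUpdate) {
		return errors.New("crl is stale: fail closed") // skip this and a stolen certificate stays usable
	}
	for _, r := range crl.RevokedCertificates {
		if r.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return ErrRevoked
		}
	}
	return nil
}
```

Call NewGridCA, IssueUserCert and CRL, then Authorize; after Revoke and a fresh CRL, Authorize returns ErrRevoked for that certificate while a second certificate issued to the same user for another device still passes. The two checks after the chain check matter as much as the revocation itself: the CRL must be signed by the CA and still within its NextUpdate window, otherwise a service that fails open keeps accepting the stolen certificate until it expires.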

Contrast this with the wide variety of social media identities, online banking, email, desktop cloud syncing and other web-integrated services we use. If we have followed the standard advice, we have a different, strong password (mixing upper- and lower-case letters, numbers and symbols) for each one. A user who falls victim to device theft or a phishing attack might then have to change all of these passwords individually, testing their memory to the limit just to reach each service's settings page. Perhaps, to make life easier, we have saved them all in the web browser, where a thief holding the device can read them out, or perhaps we reuse one password everywhere: strong by composition, but captured in one go by a keylogger installed by malware. (For some tips on safer password techniques, see CERN Security Officer Stefan Lüders's blog post on the topic.)
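As an added example, not from the article or from CERN, the following Go program applies the composition rule quoted above beside a check against a blocklist seeded with the article's three leaked favourites; the other blocklist entries and the 12-character minimum are constructed for the example. It normalises a candidate before the lookup, so that "Password1!" and "P@ssw0rd", which satisfy the composition rule, are still recognised as variants of "password".

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// commonPasswords stands in for a breached-password blocklist. The first three
// entries are the 2011/2012 leaders named in the article; the rest are
// constructed for this example.
var commonPasswords = map[string]bool{
	"password": true, "123456": true, "12345678": true,
	"qwerty": true, "letmein": true, "welcome": true,
}

// leet undoes the usual character substitutions so "P@ssw0rd" is seen as "password".
var leet = map[rune]rune{
	'0': 'o', '1': 'l', '3': 'e', '4': 'a', '5': 's', '7': 't',
	'@': 'a', '$': 's', '!': 'i',
}

const minLength = 12 // assumed policy minimum for this example

// Verdict keeps "satisfies the composition rule" apart from "is acceptable".
type Verdict struct {
	MeetsComposition bool   // upper + lower + digit + symbol, the rule quoted in the article
	Accepted         bool   // survives the blocklist and length checks
	Reason           string // why it was rejected; empty when accepted
}

// meetsComposition implements the advice in the article literally.
func meetsComposition(pw string) bool {
	var upper, lower, digit, symbol bool
	for _, r := range pw {
		switch {
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsLower(r):
			lower = true
		case unicode.IsDigit(r):
			digit = true
		case unicode.IsPunct(r) || unicode.IsSymbol(r):
			symbol = true
		}
	}
	return upper && lower && digit && symbol
}

// variants returns the forms to look up: lower-cased, with trailing digits and
// punctuation stripped, and with leet substitutions undone.
func variants(pw string) []string {
	undoLeet := func(s string) string {
		return strings.Map(func(r rune) rune {
			if l, ok := leet[r]; ok {
				return l
			}
			return r
		}, s)
	}
	base := strings.ToLower(pw)
	out := []string{base, undoLeet(base)}
	stripped := strings.TrimRightFunc(base, func(r rune) bool {
		return unicode.IsDigit(r) || unicode.IsPunct(r) || unicode.IsSymbol(r)
	})
	if stripped != "" && stripped != base {
		out = append(out, stripped, undoLeet(stripped))
	}
	return out
}

// CheckPassword runs the blocklist before anything else: a trivial variant of a
// leaked favourite is rejected however many character classes it contains.
func CheckPassword(pw string) Verdict {
	v := Verdict{MeetsComposition: meetsComposition(pw)}
	for _, cand := range variants(pw) {
		if commonPasswords[cand] {
			v.Reason = fmt.Sprintf("variant of common password %q", cand)
			return v
		}
	}
	if len([]rune(pw)) < minLength {
		v.Reason = fmt.Sprintf("shorter than %d characters", minLength)
		return v
	}
	v.Accepted = true
	return v
}

func main() {
	for _, pw := range []string{"Password1!", "P@ssw0rd", "123456", "grid access via eduroam"} {
		v := CheckPassword(pw)
		fmt.Printf("%-26q composition=%-5t accepted=%-5t %s\n", pw, v.MeetsComposition, v.Accepted, v.Reason)
	}
}
```

A real deployment checks against a breached-password list of hundreds of millions of entries rather than six; the normalisation step is what makes even a short list catch the dressed-up versions of its entries, and it is why a long passphrase with no digits or symbols passes here while "Password1!" does not.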

The many ways that password protection can be misused and abused to hijack an individual's entire online identity have been demonstrated in some high-profile cases. The problem is sometimes made worse by web services whose support staff will send a password reset code to a new email address supplied by a caller on the phone, without any proof that the caller is the account holder.

Herein lies the issue: the services that let the fraudsters in believed they were helping the genuine, if hapless and forgetful, user regain access to their files, a scenario all too familiar to the average user. A balance therefore has to be struck between security on the one hand and accessibility on the other, and a reset path that is weaker than the login it bypasses gets that balance wrong.

Services like OpenID, which gather our online identities under one credential, perhaps haven't had the uptake they deserved. Instead, de facto universal web identities based on social media credentials (Facebook and Twitter logins) have largely taken over this role across a wide variety of web services.

Much of social media's advocacy of real online personas belonging to real people stands in contrast to the early days of the online world, where anonymity ruled, but chimes well with some developers of online services for research. Roberto Barbera of the University of Catania, Italy, is the technical coordinator of the CHAIN-REDS project, which is bringing federated access to different grid services across the globe. CHAIN-REDS, led by INFN, Italy, is one of the projects trialing access using social credentials. "With the same simple sign-on, a user could access everything from their campus network via eduroam, to the entire global grid. This is tremendously powerful," says Barbera.

Simplifying access from a new user's perspective could help open up grids and academic clouds to more researchers in the currently underrepresented life sciences and humanities communities, but it presents new security challenges: a service that accepts an external identity inherits the issuing institute's standards for vetting users and for protecting and revoking their credentials, which is why the trust relationship matters more than the login mechanism. "A profound trust relationship, such as one provided by the International Grid Trust Federation, is the single most important ingredient for CERN before authorizing external identities issued by a partner institute to access CERN computing services," says Stefan Lüders.

Post-password, biometric authentication based on facial or iris recognition looks likely to play some role in how we use devices in the future. Such technologies have been in place for a number of years at national border controls and are becoming more commonplace in mobile devices. They bring a caveat that passwords and certificates do not: a compromised fingerprint or face cannot be revoked and reissued, so a biometric is better treated as a way to unlock a replaceable secret held on the device than as the secret itself. How web freedoms can be maintained in a future where our bodies become our logins is likely to be an area of intense discussion.

Read more in 'The Security Issue' of e-ScienceBriefings.


Copyright © 2015 Science Node ™



This article may be republished online and in print under Science Node's Creative Commons attribution license, provided the authors and ScienceNode.org are credited and a link back to the original article is included.