The User Authentication Problem

Craig Finch
Jul 24, 2017 · 3 min read

How do you know that your users are who they claim to be?

I write this article from the perspective of a web application architect. Our team is developing a web application that’s intended to benefit the average person. This application stores sensitive information, and we are morally and legally obligated to protect that data. We’re applying all of the current security best practices: data encrypted at rest and in motion, access control lists to restrict access, central logging, regular patching of the underlying operating systems, and so on. Yet, even if our site were completely impenetrable, it would still have an enormous vulnerability: we have no idea whether our users are who they claim to be.

The industry-standard process for creating an account or resetting a password on any web application is to send an email containing a unique link to your primary email account. You open the email, click the link, and create or reset your password. The problem is that we have no idea whether the person following the link is actually the person they claim to be. The email with the unique link could have been intercepted along the way. The user’s email account could have been hacked, or maybe someone else (like a family member) knows the password. No matter how secure we make our application, our users’ information is only as secure as their email accounts, and that security is totally out of our control.

We can add a bit more security by asking one or more questions to verify a user’s identity. If we already know something about the user, such as their date of birth, we can use it to verify their identity. Birthdate verification is still the standard in the medical and pharmacy industries, but it is a very weak security measure. Considering the proliferation of personal data on social media and the number of public records available online, we should really start treating date of birth as public knowledge. Any halfway determined hacker can work out your date of birth from your social media profiles, or from one of the many data breaches that have exposed millions of users’ personal data. Other security questions might be slightly more obscure, but they still won’t prevent someone who knows you well (such as a vengeful ex-partner) from wrecking your life online.

We can add a lot of security by offering two-factor authentication (2FA). Even if someone gets your password reset link, they won’t be able to reset your password unless they also have your mobile device. Unfortunately, it isn’t realistic to require 2FA for ordinary users. Grandma and Grandpa User have enough trouble just logging in with an 8-character password. Two-factor authentication is a hassle to manage; I just upgraded to a new iPhone, and spent over an hour re-adding all my two-factor codes into Google Authenticator on the new device. Google Authenticator isn’t a workable solution in the long run. If every site supported 2FA, I would have hundreds of 2FA codes, and Authenticator’s UI would be totally unusable. Using SMS to deliver the second factor is no longer considered secure. U2F is promising, but it’s going to take years for ordinary people to change their behavior and start using a USB device every time they log in to a critical application.

So, what’s the solution? Nobody has a magic bullet. Technology will evolve to make the process easier (such as the fingerprint identification on most new phones), and users will eventually change their behavior. In the meantime, there are plenty of other vulnerabilities that we have the ability to address immediately.
