Fallacy of Secrecy
Passwords have always been an integral part of authentication systems. There have been many calls to abandon passwords in favour of more secure alternatives such as smart tokens and biometrics. Still, passwords remain prevalent, with usability cited as one of the main reasons. Unlike their alternatives, which are based on ‘something you are’ or ‘something you have’, passwords are based on ‘something you know’. The inherent property of a ‘something you know’ authentication system is the need to keep a secret. In the other approaches, where we must carry something around for authentication, the security lies in how well we can physically keep it safe. Because a password resides in the intangible fortress of our mind, it gives us the feeling that this approach is truly secure, provided we can remember a truly difficult password. Most of us reading this article would agree that password sharing is not a good practice, and in most cases that is true. But there are situations where this fallacy of secrecy actually becomes a hindrance on the path to usable security.
On 9th December 2018, Gerald Cotten, the young CEO of QuadrigaCX, one of the largest Canadian cryptocurrency exchange firms, died of Crohn’s disease. The curious aspect of this case followed a month later, when the company disclosed that all of its cryptocurrency exchanges had been handled solely by Mr. Cotten from his laptop. As he was the only person with the access codes for the laptop, his untimely demise left $190 million worth of crypto coins lying dormant in the laptop’s cold wallet. Thus, password secrecy rendered a secure system utterly useless. This raises the question of how secure we actually want our systems to be. A truly secure system, with Mr. Cotten as the only attack surface, turned out to be a complete disaster for the company. If only Mr. Cotten had shared the password with his wife (the current CEO), or had used some other means of authentication, this situation would never have arisen.
Relating the incident back to the paper “The Quest to Replace Passwords”, it is interesting and contradictory to find that passwords performed best under the heading ‘Easy recovery from loss’ compared to the other authentication schemes. We always aim to create a truly secure system, but such incidents remind us how important the dimension of usability is when considering security. To achieve this usability, especially in the case of passwords, there may be a need to establish redundancy, against the popular belief in maintaining strict secrecy. We find that this kind of secret sharing forms the core of many top business models. Coca-Cola keeps its secret formula secure among a group of individuals rather than relying on a single person, even accepting that this creates multiple points of compromise. Thus, it is important to understand the criticality and the value of the entity being protected, and to have multiple paths for retrieval rather than securing it so well that it is lost forever.
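The redundancy the passage argues for has a well-known cryptographic form: a threshold (k-of-n) secret sharing scheme, in which a master secret such as a cold-wallet key is split into n shares so that any k of them recover it, while fewer than k reveal nothing. The following is an added illustration written for this page, not code from the original article or from any company it mentions; it implements Shamir’s scheme over the prime field GF(2^521 - 1), and the function names, the share format (a list of (x, y) pairs) and the 32-byte demo key are this example’s own constructions.

```python
import secrets

# Prime modulus for the finite field. 2**521 - 1 is a Mersenne prime, so any
# secret of up to 64 bytes (e.g. a 32-byte wallet master key) fits below it.
PRIME = 2**521 - 1


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (lowest-degree coefficient first) at x, mod PRIME."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def split_secret(secret, threshold, share_count):
    """Split an integer secret into share_count shares; any threshold shares recover it.

    The secret is the constant term of a random polynomial of degree threshold-1;
    share i is the point (i, f(i)). Fewer than threshold points leave the
    constant term uniformly undetermined, which is what makes the scheme secure.
    """
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be a non-negative integer below PRIME")
    if not 1 <= threshold <= share_count:
        raise ValueError("need 1 <= threshold <= share_count")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    # x = 0 is never used as a share index because f(0) is the secret itself.
    return [(x, _eval_poly(coeffs, x)) for x in range(1, share_count + 1)]


def recover_secret(shares, threshold):
    """Recover the secret from at least threshold distinct shares (Lagrange at x=0)."""
    if len(shares) < threshold:
        raise ValueError("not enough shares to meet the threshold")
    points = shares[:threshold]
    xs = [x for x, _ in points]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    secret = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % PRIME        # product of (0 - xj)
                den = den * (xi - xj) % PRIME    # product of (xi - xj)
        # Lagrange basis value L_i(0) = num / den, computed with a modular inverse.
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret


def share_key(key, threshold, share_count):
    """Convenience wrapper: split a byte-string key (up to 64 bytes)."""
    return split_secret(int.from_bytes(key, "big"), threshold, share_count)


def recover_key(shares, threshold, key_length):
    """Convenience wrapper: recover a byte-string key of known length."""
    return recover_secret(shares, threshold).to_bytes(key_length, "big")


if __name__ == "__main__":
    # Constructed demo key; a real deployment would share the wallet's actual key.
    key = b"constructed-demo-wallet-key-0001"  # 32 bytes
    shares = share_key(key, threshold=2, share_count=3)
    for holder, share in zip(["CEO", "CFO", "escrow lawyer"], shares):
        print(f"{holder}: share index {share[0]}")
    # Any two holders together can rebuild the key; one alone cannot.
    print(recover_key([shares[0], shares[2]], 2, len(key)) == key)
```

In the QuadrigaCX setting this would mean that the CEO’s death leaves the remaining share holders able to recover the wallet, while a single compromised holder still gains nothing. The threshold is the tunable trade-off the passage describes: a larger k limits the damage from any one leaked share, a larger n gives more paths to recovery.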