Unauthentication

by Bruce Schneier

In computer security, a lot of effort is spent on the authentication problem.  Whether it’s passwords, secure tokens, secret questions, image mnemonics, or something else, engineers are continually coming up with more complicated — and hopefully more secure — ways for you to prove you are who you say you are over the Internet.

This is important stuff, as anyone with an online bank account or remote corporate network knows.  But a lot less thought and work have gone into the other end of the problem: how do you tell the system on the other end of the line that you’re no longer there?  How do you unauthenticate yourself?

My home computer requires me to log out or turn my computer off when I want to unauthenticate.  This works for me because I know enough to do it, but lots of people just leave their computer on and running when they walk away.  As a result, many office computers are left logged in when people go to lunch, or when they go home for the night.  This, obviously, is a security vulnerability.

The most common way to combat this is by having the system time out.  I could have my computer log me out automatically after a certain period of inactivity – five minutes, for example.  Getting it right requires some fine tuning, though.  Log the person out too quickly, and he gets annoyed; wait too long before logging him out, and the system could be vulnerable during that time.  My corporate e-mail server logs me out after 10 minutes or so, and I regularly get annoyed at my corporate e-mail system.

Some systems have experimented with a token: a USB authentication token that has to be plugged in for the computer to operate, or an RFID token that logs people out automatically when the token moves more than a certain distance from the computer.  Of course, people will be prone to just leave the token plugged in to their computer all the time; but if you attach it to their car keys or the badge they have to wear at all times when walking around the office, the risk is minimized.

That’s expensive, though.  A research project used a Bluetooth device, like a cellphone, and measured its proximity to a computer.  The system could be programmed to lock the computer if the Bluetooth device moved out of range.

Some systems log people out after every transaction.  This wouldn’t work for computers, but it can work for ATMs.  The machine spits my card out before it gives me my cash, or just requires a card swipe, and makes sure I take it out of the machine.  If I want to perform another transaction, I have to reinsert my card and enter my PIN a second time.

There’s a physical analogue that everyone can explain: door locks.  Does your door lock behind you when you close the door, or does it remain unlocked until you lock it?  The first instance is a system that automatically logs you out, and the second requires you to log out manually.  Both types of locks are sold and used, and which one you choose depends on both how you use the door and who you expect to try to break in.

Designing systems for usability is hard, especially when security is involved.  Almost by definition, making something secure makes it less usable. Choosing an unauthentication method depends a lot on how the system is used as well as the threat model.  You have to balance increasing security with pissing the users off, and getting that balance right takes time and testing, and is much more an art than a science.

Automatic logout:
http://www.schneier.com/blog/archives/2009/06/protecting_agai.html

Proximity logout:
http://www.matthew.ath.cx/projects/bluemon/

This essay originally appeared on ThreatPost.
http://threatpost.com/blogs/difficulty-un-authentication-128

Leave a comment

Your email address will not be published. Required fields are marked *