Level of Assurance: are we approaching a limit?

I’ve had several conversations this week that related to what’s commonly referred to as “level of assurance”: how confident we can be that an account or other information about an on-line user actually relates to the person currently sitting at the keyboard. Governments may be concerned with multiple forms of documentary proof but I suspect that for most common uses in the education sector that may be over-complicating things. So long as the link between a human and their account is made by a traditional, static, password, and provided that password achieves a pretty basic (though still by no means universal) level of non-guessability, it seems to me that the main factor affecting level of assurance may well be how the user behaves with their password.

Once we improve beyond passwords that are open to simple or brute-force guessing, significant threats to the integrity of the link between the human and their account are password sharing and phishing. The risk from both of these depends almost entirely on the user’s behaviour: additional password complexity, stronger proof of real-world identity, etc. don’t help. There are plenty of anecdotes of students sharing passwords with one another, of researchers sharing certificates, and of both falling for phishing attacks. Nonetheless static passwords seem to be good enough for most purposes in both our professional and personal lives: the general level of behaviour, backed up by measures to detect and recover from account compromises, seems to produce a level of risk that both users and service providers find acceptable. The only sector that seems to have changed its standard form of authentication is banking – to access my bank account on-line I need to know a password and be in possession of a particular physical device. Using two factors to authenticate reduces the risk of compromise, even without a change in behaviour, but at some cost to users in convenience and considerable costs to the bank in providing and supporting all those hardware tokens.

If we want to reduce risk without moving to two-factor authentication, can we change users’ behaviour, or is it a limit we have to live with? The Anti-Phishing Working Group has an excellent campaign to raise awareness of phishing and help users avoid falling for it. But the prevalence of account sharing probably depends on our instinctive perception of how valuable sole use of the account is. That value may not be what we (as service providers) expect: a long time ago I was surprised to discover that what persuaded students that sharing passwords was a bad idea wasn’t giving away the ability to read files or access computers, it was handing a “friend” the ability to send a perfectly-forged e-mail to a tutor or boy/girlfriend! Nowadays we are moving towards single-sign-on, where one password gives access to all our on-line services and accounts. That’s more convenient for the user and allows service providers to quickly secure all the affected accounts once the user realises they have made a mistake. By analogy with the real world, it seems to me that increasing the number of things accessible ought to increase the perceived value of the password and make us more careful: I’m happier to lend someone the key to just my house or just my car than I would be a master key that gave access to both. I’m not aware of any recent surveys that might confirm that idea. If not, it may be that we’ve reached the human limit of what can be done with static passwords. If that’s right, then if that limit isn’t sufficient for your application you may need to look at the cost and acceptability of two-factor authentication.

By Andrew Cormack

I'm Chief Regulatory Advisor at Jisc, responsible for keeping an eye out for places where our ideas, services and products might raise regulatory issues. My aim is to fix either the product or service, or the regulation, before there's a painful bump!

Leave a Reply

Your email address will not be published. Required fields are marked *