You’ve likely already heard the news: more than 100 young female celebrities had racy personal photos stolen from private cloud storage accounts, and the criminals who committed the crimes are actively attempting to sell the stolen property for personal profit.
Were it not for the provocative nature of the booty these cyber pirates pilfered, the news that passwords and account credentials were obtained to bypass a login would be just another echo in the chorus of password breaches the world has been plagued with recently. However, historical precedent tells us that ignoring plagues doesn’t make them go away; it took the death of more than half the population of Europe in the 14th century to learn this lesson. Whether plagues are of the bubonic nature or the cyber nature, it takes active, widespread change to stop them.
Not just any change, mind you.
Much of the commentary following this celebrity breach has focused on what some see as bad personal choices by the victims of these crimes. Some news anchors and editorialists go so far as to proclaim that the solution is to abstain from taking racy personal photos altogether. Sure, this may be logically sound advice, but if I may borrow from my plague reference again, it’s no more of a solution than telling 14th century Europeans to abstain from touching one another. That may work, but it ignores human nature. Rather, it was simple hygienic improvements that proved to be the more fitting solution.
Let’s be honest, human nature is also behind people's desire to take sexy selfies. It may not be something you choose to partake in, but mankind has been producing intimate private works of art for as long as we’ve had the technical ability to do so. It’s not going away.
But if people have always been creating lurid photos, why is it so dangerous to do so now? Why were the risqué photos that previous generations kept in a shoebox inside their closet so much more secure than similar photos we now store in the cloud? This seemingly simple question is at the core of this celebrity photo breach. To understand the difference, we must dissect the different security measures protecting each stash of pictures.
For argument's sake, let’s assume Marilyn Monroe had a collection of private photos in her closet that she wanted to keep hidden from the outside world. To ensure that only she could access the photos, Marilyn installed a lock on her closet door. Opening the lock required a unique metal key that only Marilyn possessed.
Had Marilyn instead grown up a millennial, that same collection of photographs would be digital. Instead of locking them in her closet, she would lock them in iCloud, Dropbox, or another online storage service. Instead of a physical key, she would utilize a password.
In these scenarios, the metal key and the password are the factors of authentication securing the photographs. On the surface, one might assume we’re implementing the same level of security in both cases – only Marilyn possesses the key, and only she knows her secret password – but one is substantially weaker than the other.
The main weakness inherent to passwords is architectural: it comes from where the layer of authentication itself is located. While the key to Marilyn’s closet was kept on a keychain in her purse (a location only she has access to), the login form required to access Marilyn’s online photos is placed on a form within a website (a location available to the public). It’s this important distinction that is the root problem behind the current global hacking pandemic.
Within security, we refer to this difference as in-band authentication (passwords) versus out-of-band authentication (physical keys). The latter offers superior security because it decentralizes authentication. If Marilyn were to treat the key to her closet like a password, the key would be stored in a public place such as a library along with keys belonging to others. Would-be attackers would simply need to visit the library and try enough of those keys to bypass her security. In essence, individuals and organizations around the world are using this flawed approach to secure their most private and sensitive digital content.
To end the current password pandemic, we must change the fundamental architecture we currently use with online authentication from an in-band architecture to one that’s out-of-band. While changing something so pervasive may sound daunting, the solution is already in your pocket.
Like a traditional key, your mobile phone is a unique device solely within your possession. By shifting the layer of authentication out-of-band to the mobile devices we all already own, we can protect ourselves against the primary vulnerability inherent to passwords. By turning phones into digital keys, we not only afford ourselves the same base level of protection as their traditional metal counterparts, but we can substantially increase security by utilizing the technology already available on our smartphones.
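To make the phone-as-key idea concrete, here is an added example (not code from the original article or from any product it alludes to) of an out-of-band login in Go. The phone generates a private key that never leaves it; the storage service keeps only the matching public key and a table of one-time random challenges. A login is the service issuing a challenge and the phone signing it, so nothing that passes through the public-facing website form is reusable by an attacker, and a copy of the service's whole user database yields only public keys. The service name "photos.example", the username "marilyn" and the 32-byte challenge size are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Device models the phone. The private key is generated on the device and is
// never sent anywhere, so there is nothing for a website form to leak.
type Device struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

// NewDevice creates a fresh key pair for one phone.
func NewDevice() (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{priv: priv, Pub: pub}, nil
}

// signedPayload binds the challenge to the service name so that a challenge
// obtained from one site cannot be answered with a signature meant for another.
func signedPayload(service string, challenge []byte) []byte {
	return append([]byte(service+"\x00"), challenge...)
}

// Sign answers a login challenge with the device-held private key.
func (d *Device) Sign(service string, challenge []byte) []byte {
	return ed25519.Sign(d.priv, signedPayload(service, challenge))
}

// Server models the online storage service. It stores only public keys and
// the challenges it has issued but not yet seen answered.
type Server struct {
	name    string
	users   map[string]ed25519.PublicKey
	pending map[string]string // hex(challenge) -> username
}

// NewServer creates a service with no enrolled users.
func NewServer(name string) *Server {
	return &Server{name: name, users: map[string]ed25519.PublicKey{}, pending: map[string]string{}}
}

// Enroll records a user's public key; the private half stays on the phone.
func (s *Server) Enroll(user string, pub ed25519.PublicKey) {
	s.users[user] = pub
}

// Challenge starts a login by issuing a fresh 32-byte random nonce.
func (s *Server) Challenge(user string) ([]byte, error) {
	if _, ok := s.users[user]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[hex.EncodeToString(nonce)] = user
	return nonce, nil
}

// Verify checks the signature and consumes the challenge, so a captured
// response is useless for a second login and unknown challenges are rejected.
func (s *Server) Verify(user string, challenge, sig []byte) bool {
	key := hex.EncodeToString(challenge)
	owner, ok := s.pending[key]
	if !ok || owner != user {
		return false
	}
	delete(s.pending, key) // single use, even when verification fails
	return ed25519.Verify(s.users[user], signedPayload(s.name, challenge), sig)
}

func main() {
	phone, err := NewDevice()
	if err != nil {
		panic(err)
	}
	srv := NewServer("photos.example") // constructed service name
	srv.Enroll("marilyn", phone.Pub)   // constructed username

	ch, _ := srv.Challenge("marilyn")
	sig := phone.Sign("photos.example", ch)
	fmt.Println("genuine login:", srv.Verify("marilyn", ch, sig))     // true
	fmt.Println("replayed response:", srv.Verify("marilyn", ch, sig)) // false

	// Someone holding a copy of the server database has public keys only and
	// must sign with a key of their own, which the stored public key rejects.
	other, _ := NewDevice()
	ch2, _ := srv.Challenge("marilyn")
	fmt.Println("signature from another key:", srv.Verify("marilyn", ch2, other.Sign("photos.example", ch2))) // false
}
```

The design choice to note is that the verifier on the website side never holds a secret that would let anyone log in, which is exactly the property the closet key has and the password does not; it is also the shape that standardized device-bound authentication (FIDO2/WebAuthn) takes. What the code does not address is a phone that is lost while unlocked, which is where the on-device checks mentioned next come in.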
Imagine if the metal key to your front door could use geo-positioning and biometrics to verify that the person holding the key is its rightful owner. With today’s smartphones and tablets, we can already do that.
Solutions are currently coming to market that can solve this problem. While no form of security should ever be considered invincible, it is the ethical responsibility of organizations and developers to take advantage of emerging technology and end our dependence on the broken system of passwords.
Celebrities may be the victims today, but tomorrow it may be your friends, your employees, your kids, or even you.