Dump User Names, Says Dartmouth Research

The focus on coming up with unusual passwords for getting into secure sites is probably misplaced, particularly when those passwords are accompanied by user names that are all too guessable. That's what a joint academic and industry research team has come up with after nearly a year of working together on the problem of authentication.

Researchers from Dartmouth College's Institute for Security, Technology and Society (ISTS) and WWPass are testing out technology that lets companies and individuals securely manage private and confidential information while stopping fraud and identity theft. The technology was created by WWPass and is undergoing a review by the Dartmouth institute.

According to a new paper put out by the collaboration, "How To Count to Two: What 'Two Factor Authentication' Misses," the problem with schemes that rely on the use of user names and passwords for authentication is that they're only as strong as the weakest user in the network. Figuring out somebody's user name can lead cyber criminals to additional information about that individual online, which can help in figuring out what that user's password is too. Once the personal information of one user in a system is breached, the hacker can make a "lateral move" to explore more of the target network and uncover additional accounts that can be compromised. Use of this ever-growing "footprint" in the network may allow the hacker to uncover private information about "higher value targets," whose access to network resources can lead to the kind of data breaches that make the effort worthwhile for the criminal.

"When it comes to organizations trying to keep their data private, attackers always seem to win, no matter if the target is a security company like RSA or an entertainment giant like Sony, a regulated health provider like Anthem, a mass retailer like Target or Home Depot, or a leader in technology R&D like Google," said Professor Sergey Bratus, Dartmouth's lead researcher on the project. "There's even worse news: Breaches have become merely a matter of scale; it appears that if attackers can scale up their effort they win, no matter how unsophisticated they are."

WWPass is working on a mechanism that replaces this type of "two factor authentication" with an approach that uses a "passkey." An application, Web site or domain is registered with WWPass and provided with a Service Provider ID (SPID) and a digital certificate. When the user logs on to the application, the application authenticates first with WWPass. Once it has been verified, the user receives proof from WWPass that the application is legitimate. When the user completes the login by entering an access code, he or she is authenticated by WWPass, and the credential data that proves the identity of the user is sent to the application. The credential data is maintained in the cloud, where the data is encrypted, fragmented and dispersed.

"We must make it harder for attackers to select and leverage the next round of targets," said WWPass CEO Eugene Shablygin. The only way to beat "the epidemic of account breaches is to reduce this plethora of weak links by eliminating the use of usernames and passwords."

The year-long research project was funded in part by the New Hampshire Innovation Research Center (NHIRC), which provides grants for innovations created through industry and university collaborations. WWPass matched NHIRC's investment. The project is expected to conclude at the end of June 2015.

About the Author

Dian Schaffhauser is a former senior contributing editor for 1105 Media's education publications THE Journal, Campus Technology and Spaces4Learning.
