Interactive Design and the Death of Passwords

Can you remember the last time you read about a big company getting hacked? Was it within the past year? Month? Week? Stories like this have, very unfortunately, lost their shock value over the years.

A quick—and I mean mega quick—Google search for “list of businesses that have been hacked” gave me more hits than I expected, a good number of which had occurred since the beginning of 2016. It’s only February. Why are we so vulnerable to cyber attacks? Who do we blame? Is anyone doing something to make a change? Learn how interactive design is changing how we secure ourselves online.

The Failure of the Password

For starters, our vulnerability stems from our use of passwords. Does that sound ironic? Because it is. By this point, I’m sure you’ve seen plenty of “10 Most Common Passwords Ever!” “NEVER Use These Passwords!” and “Change Your Password Before it’s Too Late!” articles floating around the clickbait sites of the Internet. We get it—passwords are easy to guess. But why?

Hackers have dozens of tools at their disposal for snagging our private information. Have you seen USA’s series Mr. Robot?! No? Go do that now. It’s terrifying how easily people can worm their way into our personal computers. Phishing emails, keyloggers, infected downloads, USB malware—the list goes on.

Sophisticated computer algorithms are able to guess around 1,000 potential passwords per second during what’s called a Brute Force attack. The computer starts with hypothetical single-character passwords (a, b, c, 1, 2, 3, etc.) until it runs out of options, then moves on to possible two-character passwords. Eventually, the computer stops when it hits the correct combination of letters, numbers and symbols, and the password is cracked. What’s more interesting is that Brute Force attacks are practically designed to uncover “complex” passwords made up of random letters and numbers.

A little confused? XKCD can probably explain it better than I can:

[Image: XKCD “Password Strength” comic]

So the real question here is how do we keep ourselves safe in a world that relies so heavily on password protection and online interaction? Plenty of companies have spotted the potential for improvement in this sector of our lives. Among the “solutions”: smart rings, single-use passwords and, my favorite, USB Keys.

The USB Key

I spoke with Ronnie Manning, a member of Yubico, to get more information about USB keys and how they work. As it turns out, we at HOW weren’t the only ones with these questions. Yubico is actively working on a page that answers frequently asked questions about USB keys and how they work. In the meantime, I’ll try to explain how this little tool uses interactive design to secure your online accounts.


For starters, the Yubikey (the name of Yubico’s USB key) is not your average password storage device. Unlike master password keepers like LastPass, the Yubikey and its competitors don’t actually store your personal information anywhere. Instead, it is used as a second step for identifying yourself as an account holder. This is also known as “two-factor authentication.”

Think of it like this: You open your Gmail account and you’re prompted to enter a username and password. In the past, if you messed up your password enough times, the server would prompt you to enter a Captcha code (those funky looking numbers and letters that can be tricky to read). Doing this is called a “challenge.” It’s a way for Google to know that you’re a real person trying to get into your account and not a robot that has been sent to crack a password. Computers are unable to read letters and numbers from the image file Captchas use, so by entering what you see, you’re basically saying, “Hey Google, I’m not a robot. I’m a real person with real eyes and I can tell that image says _______.”

Using Captcha images protected accounts from those Brute Force attacks I mentioned earlier. Using Captcha images as a second step for security does not, however, protect your account from someone who might already know your password. That’s where the Yubikey comes in.


How They Work

With a Yubikey, instead of being asked to enter a Captcha image, the server offers a different type of challenge: tapping the Yubikey device with your finger. And it’s not just when you enter your password incorrectly; it’s every time you log in. By setting a Yubikey as a second-step verification tool, your account knows the key attached to it, just like the tumblers in your door know the bumps of your house key. Without the proper key, the account will remain locked. When the proper key is used, it automatically makes itself known with an identifier and then inputs a 44-character one-time password.
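To make the “identifier plus one-time password” step concrete, here is an added example (not code from the article or from Yubico) of what the server sees when a key is tapped. It follows the Yubico OTP format, in which the 44 typed characters are a 12-character public identifier followed by a 32-character encrypted token, both written in Yubico’s 16-symbol “modhex” alphabet; the enrolment table and the sample OTP are constructed for the demo.

```python
# Added example: splitting the typed Yubico OTP into the key's public identifier
# and its encrypted token, then doing the first server-side check: is this the
# key enrolled for the account? (Not the article's or Yubico's code.)

MODHEX = "cbdefghijklnrtuv"        # Yubico "modhex" alphabet: c=0, b=1, ..., v=15
OTP_LEN, PUBLIC_ID_LEN = 44, 12    # 12-char public ID + 32 chars (16 encrypted bytes)


def modhex_decode(text: str) -> bytes:
    """Decode a modhex string (two symbols per byte) into raw bytes."""
    if len(text) % 2 or any(ch not in MODHEX for ch in text):
        raise ValueError("not a modhex string")
    nibbles = [MODHEX.index(ch) for ch in text]
    return bytes((hi << 4) | lo for hi, lo in zip(nibbles[::2], nibbles[1::2]))


def split_otp(otp: str):
    """Return (public_id, encrypted_token) from the 44 characters the key types.

    The token stays encrypted here: only the key and the validation server hold
    the AES secret, which is why a stolen OTP string cannot be forged or replayed
    once the server has seen its counter.
    """
    otp = otp.strip()
    if len(otp) != OTP_LEN or any(ch not in MODHEX for ch in otp):
        raise ValueError("OTP must be exactly 44 modhex characters")
    return otp[:PUBLIC_ID_LEN], modhex_decode(otp[PUBLIC_ID_LEN:])


# Constructed enrolment table (hypothetical users, made-up public IDs):
# the "tumblers" the article describes, i.e. which key belongs to which account.
ENROLLED_KEYS = {"alice": "ccccccbhjkln", "bob": "ccccccdtufgi"}


def key_matches_account(username: str, otp: str) -> bool:
    """First gate: the tapped key's identifier must be the one enrolled for this
    account. Passing it does not log the user in; the encrypted token must still
    be validated (and its counter checked for replay) by the validation server."""
    try:
        public_id, _token = split_otp(otp)
    except ValueError:
        return False                      # malformed input never matches
    return ENROLLED_KEYS.get(username) == public_id


# Constructed sample: alice's public ID followed by 32 modhex characters.
SAMPLE_OTP = "ccccccbhjkln" + "cbdefghijklnrtuv" * 2
```

Someone who knows alice’s password but types bob’s key (or a hand-made string) fails this gate before the encrypted token is even looked at; a stolen OTP that passes it still has to survive the server’s decryption and counter check.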


But wait, if someone steals my key can they access my information?

Nope. Nothing is stored on the key. There would be nothing to trace it back to you or your accounts unless you’ve physically written your name and address on the USB. In fact, the Yubikey is so secure that the only thing the finder of your key could do would be start using it as their own after linking it to their personal accounts.

But what if I lose or break my key? Am I locked out for good?

Nope. Thankfully, companies that allow for U2F security require their users to have a backup entry for their account. This could be in the form of a one-time password sent to their mobile device or backup email address.

Yubico does, however, recommend keeping an extra key in a safe place, just like you would an extra house key or a spare car key.

If I can use my phone as a second form of verification, why should I spend money on a new USB key?

According to Ronnie, phones come with certain limitations that the Yubikey does not. For example, if your phone’s battery is dead, how will you be able to receive your one-time password? The same thing can happen if you’re in an area without cellphone service, or if you’re in an area where phones aren’t allowed.

Let’s say none of these issues apply to you. Your phone has infinite battery life, and you have the world’s greatest service that never disappears (if that’s the case, what service are you using?! Seriously, I need to know.). What the Yubikey holds above this hypothetical super phone is speed.

Any time you use your phone as a second-step verification, you have to wait to receive your one-time code. Depending on how well the servers are working that day, this can take anywhere from a couple of seconds to minutes. In our fast-paced society, every second counts. The user of a Yubikey does not have to wait for a confirmation code. Just tap the button on the device and you’re in. With Yubico, simplicity is key (pun not intended, but definitely appreciated).


So does this mean companies like Google are getting rid of passwords altogether?

Ronnie says not necessarily. From Yubico’s perspective, usernames and passwords are still the first step to logging in to an account. What the USB key provides is the ability to make your passwords less complex without worrying that they could be easily guessed. The Yubikey is a form of interactive design that’s working to make our online lives simpler and more secure.
