Today’s big tech news is the hijacking of several prominent twitter accounts. The hijack method isn’t confirmed, but it was most likely the result of a recent phishing exploit.
Twitter is very vulnerable to phishing attacks. In order for third parties to interact with a twitter account they need the authentication credentials. There are a number of useful services, Snaptweet for instance, which require your twitter user name and password to operate.
Twitter does not yet support a token-based API authentication protocol, though twitter has announced support for OAuth, but it has not been implemented yet.
Authentication is one of those internet-wide thorny problems. Not only is it a primary vector for technological security problems, but it’s vulnerable to sociological exploits as well. A technically secure application can be easily infiltrated simply by tricking a user to give you their password.
There are a number of initiatives on the internet to simplify the authentication problem, including Facebook Connect and OpenID. While “single sign-on” architectures may be ideal within an organization, like a large company or university, I think they’re inherently dangerous as a means of granting authentication potentially to any service on the internet.
I would like to see a key chain style approach to service authentication. This would have the following features:
- Would maintain unique credentials for any service, preventing users from recycling passwords.
- Would require identification for usage. Ideally this would incorporate eye or fingerprint recognition, or some other method of physically verifying the identity of the user, while falling back on a passphrase.
- Would be portable, by syncing the key chain with a mobile device or networked drive.
- Usage of the key chain away from an unregistered computer (like your home or office computers) would result in text, email, or voice mail notifications sent to points of contact. You would get alerted by unauthorized usage.
- Implementation of the key chain would be built into the browser’s architecture.
- Usage of your keychain would be logged, and you could look at a usage statement similar to a credit card statement at the end of the month.
Obviously there are a number of big tech hurdles there, but overcoming them would lead to an improvement of the security of the internet as a whole.