“Lawyers Moving Past Passwords” by Sharon Nelson and John Simek was recently featured in Slaw Magazine. Slaw is a Canadian online legal magazine.
Passwords have been around since the early days of mainframe computing. Believe it or not, passwords were not originally designed to prove identity. The betting money is that computer passwords first showed up at the Massachusetts Institute of Technology in the mid-1960s, used to track each user’s time on a mainframe computer, the Compatible Time-Sharing System (CTSS).
Today, passwords are used to help authenticate the identity of the computer user. From a security perspective, the problem is that people use crummy passwords, forget them and even reuse them across multiple systems. At the end of the day, if someone has your password, the computer doesn’t know it really isn’t you. It’s no secret that many lawyers are resistant to change. Abandoning passwords is no different. With the significant increase in remote workers, get ready for a change in how you will access your firm’s network or cloud service.
Password managers help by generating a strong, unique password for every account you access. Depending on the password manager you use, there may be issues with accessing the encrypted password vault across multiple devices. Many services will let you log in with your Apple, Google or Facebook password instead of creating a separate password for that service. That strikes us as a bad idea. If that service is compromised, the attacker has the keys to your Facebook, Google or Apple account. You can add two-factor authentication (2FA) to increase security, but a second passcode sent by text message can be intercepted.
You’ve probably heard of multi-factor authentication. A password is something you know. A second factor is something you have, such as a security key or token. A third factor is something about you – biometrics. There is a move afoot to totally ditch passwords and move to something you have and something you are.
Fast Identity Online (FIDO) is a set of standards designed to let you drop passwords as an authentication method. The standards rely on hardware security keys and dovetail with biometrics. Think of a hardware security key as the digital equivalent of your house key. The security key plugs into a USB or Lightning port. It is a single device that works with multiple apps and websites. The key can be augmented with biometric access such as Windows Hello or Apple’s Face ID.
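The challenge-response behind FIDO, shown as an added example that is not from the Slaw article or the FIDO specifications: a simplified model of a FIDO2/WebAuthn login assertion in Go. The hardware key holds a private key that never leaves the device and signs the site's one-time challenge together with the origin the browser observed, so there is no password to steal and a look-alike site's origin does not verify. Real WebAuthn adds CBOR encoding, signature counters and attestation, which this model omits; the relying-party ID, origin and challenge values used with it are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
)

// clientData: the browser's JSON with the server's one-time challenge and the origin the browser itself observed.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}
// Assertion is what the relying party gets back; Authenticator models the hardware key (private key stays inside).
type Assertion struct{ AuthData, ClientDataJSON, Signature []byte }
type Authenticator struct{ priv *ecdsa.PrivateKey }
// NewAuthenticator makes a P-256 key pair (registration); the relying party stores only the public key.
func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Authenticator{priv: priv}, err
}
func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.priv.PublicKey }
// signedDigest = SHA-256(authData || SHA-256(clientDataJSON)); authData = SHA-256(rpID) || flags byte.
func signedDigest(authData, cdj []byte) []byte {
	cdHash := sha256.Sum256(cdj)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}
// Assert is the key answering a challenge for the origin the browser reports (simplified model).
func (a *Authenticator) Assert(rpID, challenge, origin string) (Assertion, error) {
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x01) // trailing flags byte: 0x01 = user present
	cdj, err := json.Marshal(clientData{challenge, origin})
	if err != nil {
		return Assertion{}, err
	}
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedDigest(authData, cdj))
	return Assertion{authData, cdj, sig}, err
}
// Verify is the relying-party check: its own challenge, origin and rpID hash,
// plus a signature that only the registered key could have produced.
func Verify(pub *ecdsa.PublicKey, rpID, challenge, origin string, as Assertion) bool {
	var cd clientData
	rpHash := sha256.Sum256([]byte(rpID))
	ok := json.Unmarshal(as.ClientDataJSON, &cd) == nil && cd.Challenge == challenge &&
		cd.Origin == origin && len(as.AuthData) >= 33 && string(as.AuthData[:32]) == string(rpHash[:])
	return ok && ecdsa.VerifyASN1(pub, signedDigest(as.AuthData, as.ClientDataJSON), as.Signature)
}
```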