Cyber Security: Alternatives to Password Management Open Authentication (OAuth)For an increasing number of websites it is possible to use your existing online accounts, such those provided by Google or Facebook, to register and log in. This approach for managing users' account details depends on an authentication mechanism called OAuth (i.e. Open Authentication). This method of checking a user's identity requires the website to ask the user's computer for some proof that the user's identity has been authenticated by the OAuth provider (e.g., Google). The user's computer first contacts the OAuth provider where the user can input their username and password. The OAuth provider provides a digitally signed token that confirms the user's identity. (The digitally signed token cannot be created or modified by anyone other than the OAuth provider). Once it receives the token all the website needs to do is to check that the signature on this token is valid to confirm the identify of the user. So using OAuth can simplify your password management because all you need to remember is the username and password for your account with the OAuth provider. However, just as with password managers, if you forget this password you will no longer have access to any of the accounts. Additionally, if an attacker gets access to this password, they will be able to access all the online systems you are able to access using your OAuth account details. So while password managers and online authentication services like OAuth can simplify the management of your online accounts, they are not complete solutions. Additional Information RequestsOften an account will ask you for other information such as date of birth, or for memorable information or answers to security questions. For official websites such as government sites, banking, or airline sites the date of birth needs to be accurate. But for most other sites you can make up your memorable security information so that these cannot be worked out from your social media pages, and the answers could be unique for each website, e.g. Mothers name, first school, favourite pet would be different every time. To keep track of all this information you could use a spreadsheet. To keep this spreadsheet secure the spreadsheet should be stored inside an encrypted folder. For this you could use VeraCrypt: Then, you only need to remember a single very strong password for the secure folder - which is a problem if you forget it or it is hacked! |
|