I just read an amazing and chilling story about cloud authentication and hacking. Some guy just lost a big chunk of his digital life, because cloud authentication is not secure, or maybe even more, because cloud authentication is not enough standardized/regulated/watched. In his case (read the story, I won’t repeat it here, and it is definitely worth it), the main flaw comes from the fact that Amazon identifies your credit cards on file by the 4 last digits, and Apple requires these very digits to authenticate an iCloud user.
What? No standard on the digits that may/may not be disclosed? I couldn’t get the facts from EMV or others (if you know, I am interested), but I noticed that although the digits printed on most of my (French) credit card receipts are the same (9 digits following the pattern xxxx xx00 0000 000x), some of my receipts include the infamous 4 last digits, and an Italian receipt includes the 8 first digits. Just with these few examples, I would say that, either there is no standard about which digits to show/hide, or the standard is not applied anyway. It is not difficult to guess that this is most likely not better on Internet, and not only at Amazon.
On this particular issue, I would blame Apple, because the information they require to grant access to an iCloud account is not sufficient (e-mail, billing address, partial credit card number). In particular, Apple allows you to forget the answers to your security questions, which doesn’t sound very good.
Mat Honan recommends in his paper to move beyond passwords and to adopt two-factor authentication. This sounds sensible, and I approve this move. However, in the present case, how useful would that be? If a cloud vendor uses two-factor authentication, then there must be a procedure for lost tokens. And this procedure better be good.
Not that it’s that complicated to design a procedure that works. We can for instance rely on existing infrastructure, like the Post Office. You can request your password to be snailmailed to you in a Certified Letter, which will require in-person delivery at your home or authentication with a government ID at the post office. This works perfectly against hackers, because they are not good at physical actions that require real presence.
However, this has some trade-offs: delay and price. Changing a password online is about free and instantaneous, whereas sending a physical letter has a cost, and it will take at least one day. I am ready to accept this delay and this cost to protect my most important cloud accounts, because I have some understanding of the risks. Not everybody does.
This actually represents an interesting role for two-factor authentication tokens: end-user education. Because they are a physical object, any user will understand that a new one needs to be sent if it is lost or compromised. And although they won’t be happy, they may/should/will associate the cost and delay associated to the token replacement to the security of their account.