Killing Passwords: Don’t Get A-Twitter Over ‘Digits’

At Twitter’s recently concluded first annual developer’s conference, the social networking company trumpeted what it claims is a major step on the path to killing off passwords for authentication. Called “Digits,” this is a system that mobile app developers can incorporate in their software to supposedly ease the pain of verification/authentication for newly installed apps on a user’s mobile device.

On installing a new app, a user would no longer need to establish a username/password combination nor provide an email address (which, I’m told, many younger users no longer have) in order to register the app. After downloading an app, the user simply has to enter his or her phone number, and the app will verify it by sending a text message to that number and reading it automatically. No muss, no fuss.

Of course, anyone using that mobile device would also have access to the app as if that were his phone number, unless access to the device is password/PIN protected. But, then, we haven’t exactly killed off passwords, have we? Very few apps require you to authenticate every time they’re launched -- a major security hole, in my estimation -- so the amount of time Digits saves over the life of the app (i.e., it’s used once at installation) is, essentially, none.

This should not be confused with Twitter’s (or others’) two-factor authentication (2FA) systems that use SMS messages. In those systems you need a username (or email address), a password, and a one-time-use PIN code that’s been sent to your registered phone number in order to successfully log in. That phone number is not given to the system at run-time (as it is with the Digits system) but must be entered into your user account at some point when you are already authenticated to it. Someone stealing your phone needs to know your username and password in order to even see the SMS message -- not so with Digits.

Security boffins are divided on the new service, with some arguing that it neither moves security forward nor backward. Others, though, feel it tips the usability/security scale too far towards the usability side. While passwords are considered a weak system, they do, at least, rely on a user’s personal knowledge of the choice of password/phrase. The Digits system provides no certainty that the person using the app is actually the person she claims to be.

More worrying, though, is the rise of malware that could compromise this solution. The APWG (Anti-Phishing Work Group, an industry consortium) published last year a paper (“Mobile Fraud Supplement: Mobile Crimeware and Criminal Services Market”) which noted an emerging threat called “SMS Stealer apps.” These apps, which the miscreants try to get you to download onto your mobile device, can intercept SMS texts from specific sources and send them to the attackers. So far, these malicious apps have mostly been used to allow cyber criminals to circumvent SMS-based authentication for online banking. But I’d wager we’ll soon be seeing versions that target Twitter, Google, and Facebook SMSs as well.

Digits is an “ease of use” service, which does nothing to improve security, and -- by lulling users into a false sense of security -- it makes your mobile device less secure. If security of your device is of any interest to you then strengthen the authentication you use to unlock the device. That’s your best protection.