Conventional wisdom says that simple security is an oxymoron. Good security is complex, while uncomplicated security is weak.
Whenever security is discussed, I think of Bruce Schneier. The US-based security guru describes crime and prevention forcefully. What's YOUR security profile?
Much of our everyday security practices are unconscious, notes Schneier. We do them out of habit, and don't recognize them as strategic security decisions.
When you leave your home, you lock the door, don't you? We all do. Reasons range from burglary to wandering pets, but it's a security precaution. We carry a hard token (a key) that allows us to unlock the security mechanism (our door-lock) when we want to enter.
This is single-factor authentication. Anyone can use a copy of the key to enter your flat--the door won't know the difference.
Two-factor authentication (2FA) is often described as "something you know, plus something you have." The best example is the online banking system mandated by the HKMA in 2005. The hard token, a small electronic device that generates a numerical code when you press a button, is the thing you have--your username/password combination is the thing you know.
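How a code-generating hard token of the kind described above can be checked on the server side, as an added example that is not from the column and does not describe any HKMA or bank system: the token is modelled as an RFC 4226 HOTP device (one code per button press), and the server tolerates a few missed presses with a look-ahead window while refusing to accept any code twice. The `TokenRecord` and `HardwareToken` names, the window size and the test secret are assumptions.

```python
import hmac
import hashlib
import struct

# Added example (not the column's code): an RFC 4226 HOTP verifier modelling a
# press-a-button hardware token. Token and server share a secret and a counter;
# each press increments the token's counter and shows a 6-digit code. The server
# accepts a code only if it matches one of the next few counter values (a small
# look-ahead window) and then moves its counter past it, so no code is reusable.

DIGITS = 6
LOOK_AHEAD = 5  # missed presses the server tolerates (assumed policy value)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """Compute the RFC 4226 HOTP value for a given secret and counter."""
    msg = struct.pack(">Q", counter)            # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                     # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TokenRecord:
    """Server-side state for one enrolled hardware token (assumed name)."""
    def __init__(self, secret: bytes, counter: int = 0):
        self.secret = secret
        self.counter = counter  # next counter value the server expects

    def verify(self, submitted: str) -> bool:
        """Accept a code matching counter..counter+LOOK_AHEAD; a counter value
        at or below one already consumed is never accepted (no replay)."""
        for c in range(self.counter, self.counter + LOOK_AHEAD + 1):
            if hmac.compare_digest(hotp(self.secret, c), submitted):
                self.counter = c + 1  # resync to the token and burn this code
                return True
        return False


class HardwareToken:
    """Constructed stand-in for the physical device: press() yields the next code."""
    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def press(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code
```

If the user presses the button more than `LOOK_AHEAD` times without logging in, the token drifts out of the window and must be resynchronised through another channel, which is the usual trade-off between convenience and replay resistance.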
The e-channel's 2FA setup
Another example: the world-class e-channel setup used by both Hong Kong and Macau Immigration departments. ID card holders possess a hard token which contains a biometric: the card-holder's thumbprint. Presenting the token (your ID card) for scanning is the first factor--the second factor is your thumb pressed against the scanner.
This isn't a case of "something you know, plus something you have." This is a hard token produced by the Hong Kong government--an ID card that contains your unique thumbprint as identity-authenticator. The card is produced at a dedicated facility where you present yourself for identity authentication, and it is a world-class identifying token with a host of anti-counterfeiting measures.
Of course, the card could be lost or stolen. But it would take an uncommon criminal to fake your thumbprint on the scanner at an Immigration checkpoint.
The system is easy and convenient to use, yet it's highly secure. The e-channel at both Hong Kong and Macau Immigration checkpoints is an exemplar of tech security deployed on a large scale to benefit ordinary citizens.
It's also a prime example of a public-sector initiative that helps drive private-sector business. Secure and streamlined passport-free travel between Hong Kong and Macau smooths transit for frequent business travelers and improves business ties.
Security now for the future
The recent massive DDoS attack against South Korean banks illustrates, yet again, the depths of intrusion possible within the cyberdrome. Our digital interconnection, it seems, leads to trench warfare on the wires. Government spokespeople spin dire tales of "cyberwarfare" and accuse nation-states of hacking, spying, DDoSing or otherwise committing digital mayhem in search of intelligence...or simply to commit evil deeds.
Is there a limit to the scale of cyberintrusion? I can't see it. But 2FA is an important component of any security strategy. Consumer services like Gmail and Apple's iCloud now offer 2FA: the second factor being an SMS message to a previously secured mobile phone number (not necessarily available in Asia, yet).
The evolution of 2FA as a simple yet effective security measure is heartening. Nothing invented by humans cannot be broken by humans, but as ever in the security world, we take our small victories and build on them.
This story, "Making security simple" was originally published by Computerworld Hong Kong.