PayPal's better way to count authentication failures

Websites use the baseball rule to thwart authentication thieves: Three strikes and you're out. PayPal argues that there's a better way, one that customizes the rules to the user.


Website payment systems today are pretty good at detecting a bad authentication attempt. Things get tricky in two areas. The first is keeping track of how many bad attempts happen across different devices, browsers and IP addresses: an attacker who spreads guesses over many addresses still has to be counted against the one account, and that is critical if you want to enforce a "six authentication errors and we lock you out for two days" kind of policy. The second is trying to differentiate between someone guessing a password — or trying what they thought they saw while shoulder surfing — and someone who simply makes typos when entering the password in a hurry. Is it an honest mistake or a criminal attempt?

In a patent that was awarded to PayPal on Tuesday (Aug. 2), the payments maestro has convinced federal patent people that it has come up with a way to more accurately navigate both of those authentication minefields.

Its suggested approach is interesting. It starts with the strategy of requiring "additional security [for] users who frequently authenticate, while giving a few more attempts to [users] who do not frequently authenticate without significantly decreasing security."

Simply put, it's acknowledging that people who authenticate frequently — say, knowledge workers who log into a secure site 50 times a day, logging back in every time they are timed out — are more likely to get their authentication right than those who only log in once a month. There is a better chance that the occasional user isn't remembering the password correctly and is thrown off by some part of the interface. Therefore, cut the occasional user more slack.

This is how the patent put it: "A user trying to authenticate to a website to access their account will have a set number of authentication attempts before the website freezes the account, the user has to do a password reset, and/or the user may have to contact the website provider to unfreeze their account. In many conventional examples, the threshold is three (3) attempts. However, the threshold is arbitrary, and does not maximize usability and security. For some users that frequent a website, three attempts are probably unnecessary. For users that may visit the website very sporadically, three attempts may not be enough. Moreover, the users that frequent the website may have more invested in their account with the website and, thus, may have more to lose from an attacker gaining access to their account that may cost the user and even the website provider more than it would for a sporadic or infrequent user."

The key part of that quote is "the threshold is arbitrary, and does not maximize usability and security." In other words, make the number of acceptable mistakes adapt to the user's history, rather than being a blanket rule for all. I hate it when patents actually make sense.

There is an underlying premise here, though, that challenges a long-held security belief. People who frequently authenticate themselves on a secure site — consider the knowledge workers referenced earlier — leave more information about themselves with every attempt. Therefore, isn't there an argument that we should give those users more slack? They may need it less (as they are less likely to get the authentication wrong) but they are also better known and are less likely to be thieves.

Let's drill down on that. The whole point behind this wrong-authentication limit is to prevent unauthorized persons from repeatedly trying password combos until they get in. It doesn't make much sense for people who have proved that they have legitimate credentials to do that. The catch is that a login history belongs to the account, not to whoever is typing at the moment, so the extra slack is only as safe as the site's ability to tell that the person failing today is the same one who succeeded yesterday.

That gets us into math. Back to the patent, which envisions "methods that determine the authentication threshold by analyzing a recentness of a successful authentication, a number of successful authentication attempts over a predetermined sequence, and a number of overall successful authentication attempts."

And if the device being used is a mobile device, there are many other ways to try to authenticate — or at the very least, to recognize that this is the same person who tried unsuccessfully to log in 20 minutes ago. The patent mentions "sensor components may include camera and imaging components, accelerometers, GPS devices (and) motion capture devices."
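The three factors in that quote, plus the account-wide counting and the device recognition discussed above, lend themselves to a small model. The Python below is an added example written for this article; it is not PayPal's implementation and nothing in it comes from the patent beyond the names of the three factors. The weights, the windows (30 days, 10 attempts, 50 lifetime successes), the two-day lockout, the extra attempt for a device that has logged in before, and the rule that the sequence is evaluated only on attempts before the current failure streak are all my own assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Every constant here is an illustrative assumption: the patent text quoted
# above names the factors but gives no weights, windows or lockout length.
BASE_THRESHOLD = 3      # the conventional "three strikes"
MIN_THRESHOLD = 2
MAX_THRESHOLD = 5
STALE_DAYS = 30         # last success older than this: an occasional user
FREQUENT_DAYS = 1       # last success within this: a frequent user
FREQUENT_TOTAL = 50     # lifetime successes that mark an established account
SEQUENCE_LEN = 10       # the "predetermined sequence" of attempts examined
LOCKOUT = timedelta(days=2)


@dataclass
class Attempt:
    when: datetime
    ok: bool
    device_id: str      # client-supplied device/browser identifier (assumed)


@dataclass
class Account:
    # One history per account, whatever device or IP the attempt came from,
    # so guesses spread over many addresses still add up against the account.
    attempts: List[Attempt] = field(default_factory=list)
    locked_until: Optional[datetime] = None


def current_streak(acct: Account) -> int:
    """Consecutive failures since the last success, counted account-wide."""
    n = 0
    for a in reversed(acct.attempts):
        if a.ok:
            break
        n += 1
    return n


def adaptive_threshold(acct: Account, now: datetime, device_id: str) -> int:
    """Failures allowed before lockout, from the three factors the patent
    names (recency of the last success, successes over the last SEQUENCE_LEN
    attempts, lifetime successes) plus an assumed bonus for a known device."""
    # Look only at attempts *before* the current failure streak; otherwise an
    # attacker's own guesses would lower the success rate and raise the limit.
    past = acct.attempts[:len(acct.attempts) - current_streak(acct)]
    successes = [a for a in past if a.ok]
    if not successes:
        return BASE_THRESHOLD          # no history to learn from

    threshold = BASE_THRESHOLD
    days_since = (now - successes[-1].when).days
    recent = past[-SEQUENCE_LEN:]
    recent_rate = sum(a.ok for a in recent) / len(recent)

    if days_since >= STALE_DAYS:
        threshold += 1                 # rusty, occasional user: more slack
    elif days_since <= FREQUENT_DAYS and len(successes) >= FREQUENT_TOTAL:
        threshold -= 1                 # frequent user with more at stake: tighter
    if recent_rate < 0.5:
        threshold += 1                 # a record of honest typos, not a streak
    if any(a.device_id == device_id for a in successes):
        threshold += 1                 # device that has logged in before
    return max(MIN_THRESHOLD, min(MAX_THRESHOLD, threshold))


def attempt_login(acct: Account, now: datetime, ok: bool, device_id: str) -> str:
    """Record one attempt and return 'ok', 'fail' or 'locked'."""
    if acct.locked_until is not None and now < acct.locked_until:
        return "locked"                # even a correct password is refused
    acct.attempts.append(Attempt(now, ok, device_id))
    if ok:
        acct.locked_until = None
        return "ok"
    if current_streak(acct) >= adaptive_threshold(acct, now, device_id):
        acct.locked_until = now + LOCKOUT
        return "locked"
    return "fail"
```

With these constants a fresh account keeps the classic three strikes, an account whose only success was 60 days ago gets four attempts from an unknown device and five from the device it last used, and an account with 60 daily successes gets only two from an unknown device. The device bonus is only as trustworthy as the identifier behind it, which is where the sensor-based recognition mentioned above would plug in; and because the sequence is measured before the current streak, a run of attacker failures cannot talk the limit upward.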

But the arguments have merit. It's probably a good thing, and a good time, to rethink authentication rules and let them be more user-oriented.

This article is published as part of the IDG Contributor Network.
