California SB-327 and the Wake-Up Call for Stronger Authentication by Arshad Noor, CTO at StrongKey


While the California Consumer Privacy Act (CCPA) dominated recent headlines, a little-known bill called CA SB-327 was passed in hopes of preventing manufacturers from shipping thousands or even millions of devices with the same default password that many consumers will never change. Effectively, it mandates that anyone producing a device that connects to the internet must have a unique pre-programmed password on the manufactured device. It goes into effect on January 1, 2020. While some believe that this will provide consumers with adequate levels of security, the legislature unfortunately chose to mandate archaic 20th-century technology that has proven to be notoriously unreliable.

Passwords are the leading cause of data breaches on the internet, accounting for more than 80 percent of hacking-related breaches. This, in addition to the fact that there are bands of botnets with billions of stolen credentials to reuse against websites, presages a major security risk to consumers across the state of California.

The sooner we as a society can eliminate passwords and other forms of shared-secret authentication, such as one-time PINs (OTP), knowledge-based authentication (KBA) and SMS codes, the safer we will be.

Progress is slow

Currently, progress towards the password-less goal is slim. The drafters of SB-327 chose to replace default manufacturer passwords with individual, pre-assigned passwords on the assumption that IoT devices are unsafe because of the particular passwords used to secure them, not because of passwords themselves.

The FIDO Alliance, a non-profit standards group of more than 200 companies from around the world, has been working for more than five years to eliminate passwords from the internet. They have standardized two protocols that have had dozens of implementations on the market in the past three years and are finalizing a newer version in conjunction with the World Wide Web Consortium (W3C), the standards group that defines web protocols.

If the legislature had to name a specific authentication mechanism, it would have been prudent to name a FIDO protocol in this law. The National Institute of Standards and Technology (NIST) published a draft Special Publication 800-63-3, Digital Identity Guidelines, in 2017, naming FIDO protocols as providing the highest level of assurance for authentication technology for federal use.

The NIST National Cybersecurity Center of Excellence (NCCoE) has successfully completed two projects – and is working on a third – where FIDO protocols were specifically chosen to address authentication problems for Public Safety/First Responders, as well as to mitigate the risk of e-commerce fraud. Practice guidelines have also been published by the NCCoE to assist anyone choosing to adopt this superior authentication capability.

The password-free organization

There are 13 months before the law goes into effect. There is an opportunity for enterprising companies to move into this new niche with a better alternative for authenticating humans to devices. The vast majority of these authenticating devices need nothing more than the basic Universal 2nd Factor (U2F) protocol in password-less mode – yes, this is possible – that can register the first U2F key presented as the administrator’s key.

The device never really needs to store more than two registered keys. Manufacturers can make many assumptions about the protocol when they are designing something for their specific device. Given the price of basic U2F authenticators on e-commerce sites, manufacturers could even give away a free U2F authenticator with each $50 device to bootstrap this process. There is even open-source software that will allow device manufacturers to leverage this protocol on their device.
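The enrollment policy described above (first key presented becomes the administrator's key, no more than two keys stored), sketched as an added Go example that is not from the article, StrongKey, or any FIDO library. `Device`, `NewChallenge`, `Authenticate` and `Register` are hypothetical names; signing a bare random challenge with ECDSA P-256 stands in for the full U2F message format, and requiring the administrator's signature to enroll the second key is an assumption of this example.

```go
package main // added example: simplified model, not the U2F wire format

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

type Device struct {
	keys      []*ecdsa.PublicKey // at most two; keys[0] is the administrator
	challenge []byte             // outstanding single-use challenge, nil when none
}

// NewChallenge issues a fresh random challenge, replacing any earlier one.
func (d *Device) NewChallenge() []byte {
	d.challenge = make([]byte, 32)
	if _, err := rand.Read(d.challenge); err != nil {
		panic(err) // no entropy: fail closed
	}
	return d.challenge
}

// Authenticate returns the slot of the key that signed SHA-256(challenge).
func (d *Device) Authenticate(sig []byte) (int, error) {
	h, live := sha256.Sum256(d.challenge), d.challenge != nil
	d.challenge = nil // consumed even on failure, so a signature cannot be replayed
	for i, k := range d.keys {
		if live && ecdsa.VerifyASN1(k, h[:], sig) {
			return i, nil
		}
	}
	return -1, fmt.Errorf("no registered key signed the current challenge")
}

// Register: first key is trusted on first use; a second needs slot 0's signature.
func (d *Device) Register(pub *ecdsa.PublicKey, adminSig []byte) error {
	slot, err := d.Authenticate(adminSig)
	if len(d.keys) > 0 && (err != nil || slot != 0 || len(d.keys) >= 2) {
		return fmt.Errorf("refused: needs administrator signature and a free slot")
	}
	d.keys = append(d.keys, pub)
	return nil
}

func main() {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	fmt.Println("first key enrolled as administrator:", new(Device).Register(&k.PublicKey, nil) == nil)
}
```

Because the first key is trusted on first use, the window between unboxing and that first registration is the part of this design a manufacturer still has to protect.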

A new day in authentication

Though many will admit that passwords don’t keep data safe, people are reluctant to forgo them because they are familiar. It’s the way things have always been done. But when poor and often reused passwords are responsible for the vast majority of breaches, it’s time to admit that what was meant to keep us safe in the 1960s and ’70s is actually putting us in jeopardy in the 21st century.

CCPA pioneered a strong mandate for data privacy and security in the US, and now SB-327 is focusing on securing IoT devices. However, an opportunity was missed to ditch passwords altogether and advocate for a stronger method of authentication. We don’t need to make that mistake; there’s now an option to use FIDO protocols to keep data secure.