Presented at the Security, Identity, and Privacy Miniconf at Linux.Conf.Au 2020, January 2020, Gold Coast, Queensland, Australia.

Abstract

Historically, authentication was by username and password, perhaps with email as a password-reset flow. Users often wrote down their passwords (particularly older users), and often they had only a few passwords, so it was easy enough to try all of them.

Modern times have proven that passwords, particularly reused passwords, are insufficient protection for any even slightly valuable account. So many people now use password managers, randomised passwords, and 2FA (hardware tokens, TOTP, etc.). Some accounts also require an additional authentication flow (email, SMS) for "new device" logins. "Security aware" users give randomised answers to security challenge questions, perhaps also stored in their password managers.

This "security improvement" has a flip side: it has gone from being unlikely that users will forget their passwords or get locked out, to being more likely that users will lose access to their accounts through loss of 2FA or of an additional authentication path (e.g. phone number or email), and more likely that they will struggle with lost-password recovery. And there is a darker side still: if the user is incapacitated, or has passed away, someone close to them will often need to act "on their behalf" with those accounts (to carry out legitimate transactions, send out notifications, or simply archive the account), and will likely struggle to gain access without the original user's full set of password manager, 2FA and other credentials.

How do we balance the need to improve authentication security, and to make malicious account takeover harder, against the need for bereaved family members, or other trusted associates, to have some legitimate way to use the account? There are no easy answers here, but considering the questions is important.
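To make the trade-off above concrete, here is an added example (not from the talk) that models an account's login and recovery paths as sets of artefacts a person must hold, then computes which losses lock the user out and the fewest artefacts a trusted associate would need. The three account models are constructed assumptions, not a description of any real service.

```python
from itertools import combinations

# Constructed models (assumptions, not from the talk). Each path is the set of
# artefacts someone must hold to get in: "manager" is the password-manager vault
# plus its master password, "phone" carries both the TOTP app and the SMS number.
LEGACY = [frozenset({"password"}), frozenset({"email"})]        # login, or email reset
MODERN = [frozenset({"manager", "phone"}),                       # password + TOTP code
          frozenset({"email", "phone"})]                         # reset: email link + SMS
MODERN_WITH_CODES = MODERN + [frozenset({"manager", "codes"})]   # printed backup codes


def accessible(paths, held):
    """True if whoever holds `held` can complete at least one path."""
    return any(path <= held for path in paths)


def minimal_lockout_sets(paths):
    """Minimal sets of artefacts whose loss leaves no usable path (hitting sets)."""
    artefacts = set().union(*paths)
    found = []
    for size in range(1, len(artefacts) + 1):        # smallest sets first
        for lost in combinations(sorted(artefacts), size):
            lost = frozenset(lost)
            if any(smaller <= lost for smaller in found):
                continue                              # superset of one already found
            if not accessible(paths, artefacts - lost):
                found.append(lost)
    return found


def single_points_of_failure(paths):
    """Artefacts whose loss alone locks the owner out."""
    return sorted(next(iter(s)) for s in minimal_lockout_sets(paths) if len(s) == 1)


def smallest_handover(paths):
    """Fewest artefacts a bereaved relative or trusted associate would need."""
    return min(paths, key=len)


if __name__ == "__main__":
    for name, paths in [("legacy", LEGACY), ("modern", MODERN),
                        ("modern + backup codes", MODERN_WITH_CODES)]:
        print(f"{name}:")
        print("  lockout on loss of:", [sorted(s) for s in minimal_lockout_sets(paths)])
        print("  single points of failure:", single_points_of_failure(paths))
        print("  minimum handover:", sorted(smallest_handover(paths)))
```

The legacy account has no single point of failure and can be handed over with one artefact, while the modern account without backup codes is lost the moment the phone is, and any handover needs at least two artefacts including the password manager.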

Presentation Resources