Email Authentications: USB Drive / RSA SecurID based authentication model

These days I am really worried about the security of my email account. Since the introduction of one-gigabyte email storage, I have become totally oblivious to the kind of stuff that is lying around in my account. Critical data like my login details at various sites and newsletters from banks, airlines etc. are lying around in my email. To add to this, it's insane to remember the passwords for various bank, email and other accounts, and one tends to repeat passwords.

People are using email as the primary method of storage for all kinds of personal data. Email account security is something that nobody would like to compromise on. Companies like Google, Yahoo and Microsoft want consumers to share and store all their personal data on their servers, but they are not doing enough to safeguard this data from theft or improper access.

For a determined hacker, if one account is compromised, it would not be that difficult to figure out the other accounts one has subscribed to and to find out those login details. Most websites like Yahoo Mail, Gmail, AOL etc. have password reset options that will send a hyperlink to one of your email accounts to reset the password. Some websites even send you the password in clear text. It's kind of a chain reaction: if the wall is breached at one place, all the other accounts will be compromised.

With all the hype surrounding Web 2.0, one wonders why none of the major players like Google, Yahoo or MSN have thought of better means of safeguarding user data. Shouldn't these companies be focusing on providing better authentication models that are much more difficult to break?

Most users would be willing to pay for better security if Yahoo Mail or Gmail came up with a paid scheme to improve security. The authentication model that comes to my mind is the "something you have and something you know" scheme (two-factor authentication), which is the standard for ATMs.

Imagine the case where we have an authentication model based on a USB device and a password. While logging into an account, one has to plug the USB device into the USB port and also enter the password. This way nobody can hack your account unless he or she has both the USB device and your password.

From a usability point of view, one just has to keep the device attached to the home PC or laptop, which is not a big deal. It will work the way it is working today, with no change noticed by the users. On the other hand, when a person is traveling they just have to take this device along and plug it into the computer they are using to access their account. Obviously the users can have the option of choosing this ultra-secure model or staying with the normal password authentication model.

USB devices with 128 MB RAM can be bought for as low as $10, so cost is not a big hurdle. The biggest challenge is websites being able to read the data from this USB device, since the security architecture of the browser would prevent this from happening.

Another option is RSA SecurID token based authentication, which would be slightly more expensive and a bit more cumbersome to use, since users will have to key in a password twice (once for the RSA token number and once for the standard password), but technically it sounds much more doable.
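The password-plus-token login described above, sketched as an added example (not code from this post or from RSA). SecurID's own algorithm is proprietary, so the open RFC 6238 TOTP scheme stands in for the token number; `enroll`, `login` and all sample values are assumptions constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds each token code stays valid

def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 time-based code (HMAC-SHA1), standing in for the token display."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def enroll(password: str, salt: bytes, token_secret: bytes) -> dict:
    """Server-side record: password hash plus the secret shared with the token."""
    return {"salt": salt, "pw_hash": hash_password(password, salt),
            "token_secret": token_secret, "last_counter": -1}

def login(account: dict, password: str, code: str, now: int) -> bool:
    """Succeed only when the password AND a fresh token code are both correct."""
    pw_ok = hmac.compare_digest(hash_password(password, account["salt"]),
                                account["pw_hash"])
    matched = None
    for drift in (-1, 0, 1):  # tolerate one step of clock drift either way
        t = now + drift * STEP
        if t < 0:
            continue
        expected = totp(account["token_secret"], t)
        if hmac.compare_digest(expected.encode(), code.encode()):
            matched = t // STEP
    if not pw_ok or matched is None:
        return False
    if matched <= account["last_counter"]:
        return False  # code already used: reject replay of a captured code
    account["last_counter"] = matched
    return True

if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    acct = enroll("correct horse", b"constructed-salt", b"12345678901234567890")
    now = 1111111109
    code = totp(acct["token_secret"], now)
    print(login(acct, "correct horse", "", now))    # stolen password alone
    print(login(acct, "wrong guess", code, now))    # token code alone
    print(login(acct, "correct horse", code, now))  # both factors
    print(login(acct, "correct horse", code, now))  # same code replayed
```

A password stolen from another site is useless here without the token, and a token code captured in transit cannot be reused once the server has accepted it.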

Here is something really bizarre: "click here" and then look at the ads by Google on the left of this screen. You can see ads that want to sell you products to break into someone's email account or steal passwords. All this when the same companies are requesting you to trust them with your life :)



3 Responses to “Email Authentications : USB Drive/ RSA secure ID based authentication model”

  1. Very cool design! Useful information. Go on! film editing schools

  2. Hi, Do you know about an email service provider who offers OTP to access email accounts?
