A recent article in IEEE Security & Privacy—“Teaching Authentication as a Life Skill”—detailed the results of a team of Swiss researchers and their attempts to teach authentication to high-schoolers as a ‘life skill’. Choosing to focus on high-school students because, as they put it, ‘it is crucially important that security be taught at an early age, before users are faced with the full magnitude of security management tasks’, the researchers list ‘the natural constraints of both students and teachers in a typical high school’, writing that ‘high school students [are] unlikely to have a pre-existing interest in computer security [and] may also have limited knowledge of general computer science topics and be unable to strongly engage with the technical concepts underlying security concepts.’ Sound like anyone you work with? Perhaps the researchers’ findings can be put to use in teaching these new tricks to rather older dogs.
The lesson plan created for the pilot scheme comprised five self-contained activities:
- ‘creating strong passwords’, in which children experimented with password creation techniques and their impact on the time taken to crack the password;
- ‘password cracking’, in which they attempted to crack a series of password hashes;
- ‘graphical passwords’, which aimed to ‘introduce the concept that authentication does not necessarily mean passwords’;
- ‘personal knowledge questions’, which explained the dangers of using personal knowledge in authentication questions (e.g. ‘what is your mother’s maiden name?’); and
- ‘biometric authentication’, in which the students created silicone models of their fingerprints in order to bypass the authentication on their mobile phones.
As customers of our Mitigate internal training solution will know, the most up-to-date government guidance on authentication recommends the use of passphrases over passwords (when they must be remembered by employees, rather than stored in a password manager). Just why a passphrase can be more secure than a password is not necessarily obvious—a result of 20 years of ‘train[ing] everyone to use passwords that are hard for humans to remember, but easy for computers to guess.’ The approach used in the pilot scheme, giving the children a service that estimates the time it would take to crack a password and letting them see directly how much (or how little) a number of common techniques that supposedly make passwords stronger actually help, could easily be implemented for adult users.
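A small crack-time estimator of the kind the pilot scheme used, as an added example (my code, not the researchers' tool): it scores a password under a simple pattern-aware attacker model, the way estimators such as zxcvbn do in far more detail, and compares it with passphrases of randomly chosen words. The guess rate, the attacker's wordlist size and the sample dictionary are constructed assumptions.

```python
import math
import string

# Constructed assumptions for illustration, not measurements.
GUESSES_PER_SECOND = 1e10          # assumed offline rate against a fast, unsalted hash
ATTACKER_WORDLIST_SIZE = 100_000   # assumed size of the attacker's dictionary
SAMPLE_DICTIONARY = {"password", "troubador", "monkey", "dragon", "welcome"}  # stands in for it
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"})


def password_bits(password: str) -> float:
    """Guess-space (bits) for one password under a pattern-aware attacker.
    Trailing digits/symbols, leet swaps and a capitalised first letter are modelled
    as cheap mangling rules applied to a dictionary word; anything that is not a
    known word falls back to a random choice over the character classes it uses."""
    core = password.rstrip(string.digits + string.punctuation)
    suffix = password[len(core):]
    bits = sum(math.log2(10) if ch.isdigit() else math.log2(len(string.punctuation))
               for ch in suffix)                               # each appended char
    plain = core.translate(LEET)
    bits += sum(1 for a, b in zip(core, plain) if a != b)     # ~1 bit per leet swap
    if plain[:1].isupper() and plain[1:].islower():
        bits += 1                                             # capitalised first letter
    if plain.lower() in SAMPLE_DICTIONARY:
        return bits + math.log2(ATTACKER_WORDLIST_SIZE)
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation]
    charset = sum(len(c) for c in classes if any(ch in c for ch in password))
    return len(password) * math.log2(charset) if charset else 0.0


def passphrase_bits(word_count: int, wordlist_size: int = 7776) -> float:
    """Guess-space for word_count words picked uniformly at random from a wordlist."""
    return word_count * math.log2(wordlist_size)


def crack_seconds(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected time to hit the secret: half the keyspace at the assumed guess rate."""
    return 2 ** bits / 2 / rate


def human_time(seconds: float) -> str:
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.3f} seconds"


if __name__ == "__main__":
    for label, bits in (("Tr0ub4dor&3", password_bits("Tr0ub4dor&3")),
                        ("4 random words", passphrase_bits(4)),
                        ("6 random words", passphrase_bits(6))):
        print(f"{label:16s} {bits:5.1f} bits  ~{human_time(crack_seconds(bits))}")
```

Under these assumptions the mangled dictionary word scores about 28 bits and falls in a fraction of a second, while four random words score about 52 bits and six about 78, which is the comparison the pilot's service was meant to make visible.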
Similarly, government guidance is clear on the value of multi-factor authentication (MFA), where (at least) one factor is not something that must be remembered—for example, a fingerprint. The biometric activity teaches the valuable lesson that no matter how secure a single means of authentication appears to be, it will still have weaknesses, reinforcing the need for multiple layers of authentication. That it does so in such an engaging, Mission Impossible-style way is just a bonus. The graphical passwords lesson was also intended to encourage the students ‘to use novel password systems to help them question their assumptions surrounding text passwords’, which is another important lesson for introducing MFA.
Though the lessons were designed for high-schoolers, the skills they are attempting to instil and the methods they use to do so are relevant to everyone, regardless of age. As the authors conclude, teaching security as a ‘life skill’ in this way ‘is incredibly important to emphasize to [users] the idea that they do not have to solve the entire security problem in order to ameliorate their personal situation.’