As I was reading the article detailing Mat Honan’s multiple-account compromise (read the Wired article about it), I was surprised at how easy it was to completely subvert the standard security processes around user verification. The entire hack was possible because the attackers were able to gather easily obtainable information about Mr. Honan and then use that information against Amazon and Apple to gain access to his accounts.
So I asked myself, “What could have been done differently? How could these processes have been changed to prevent this attack?” The trick is to find a verification method that is easy to use, hard to forge, and relies on information that is hard to discover or intercept. Here are a few of the ideas that I and others have offered.