Making Authentication Child's Play - A Primary School Approach
06 October, 2021, by Stephen Swann
My first foray into computing came about when my school started a computing club. I had access to a ZX 81 and a BBC Micro. Soon after, Santa Claus delivered a ZX Spectrum 48k. My life would never be the same.
When powering on the ZX Spectrum, I was presented with a fairly blank screen into which I could start issuing commands. Normally, that meant typing LOAD "", inserting a cassette tape into a cassette player, hitting play, and waiting two or three minutes for a game to load (or fail to load, as often happened). Yes, I am that old.
At no point did I have to "log on" to anything. There was no connectivity to anything, so it hardly mattered. That continued to be the case when PCs became commonplace. My first PC at work was a Honeywell AT with a huge 512 KB of RAM, no hard drive, and a 5.25" floppy disk drive into which I would load a floppy containing a copy of MS-DOS. No logon required.
Even with the introduction of Windows (the first version I used was Windows 2.0), there was no logon.
In fact, logon requirements only really arrived in a home setting with the advent of modems and connecting to online services. (For interest, my first modem that actually worked consistently was a US Robotics 14.4 Sportster.) Connecting to services now required a User ID and a Password, and more than a quarter of a century later, we are still using those things. (Many people may even still be using the password they were first assigned by AOL, which, from what I recall, was printed on their floppy disks or CDs!)
Identification v Authentication
Teaching very young children how to use technology may require that we also ask those children to identify themselves to applications. This isn't necessarily an authentication/security issue, because very young children are probably not accessing applications which store super-sensitive information.
Instead, identification is more about personalising the experience for the child - maybe with a "Hi there Olivia, how are you today" style introductory message.
As such, for very young children it's a matter of being able to identify themselves to a system, but young children don't want to have to remember passwords. Actually, nobody wants to remember passwords! So how should they identify themselves in a manner which is trustworthy and frictionless?
Asking them to select their favourite colour the first time they use a service, and then asking them to select it each time they "identify" themselves, sounds like a simple and easily understood approach to the problem. Except children change their minds about things like favourite colour. To be honest, I don't know that I know what my favourite colour is, or who my favourite actor/actress is, or what my favourite book is; these are all subject to change even in my intransigent world.
Even asking for personal information like the name of their pet is fraught with danger. Pets die after all, and no teacher wants to deal with a sobbing child who is being asked for their dead pet's name during a logon sequence.
Selecting random images as part of a registration process and using those to identify yourself on subsequent logons has been shown to work well. For very young children, shoulder surfing isn't so much of a problem and therefore the mechanism shouldn't be considered insecure. But as they grow up, that problem becomes a little more real.
Password Complexity v Passwordless
Older children may want to hack into a classmate's application in order to copy homework. It's unlikely most of the time, but it could happen. Short, weak, identification-only logon systems are no longer appropriate for older children, so it may be time to:
- Enforce password use
- Enforce a mixture of character types, alpha/numeric/special
- Enforce a mixture of lower and upper case characters
But every attempt to make a password more complex makes it more likely that they will write their password down somewhere. And don't forget, children are absolutely useless at keeping secrets!
For the older children, maybe it is time to go passwordless?
For most of us, the concept of passwordless authentication means using an authenticator app on our smartphone, using some other physical device to generate a one-time passcode, or using a FIDO2-compliant USB key.
But children aren't allowed smartphones in many schools, and other physical devices are likely to be cost-prohibitive (never mind the issue of children losing them or forgetting to bring them to school).
Where does that leave us? Face recognition or fingerprinting is certainly doable, but would parents have concerns over how that biometric information was being stored?
It's no wonder that passwords haven't gone away yet! The alternatives bring their own set of challenges. Given those challenges, maybe what we should be doing is thinking about changing our mindset around passwords. Passwords are evil. But maybe pass phrases are acceptable?
We know we will struggle to remember a password made up of 16 upper/lower case characters, numbers and non-alphanumeric characters. Every time we add to our complexity rules, we make life harder for our users and actually reduce security. But a passphrase which ditches upper/lower case requirements and ditches the need for numbers or non-alphanumeric characters could be easy to remember, and is actually no less complex!
Take for example a passphrase made up of just three words, e.g. "safely mining brain". All of a sudden, this is something that could be remembered, would be hard to guess, and is lengthy enough to be problematic for even the most powerful of computers to crack.
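To put numbers on the comparison above, here is an added example (not from the original post) that checks a credential against the three complexity rules listed earlier and against a simple word-count passphrase policy, then computes the search-space size in bits for each attacker model. The word-list size of 40,000 and the 95-symbol printable alphabet are assumptions for illustration.

```python
import math

# Printable ASCII character classes used by the complexity-rule keyspace.
LOWER, UPPER, DIGITS, SPECIAL = 26, 26, 10, 33   # 33 = punctuation + space
PRINTABLE = LOWER + UPPER + DIGITS + SPECIAL     # 95 symbols

def complexity_ok(pw: str) -> bool:
    """The three rules from the post: mixed classes and mixed case."""
    has_lower = any(c.islower() for c in pw)
    has_upper = any(c.isupper() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    has_special = any(not c.isalnum() for c in pw)
    return has_lower and has_upper and has_digit and has_special

def passphrase_ok(phrase: str, min_words: int = 3) -> bool:
    """Passphrase policy: at least min_words whitespace-separated words, no class rules."""
    return len(phrase.split()) >= min_words

def keyspace_bits(symbols: int, alphabet: int) -> float:
    """Bits of search space when each of `symbols` positions is drawn from `alphabet` options."""
    return symbols * math.log2(alphabet)

def compare(phrase: str, dictionary_size: int = 40_000) -> dict:
    """Search space of the passphrase under two attacker models, beside complexity-rule passwords.

    dictionary_size=40_000 is an assumed word-list size; it is not a figure from the post.
    """
    words = phrase.split()
    return {
        # Attacker guesses character by character over lowercase letters plus space.
        "phrase_char_bits": keyspace_bits(len(phrase), LOWER + 1),
        # Attacker knows the word list and guesses word by word (the realistic model).
        "phrase_word_bits": keyspace_bits(len(words), dictionary_size),
        # Uniformly random passwords that satisfy the complexity rules.
        "random_8_bits": keyspace_bits(8, PRINTABLE),
        "random_16_bits": keyspace_bits(16, PRINTABLE),
    }

if __name__ == "__main__":
    sample = "safely mining brain"   # the post's example passphrase
    print("complexity rules pass:", complexity_ok(sample))
    print("passphrase policy pass:", passphrase_ok(sample))
    for name, bits in compare(sample).items():
        print(f"{name:>17}: {bits:6.1f} bits")
```

Against an attacker who knows the word list, the strength is words × log2(dictionary size), so a bigger list or a fourth word raises it far more than adding a digit or capital would.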
Passwordless authentication is definitely something we should strive for, regardless of the user community. There are challenges when it comes to children, but they aren't insurmountable. What we need to do right now, however, is forget about the notion that password complexity rules that enforce the use of numeric and non-alphanumeric characters are helping, and start working on how we can make access simpler for everyone.
NOTE: safely.mining.brain is the entrance to Belfast City Hall according to what3words.com.