If you know anything about internet security then you likely spend a lot of your time helping people improve their password hygiene.
People like moving up rankings, so let’s use that!
This post is an attempt to create an easy-to-use, visual model to help you have that conversation.
How to use this model
All models are broken, but some are useful!
The idea here is for someone in the security community—or really any security-savvy user—to use this visual to help someone with poor password hygiene.
Here are a couple of ways you can do that.
Any improvement is good. Even one step matters.
- Show Them Where They Are — The first way to use this model is to simply ask the user about their current behavior and show them where that ranks within the model's eight ranks. If you show them they're down at rank 1 or 2, seeing how low they sit in the chart, together with the color, might convey some measure of concern.
- Show Them How to Move — Next, show them the various ways they can improve. As we discussed in this Twitter thread, keep in mind that you get the most benefit by moving from 4 and below to rank 5—although they still need to do the previous steps. The next big jump comes when moving from rank 7 or below to rank 8.
Where one “should” be in this hierarchy depends on your threat model.
- Visual maturity models can sometimes help people with their desire to improve.
- The highest security improvement one can get is by moving from any rank 4 and below—to Rank 5 (SMS-based 2FA).
- The second-best security improvement is moving from rank 5, 6, or 7—to Rank 8 (Passwordless).
- Try not to skip steps, i.e., it’s best to make the move to unique, quality passwords stored in a manager before you add 2FA.
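As an added example (not code from the original post), the placement and next-move logic above can be scripted for that conversation. The post fixes only rank 5 as SMS-based 2FA and rank 8 as passwordless; the labels for the other ranks, the `Habits` questionnaire fields and the `FACTOR_RANK` values are this example's assumptions, ordered as the text implies (unique, quality, manager-stored passwords below rank 5; stronger second factors between 5 and 8). The point it shows beyond the bullets: someone who turned on SMS 2FA but still reuses passwords is placed at rank 5 on the chart, yet the skipped password steps are listed before any further move, so the conversation does not let them bypass them.

```python
from dataclasses import dataclass

# Assumed rank labels. The post fixes only rank 5 (SMS-based 2FA) and rank 8
# (passwordless); the other labels are this example's assumption, ordered as
# the text implies: password steps below 5, stronger second factors between 5 and 8.
RANKS = {
    1: "Shared or reused passwords",
    2: "Unique password per site",
    3: "Long, random passwords",
    4: "Passwords stored in a password manager",
    5: "SMS-based 2FA",
    6: "App-based OTP 2FA",
    7: "Hardware token (U2F/FIDO2)",
    8: "Passwordless (WebAuthn/FIDO2)",
}

# Second-factor choices as the user would describe them (assumed field values).
FACTOR_RANK = {"none": 0, "sms": 5, "otp": 6, "hardware": 7, "passwordless": 8}


@dataclass(frozen=True)
class Habits:
    """Answers to the 'what do you do today?' questions (assumed questionnaire)."""
    unique_passwords: bool = False    # no password is reused across sites
    quality_passwords: bool = False   # long, random, not guessable
    password_manager: bool = False    # generated and stored in a manager
    second_factor: str = "none"       # key of FACTOR_RANK


def password_steps(h: Habits):
    """The password-only steps in the order the model wants them taken."""
    return [
        ("unique passwords", h.unique_passwords),
        ("quality passwords", h.quality_passwords),
        ("a password manager", h.password_manager),
    ]


def password_rank(h: Habits) -> int:
    """Highest password-only rank (1-4) reached without skipping a step."""
    rank = 1
    for _, done in password_steps(h):
        if not done:
            break
        rank += 1
    return rank


def placement(h: Habits) -> int:
    """Where to point on the chart: the strongest behaviour the user practises."""
    return max(password_rank(h), FACTOR_RANK[h.second_factor])


def skipped_steps(h: Habits):
    """Password steps still missing, whatever second factor is in use."""
    return [name for name, done in password_steps(h) if not done]


def next_move(h: Habits):
    """Target rank and the actions to get there.

    Mirrors the post's advice: below rank 5 the big win is SMS 2FA, but only
    after the password steps; from ranks 5-7 the next big jump is rank 8.
    Skipped password steps are always listed first so they are not bypassed.
    """
    rank = placement(h)
    actions = [f"adopt {step}" for step in skipped_steps(h)]
    target = 5 if rank <= 4 else 8
    if rank < target:
        actions.append(f"move to rank {target}: {RANKS[target]}")
    return target, actions


def describe(h: Habits) -> str:
    """Plain-text summary to read out during the conversation."""
    rank = placement(h)
    target, actions = next_move(h)
    lines = [f"You are at rank {rank}: {RANKS[rank]}", f"Next target: rank {target}"]
    lines += [f"  - {a}" for a in actions]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample: SMS 2FA turned on, but passwords reused everywhere.
    print(describe(Habits(second_factor="sms")))
```

Run it and the sample user is placed at rank 5, with the three password steps listed ahead of the move to rank 8, which is the "don't skip steps" rule applied rather than just stated.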
I hope this helps you!
- Mar 30, 2021 — After more thinking and conversation with many in the security community, I reverted the numbering back to low-to-high instead of high-to-low. This is mostly because pretty much every other similar maturity model does the same. In other words, if there are 5 levels, level 5 is usually the best. Plus, having something be #1 implies that it can’t be improved, so if something better emerges it requires that the entire numbering system be reset rather than simply adding a new tier. Examples: CMMI, ISO, etc. Thanks to Ian L. for best making this point.
- Mar 30, 2021 — Another point to mention about “passwordless” is that if it were truly passwordless throughout the process it would likely be weaker than 2FA in most cases, but what we really mean by passwordless here is “from the perspective of the user at the moment of authenticating to something during the course of a day”. In other words, they’ve already fully authenticated to their OS, etc. to be able to use WebAuthN (for example) in the first place, so it’s not truly passwordless in most cases. But it is for the user experience at the time of a standard, daily authentication activity.
- Mar 29, 2021 — After much gnashing of teeth on Twitter, and many nice requests as well, I’ve added a higher tier for passwordless auth using technologies like WebAuthN and FIDO2. I also slightly tweaked the names of some of the boxes to make them shorter and clearer, and fixed an issue with YubiKey incorrectly being in Rank 2.
- Mar 26, 2021 — The response to this has been extraordinary, and a few people have already showed me translations into other languages! Evidently I was right in assuming that most security people have this conversation constantly, and appreciated having some sort of reference.
- Mar 25, 2021 — There are absolutely tangible differences between different “token” types. OTP is not the same as U2F is not the same as something that’s FIDO2 compliant. But for regular users I think it’s ok to combine them all into one that lives at the top of the model.
- Mar 24, 2021 — Thanks to Andrew R. Jamieson for making the suggestion to show what each rank is vulnerable to.
- Mar 24, 2021 — Someone mentioned that there are higher ranks of authentication out there, which I agree with, but this is specifically for everyday users.
- Mar 24, 2021 — We can pronounce the acronym as “Chasm”, as in, “Let’s see how deep into the chasm you are…” 🙂
- Mar 25, 2021 — At the suggestion of someone on Twitter, I decided to invert the numeric scores for the levels, so 7 is the worst and 1 is the best. People were saying progress makes more sense if it’s moving toward #1, and I think I agree.
- I know there’s debate about this, but even with all the recent (Spring 2021) attacks on SMS, I still consider SMS-based 2FA superior to password alone. My reasoning is simply that it requires more work for the attacker in most situations and prevents the most primitive form of credential stuffing—which is the most common type of authentication attack against accounts.
- Thanks to Troy Hunt, Anton Chuvakin, and Tim Dierks for spawning the idea for this.