Removing vulnerabilities would avoid the need for scanning and detection tools, writes former Engineers Ireland president Dr Chris Horn.

"Hackers rarely actually break in; instead they simply log in" is a worn cliché among computer security protagonists. Hackers can and do exploit defects in software code, where errors by the original authors are manipulated to enable unintended access.

If you are a Windows, Mac, Android or iPhone user, no doubt you receive regular notices that your device should now be updated to the latest version of its host software, so as to repair newly discovered security vulnerabilities.

But if a hacker can discover or deduce the password credentials for an account, it is obviously much simpler to just log in using these and so gain access.

Passwords have been critical to protecting online access to our email, online shopping carts, newspaper subscriptions, bank accounts and much more. We are strongly advised that we should never use the same password for different services, never make them too short, and never make them easy to guess. We should always change them regularly, should always use random collections of numbers, letters and punctuation marks, and should keep them private.

Awkward necessity

In short, they are incredibly inconvenient but apparently an awkward necessity for our digital lives.

Help with remembering passwords is offered by digital vaults and password managers that can administer your password portfolio on your behalf. They can synchronise passwords across the different devices you may own, and usually offer to scan the dark web looking for any compromised accounts.

However the industry, led by Google, Microsoft, Apple and others, is now rapidly moving to a 'password-less' world in which passwords can be completely avoided. The most obvious alternatives are based on biometrics, such as scanning your face or a fingerprint.

But you may baulk at major multinationals easily accumulating a huge collection of personal identity information across much of the planet, potentially invaluable to governments and police agencies alike.

Digital 'api keys'

Whatever the pros and cons of various authentication approaches for us to log in to our computers, you may not realise that software systems also make extensive use of passwords. These are in the form of digital 'api keys' to gain access to databases and other software services across the web.

These authentication credentials are not at all intended to be remembered by humans, and so usually take the form of lengthy collections of letters and numbers, randomly generated as needed.

Unlike a login password which identifies a particular user, they instead identify a particular software application, component or subsystem that may in fact be used by very many human users.

For example, if a particular app on your smart device uses a Google map – such as a taxi-hailing app, or a courier or food delivery app – the app must present its api key to Google's mapping service each time the app is run, regardless of which particular user happens to be running the app. The api key is set when the app is built, and is used by Google to verify legitimate use of its mapping service by an authorised app.

Digital keys are routinely used within application software to access payment services, databases, and other web services.

While Google does not charge app developers for integrating its mapping service into their apps, some software services offered over the web to developers do charge for their use. The api key is then critical to authenticating and charging the relevant app owner, who may then recover the cost by charging app fees to end users.

Thankfully when you use an app, you do not need to know these various internal api keys in addition to your own personal passwords. Nevertheless, the keys must appear somewhere deep within the system, and are a potential security vulnerability. If a hacker discovers such a digital secret, they can potentially script software to explore a service and any data which it may have accumulated, or run up costs for fraudulent use.

Not unusual

Software developers frequently work in teams, and may also reuse software published in open source by the community in software repositories. It is not unusual to find api keys and authentication credentials unintentionally published within software source code.

Fortunately for software developers, there are a number of tools which can scan the source code, searching for keys and credentials associated with particular web-based services, and generate an appropriate warning if discovered.
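The kind of check such tools perform, as an added illustration rather than any particular product's code: a small scanner that runs over a constructed sample source file, matching well-known key formats for named services and flagging quoted values assigned to secret-looking names when their character entropy suggests a randomly generated credential rather than a placeholder (the threshold and sample values are assumptions).

```python
import math
import re
from collections import Counter

# Constructed sample source file; every value below is made up for this example.
SAMPLE_SOURCE = """\
# config.py
MAPS_API_KEY = "AIzaSyEXAMPLEKEY0123456789abcdefghijklm"
aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"
payment_secret = "q8F2nZ0pL7xK4vB9tR1yW6mH3sD5gJ"
db_password = "changeme_changeme_changeme"
log_level = "DEBUG"
"""

# Service-specific key shapes (public formats; used here as an assumed, minimal set).
SERVICE_PATTERNS = {
    "Google API key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    "AWS access key ID": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

# Generic case: a quoted value of 16+ characters assigned to a secret-looking name.
GENERIC_ASSIGN = re.compile(
    r"(?i)\b(\w*(?:key|secret|token|password|passwd)\w*)\s*[=:]\s*['\"]([^'\"]{16,})['\"]"
)

def shannon_entropy(s):
    """Bits of entropy per character; random tokens score high, placeholders low."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def scan_source(text, entropy_threshold=3.5):
    """Return (line number, description) for each suspected credential in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for service, pattern in SERVICE_PATTERNS.items():
            if pattern.search(line):
                findings.append((lineno, service))
                break
        else:
            m = GENERIC_ASSIGN.search(line)
            # Low-entropy values such as "changeme" placeholders are left alone.
            if m and shannon_entropy(m.group(2)) >= entropy_threshold:
                findings.append((lineno, "high-entropy value assigned to " + m.group(1)))
    return findings

if __name__ == "__main__":
    for lineno, description in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {description}")
```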

But in the same way that users are being encouraged to go 'password-less' and rely instead on other authentication mechanisms, innovation may ultimately displace the need for api keys, so removing authentication vulnerabilities and also avoiding the need for scanning and detection tools.

A more sophisticated approach might use a two-stage or even a multistage handshake, and perhaps only be run in full when an app is installed or updated.

Digital authentication is an intriguing innovation space because of the counter-measures and counter-counter-measures continuously being conceived by the good and bad guys alike.

This article first appeared in The Irish Times on November 18, 2021.

Author: Dr Chris Horn, former president of Engineers Ireland, is the co-founder, CEO and chairman of IONA Technologies, industry expert on Irish technology development, trends, and business. As an honorary Doctor of Science from Trinity College Dublin and former TCD lecturer in computer science, Dr Horn is at the forefront of the Irish high-tech debate.