Back in the days of modems and character-based terminals, it was a normal practice to provide information about the previous login as part of the login sequence. This was trivially easy to implement on old-fashioned Unix, but it quickly faded from practice as graphical user interfaces became the norm. Instead of continuing this cheap and effective security practice, the world has moved on. And more loss to the world.
Multiple security failures related to logins have come to light over the last several weeks. Google has reported that their sophisticated (but unspecified) mechanisms have detected misuse of several hundred phished accounts. After a period of dissembling and vague assurances, it has now been established that the theft of seed material from RSA was instrumental in enabling the attack against Lockheed, and the status of the remaining 40,000,000 SecurID tokens remains a matter of discussion. A decade after the first feeble attempts to slurp UBS PINs, Trojans such as Zeus are stealing login factors on an industrial scale. Ultimately, no degree of authentication strength can defeat man-in-the-middle attacks against compromised endpoints. So now what?
Gartner analyst Avivah Litan makes a strong case that providers need to step up their level of fraud detection. I don’t disagree with that, but I think in the interests of defense in depth, its time to give the user some ability to monitor the status of their own account, and expect them to do so. If users were provided with information about their previous login, or better yet, logins, they would be much better prepared to detect misuse of their accounts.
I just checked Yahoo, and I can’t find anything like that. I don’t see anything like that on Facebook, and LinkedIn doesn’t tell me when I last logged in. My Recent History on Amazon does show me what books I most recently looked at, but provides no information on my login history. Gartner’s workstations run on a very common commercial operating system that is constantly asking me for my password, but I don’t remember ever being provided info on my previous login. I’ve got over 100 different logins, and the only login history I’m aware of is what appears at the bottom of a gmail page. I can’t remember the last time that any system, corporate or personal, provided me with any sort of obvious message during the login sequence.
Its time for the past to return to the present. Consumers and corporate users need to be able to defend themselves from a growing variety of increasingly simple attacks against their accounts. A cheap and simple way to enable normal people to detect some degree of account misuse would be to provide login history info, along with some explanation as to the purpose and value of reviewing it. Every login sequence on every system should pop up a message saying “You last logged into this account from IP address x.x.x.x and were logged in for a period of X”, along with a suggestion to change your password if you don’t think that’s when you last logged in.