The history of lock picking can teach us a lot about better digital security

May 31, 2023

The key was invented about 6,000 years ago, and while its mechanics have changed over time, the original concept has shaped how we keep our valuables safe — physically and digitally.

"People use the physicality of locks as almost a metaphor for how we think about security in a broader context," Leigh Honeywell, a cybersecurity consultant and a professional lock picker, told Spark host Nora Young.

The door seal was an important precursor technology to what we now know as key-based locks.

"What [locks] have been from the beginning is this administrative technology that allows us to have a different style of civilization than we would have without them," said Schuyler Towne, an anthropologist and historian of security technologies.

"The moment that the first door seal was created, the possibility of trespass was codified in some societies. The first time they were implemented was a way of saying this is a private space. It might be semi-private, there might be multiple people accessing it, but if you trespass, importantly there will be a consequence to it."

Encryption, often denoted by a little padlock in a corner of the address bar, is one example of how physical locks and keys have informed our security in the digital world.

Honeywell adds that the documented history of lock picking that propelled the evolution and improvement of the physical lock and key can apply to ongoing digital security debates.

There was tension between people who wanted to improve locks by breaking them and those who made them, about the implications and benefits of publishing the vulnerabilities of physical locks.

She says the same is happening in computer security.

"So whether it's the 1700s and angry letters written to each other in the annals of lock picking journals versus today on email lists and Twitter, it's the same debate fundamentally," said Honeywell.

Towne, a two-time lock picking champion, says unlike in the physical world, cryptographers and people working on encryption are trying to protect users in an environment where our attack surface is infinite.

That attack surface has grown in parallel with the rise of the Internet of Things.

With the increased use of internet-connected devices, we've also seen the adoption of biometrics in everyday life. The keys to opening and securing our technology are actually our bodies, says Lily Hay Newman, a senior writer at WIRED.

Smartphones and computers now use fingerprint and face scans as authentication. The major draw of biometrics is that they're infallible, they can't be swapped out or forged, and they're always on you, she says.

When it comes to things like passwords or physical keys, Newman says, they can be lost, stolen, or copied, so you have to make them more complicated, like long, unique passwords or multiple locks on a door.

However, she says using parts of ourselves to secure our personal data on these devices is a double-edged sword. If someone's fingerprint, their retinal scan or heartbeat is ever compromised, that's permanent.

"These characteristics of us — they are innate, and they are largely unchangeable throughout our lives. And if someone can copy and emulate that, that really undermines the protection," she said.

Newman says Apple's face ID and touch ID, for example, addressed this risk by doing all biometric authentication locally on people's devices, so the data collected isn't stored in a cloud repository or central database that the company can access. "That way, you're not creating a situation where all the users' fingerprints and all their biometrics could be stolen at once by a bad actor."

There is an effort to diversify digital authentication, beyond biometrics, and move away from passwords.

"[While] we all clearly see the flaws of passwords and the problems that have emerged, password-based authentication is so incredibly ubiquitous that it's going to take a long time to phase out, especially because the overhead or cost of deploying it is relatively low," said Newman.

She says the passkey, a cryptographic credential tied to a user account and website that doesn't require a username or password, is a more secure alternative to password-based authentication. It reduces the risk of phishing attacks and breaches.

A hardware authentication token or hardware key, she says, is another great tool for our most valuable and most sensitive accounts, like emails and banking. It is often in the form of a thumb drive or USB that plugs into your computer — much like a door key.

"If you were managing a key ring of 500 of these thumb drives for all of your accounts, I am totally recognizing that that would not be realistic," said Newman.

While the physical key has evolved over the years, the concept behind it remains unchanged. The same can be expected, she says, as we look to the future of how we secure and access our valuables digitally.

"I always go back to the physical analogies, how different are locks and keys than they were in the Middle Ages, or how different is the lock you use on your locker compared to one someone would use on their locker at school in the 1960s," said Newman. "And from that, I think we can kind of see conceptually, there aren't a lot of changes... There are refinements and improvements over the years that make authentication or unlocking a door easier."

When it comes to physical security, Towne says there are internet-connected locking systems out there, like electromechanical locks or smart locks that can be good alternatives to manual locks. But, in addition to increasing our attack surface, there are barriers to this technology, like internet and phone access.

"I truly believe that in 50 years, the iconography for what a lock and a key are is going to remain the same," said Towne.

Written by Samraweet Yohannes. Produced by Michelle Parise, Samraweet Yohannes, and Adam Killick.