Security Through Obscurity (STO): History, Criticism & Risks


The concept of security through obscurity (STO) relies on the idea that a system can remain secure as long as its vulnerabilities are secret or hidden. If an attacker does not know what the weaknesses are, they cannot exploit them. The flip side is that once a vulnerability is exposed, the system is no longer secure. It is commonly held that security through obscurity is only effective when used as one layer of security and not as the entire security system. STO is a controversial topic in the IT world. On its own, it is an ineffective security measure.

What is security through obscurity?

Obscurity means being unknown. Security through obscurity seeks to keep a system secure by keeping knowledge of it secret. The inner mechanisms and workings of a system are kept on a “need to know” basis. If no one outside of the core group is aware of those mechanisms, or of the vulnerabilities, the system can remain secure. In theory, this works, but the margin for human error is wide. If there is a leak, the entire system can be compromised.

History of STO

The concept of security through obscurity has a long-standing history, with early opponents dating back to the 1850s. The controversy then involved publishing how to successfully pick a state-of-the-art lock of the time. While there was much outrage, the argument was made that people working to break in already know how, and that exposing flaws in the design will not actually make the locks more vulnerable to attack. STO has been a traditional aspect of cryptography, with government agencies such as the NSA (National Security Agency) employing cryptographers whose work was kept secret. On the opposite side, Kerckhoffs’s Principle from the end of the 19th century holds that a cryptographic system should remain secure as long as the key is kept secret, even if everything else about the system is well known.

Obscurity in architecture vs. technique

Security by obscurity is in essence an insecure concept, because the hidden secret, or unknown entity, becomes the key to unlocking the entire system. Once the enemy has this key, they have access to everything. As a technique used in isolation, security by obscurity is therefore insecure. When used as part of a system’s architecture, as an independent layer on top of other controls, security through obscurity can be an effective security measure. For example, camouflage is a helpful security measure, but if an attacker can see through it, it is no longer effective unless there is additional protection underneath the camouflaged layer.
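The camouflage argument above, and Kerckhoffs’s principle from the history section, as an added example that is not part of the original article: a constructed request handler protects an admin action with an unguessable path (the obscurity layer) and, underneath it, an HMAC-signed token whose algorithm is public and whose only secret is the server-side key. The path, key, user names and the `handle`/`scenarios` helpers are all assumptions made for this illustration.

```python
import hashlib
import hmac

# Constructed values (not from the article). KEY is assumed to live only
# on the server; HIDDEN_PATH is the "camouflage" an attacker must guess.
KEY = b"server-side-key-assumed-never-shipped-to-clients"
HIDDEN_PATH = "/a8f3e1c9-admin"


def sign(user: str) -> str:
    """Public algorithm (Kerckhoffs): HMAC-SHA256 over the user name."""
    return hmac.new(KEY, user.encode(), hashlib.sha256).hexdigest()


def token_valid(user: str, tag: str) -> bool:
    # Constant-time comparison so the check itself leaks nothing by timing.
    return hmac.compare_digest(sign(user), tag)


def handle(path: str, user: str = "", tag: str = "", layered: bool = True) -> int:
    """Return an HTTP status. layered=False models an obscurity-only design."""
    if path != HIDDEN_PATH:
        return 404                      # obscurity layer: nothing to see
    if layered and not token_valid(user, tag):
        return 401                      # the real control underneath
    return 200


def scenarios() -> dict:
    """Outcomes before and after the hidden path leaks, for both designs."""
    good = sign("alice")
    return {
        # Path still unknown: both designs hold, the camouflage works.
        "unknown_path": handle("/admin"),
        # Path leaked, obscurity-only design: camouflage was the whole wall.
        "leaked_path_obscurity_only": handle(HIDDEN_PATH, layered=False),
        # Path leaked, layered design: a token only KEY can mint is still needed.
        "leaked_path_no_token": handle(HIDDEN_PATH, "mallory", "00" * 32),
        # Legitimate user with a real token passes both layers.
        "leaked_path_valid_token": handle(HIDDEN_PATH, "alice", good),
    }
```

Run `scenarios()` to see that leaking the path turns the obscurity-only design into an open door (200) while the layered design still answers 401 without a valid token.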

Good obscurity compared to bad obscurity

STO as the only method for protecting your assets is a bad idea, but when used in conjunction with other security measures, it can be a useful tool