Mathew J. Schwartz
Kill Passwords: Hassle-Free Substitute Wanted
Let's play the "who's got the most passwords?" game. Count PIN codes for mobile devices, ATM cards and, if you're European, credit cards. Then move to websites, including social networks, school records, e-commerce, banking, health insurance, ticket-buying, airlines and customer rewards.
What's your score? The average consumer today has about 25 passwords. Good luck remembering them all without writing some down.
Furthermore, the infuriating fact remains that, despite our best efforts, the odds are stacked against people who must use passwords. Just one failure somewhere in a long chain of processes, involving poor encryption, crummy database security, password reuse, card skimmers with cameras or social engineers, can allow an attacker to bypass the security that passwords supposedly provide.
In other words, passwords stink. "You would have to be living in a cave the past couple of years to not realize that passwords are next to useless as a security mechanism," said Sally Hudson, IDC's research director for identity and access management, via email.
Can passwords be replaced? Unfortunately, no one approach is going to overthrow the tyranny of password proliferation. "We're looking for a new way, we're looking for a new type of protection, and I don't think the industry has found it yet -- or at least, not just one answer," said Sean Brady, RSA's director of product marketing, speaking by phone.
In the future, however, businesses might be able to deemphasize passwords in favor of better intelligence. "Some solutions, like one-time passwords, may work for certain segments, but where we think the industry is going -- not to throw around marketing terms -- but you're entering a world where notions of big data and analytics, and consuming all of the information that exists about us on the Web, and our histories, will all now be part of a risk profile," said Brady.
One proto-password-replacement example is RSA's Adaptive Authentication, which counts about 300 million end users -- largely banking customers -- and keeps a risk profile of each user (time of day they're logging in, device used, location, and so on) to determine how many different security questions the user must answer before being granted access.
But expanding that approach to the point where it might replace passwords altogether faces three big challenges. The first is "doing that in real time," Brady said. The second is accurately distinguishing between useful risk information and useless risk information -- and making sure you don't collect the latter -- and the third is automating the process enough to not create another administrative headache for information security managers.
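To make the adaptive approach concrete, here is an added example (not RSA's code; the signal names, weights and thresholds are assumptions) of a risk profile that scores a login attempt on time of day, device, location and the value of the requested action, maps the score to a number of extra questions, and learns a device once it has been fully verified:

```go
package main

// LoginSignals are what the relying party observes at an attempt; the fields are constructed for this example.
type LoginSignals struct {
	Hour      int     // local hour of the attempt, 0-23
	DeviceID  string  // fingerprint of the browser or device
	Country   string  // geolocation of the source address
	TxnAmount float64 // value of the requested action; 0 for a balance check
}

// Profile is the per-user history that each new attempt is compared against.
type Profile struct {
	ActiveStart, ActiveEnd int // usual login window, inclusive hours
	KnownDevices           map[string]bool
	HomeCountry            string
}

// RiskScore adds a weighted penalty (weights assumed) for every signal that departs from the profile.
func RiskScore(p Profile, s LoginSignals) int {
	score := 0
	if s.Hour < p.ActiveStart || s.Hour > p.ActiveEnd {
		score += 1 // outside the user's usual hours
	}
	if !p.KnownDevices[s.DeviceID] {
		score += 2 // never seen this device before
	}
	if s.Country != p.HomeCountry {
		score += 3 // unusual location
	}
	if s.TxnAmount >= 100000 {
		score += 3 // moving large sums is not "checking your balance"
	}
	return score
}

// thresholds: a score of at least thresholds[i] means at least i+1 extra questions.
var thresholds = []int{1, 3, 6}

func RequiredQuestions(score int) int {
	n := 0
	for _, t := range thresholds {
		if score >= t {
			n++
		}
	}
	return n
}

// Learn records a device after a fully verified login so it counts as known next time.
func (p *Profile) Learn(s LoginSignals) { p.KnownDevices[s.DeviceID] = true }
```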
Beyond building a better risk profile, another -- perhaps complementary -- approach is being advanced by the FIDO Alliance, which is creating an open standard that will let websites authenticate users with whatever is to hand: a biometric fingerprint reader on a user's PC, security questions, one-time passwords sent to smartphones, USB security tokens, voice recognition, two-factor authentication systems such as SecurID, Trusted Platform Modules (TPMs) built into PCs and so on. The elegance of this approach is that in the era of BYOD (bring your own device), FIDO is advancing an anything-goes, "authenticate with what you've got to hand" model.
Early FIDO participants include PayPal, Lenovo, Validity Sensors, Nok Nok Labs, Agnitio and Infineon, and they say their approach would secure every part of the authentication process, from client to server and back again. "There is no security standard today that addresses security from the ecosystem standpoint. It's not enough if you secure the client, or the server; a security link has to be end to end," said Ramesh Kesanupalli, VP of the FIDO Alliance, speaking by phone.
FIDO's backers also claim their framework would add minimal "friction" to the user experience. "Your identity and credentials remain on your device," said Sebastien Taveau, CTO of Validity Sensors and a FIDO Alliance board member, via phone. "What happens is the service provider or relying party is going to ping you and say, 'We see that you have a FIDO token on your device; do you want to use it?'"
For everyone who might love to see passwords become extinct, the good news is that thanks to an approach such as FIDO, we may one day need fewer passwords. The bad news is that we'd still need passwords, for example to log into our PC. "I don't think passwords are going to go, even for FIDO," said Kesanupalli. "Passwords are a bootstrap to start the process."
Even so, password use could be minimized. "We'd like to kill the possibility of ever sending a password over the Internet," said Clain Anderson, director of software at Lenovo and a FIDO Alliance member, via phone. "You can still use a password on the device, but then it relies on a cryptographic handshake" to validate a user with a site, and tailors authentication requirements to the perceived level of risk. "Checking your balance is one level of authentication. But using a brokerage account to move millions of dollars? That's a different level of authentication," he said.
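The handshake Anderson describes, as an added example that is neither the FIDO Alliance's code nor its specification: the password only unlocks a key pair held on the device, the site stores nothing but the public key, and each login is a signature over a fresh server challenge bound to the site's origin (Ed25519 and the origin-binding format are assumptions of this example):

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
)

// Authenticator models the user's device: the private key and local password stay here.
type Authenticator struct {
	priv ed25519.PrivateKey
	pin  string
}

// RPRecord is all the relying party stores: the public key, nothing an attacker could replay.
type RPRecord struct{ pub ed25519.PublicKey }

// Register creates a device-bound key pair; only the public half goes to the RP.
func Register(pin string) (*Authenticator, RPRecord, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, RPRecord{}, err
	}
	return &Authenticator{priv: priv, pin: pin}, RPRecord{pub: pub}, nil
}

// NewChallenge is the RP's fresh per-login nonce, so a captured response cannot be replayed.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// toSign binds the response to the RP's origin as well, so it is useless at another site.
func toSign(origin string, challenge []byte) []byte {
	return append([]byte(origin+"|"), challenge...)
}

// Sign runs on the device: the password only unlocks the key locally and never travels.
func (a *Authenticator) Sign(pin, origin string, challenge []byte) ([]byte, bool) {
	if subtle.ConstantTimeCompare([]byte(pin), []byte(a.pin)) != 1 {
		return nil, false // local unlock failed; nothing is sent to the RP
	}
	return ed25519.Sign(a.priv, toSign(origin, challenge)), true
}

// Verify runs at the RP, checking the response against the stored public key.
func (r RPRecord) Verify(origin string, challenge, sig []byte) bool {
	return ed25519.Verify(r.pub, toSign(origin, challenge), sig)
}
```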
Could the FIDO Alliance succeed? "Yes, I think they can succeed, but like anything else in the security standards/protocol space, it depends on a number of variables," said IDC's Hudson. "How many industry heavyweights will get behind FIDO? What is the actual market demand? What other options might emerge?"
FIDO will also require technology, financial services, governments, retail giants -- and any other business or organization that needs to authenticate people online -- to cooperate and collaborate at an unprecedented scale. "Will it happen? History says no, not at the level needed, but you never know," said Hudson. "Things change."