Operations // Identity & Access Management
11/18/2013
09:06 AM

Authentication + Mobile Phone = Password Killer

Can the smartphone free us from the drudgery of the much-despised password? There's good reason to hope.

It is arguably the Internet's most common problem: how to simplify authentication. The much-abused password is still the most prevalent way we identify ourselves -- via mobile devices and otherwise. But it's definitely showing its age.

Passwords were introduced to modern computing nearly 50 years ago. Their initial purpose was to control access to key functions on mainframe computers, and they've remained a constant up through the present day. The reason for this -- surprising as it seems -- is that, at some level, they work.

They are also the lowest common security denominator for the online places we regularly visit. We've all been trained by banks, credit card companies, Internet service providers, and social media sites to construct passwords or phrases of varying levels of complexity, often accompanied by additional questions to verify our memorable dates, secret words, mother's dog's maiden name, and the rest.

Passwords are the problem

The problem is that passwords can no longer scale. It's become impossible to create memorable, strong, unique passwords for the broad range of sites with which we interact, so we don't. Instead, we rely on one or a small number of strongish passwords to suit the unique and maddeningly complex rules created by websites that seem to want to make it extremely difficult to consume services and buy products.

It’s not just users who are frustrated. Though companies are eager to make authentication as streamlined as possible, commercial security tools seem to create as many problems as they purport to solve. They add costs such as hardware tokens, create steps for users, invade privacy, and could compromise the solution's security profile.

Worse, if the weakest point in a web infrastructure is the password, then there is considerable benefit in hacking these large-scale password databases. The list of compromised passwords is endless -- from LinkedIn, Yahoo, Evernote, Sony, and many more. Criminals know that, if they have your username and password from one site, there's a better than good chance it will work across other sites. The online banking account, email provider, or any other sites that you allow to build an identity for you will soon wish they didn't have it.

What's the answer? Many of you probably have had some experience with two-factor or multifactor authentication, a security technique recently adopted by Twitter, DropBox, Gmail, and others with some success. The problem with two-factor authentication is that it doesn't scale -- for the same reason people can't be expected to recall 20-30 unique passwords. Who can remember to carry a hardware token with them all the time to log in to the dozens of sites they regularly visit?

Smartphones to the rescue

But here's the good news. Today we all carry a mobile phone. Increasingly, in the United States and Western Europe at least, this device is likely to be a smartphone. What these devices offer is a range of ways to strongly authenticate ourselves both to the local device and to the Internet services we want to access. A good example of this is the latest Apple iPhone: we now have a fingerprint sensor (Touch ID) in a mass-market smartphone.

This is not just about fingerprint sensors, though industry reports state that Tier 1 device manufacturers will have this feature by the end of 2014. It is about everything else that is present in smartphones. You have increasingly powerful cameras and microphones supporting voice and face recognition. You also have a range of additional capabilities -- GPS, for instance -- that can be used as part of the authentication process to determine if the user is in a normal location.

Last, but not least, is the fact that most device manufacturers have invested in secure elements and trusted execution environments. These are hardware- and software-based secure storage areas and operating systems that allow a credential to be created and stored securely on the device. An example of this would be the TrustZone® architecture from ARM. These allow us to give a smartphone a level of trust similar to that of a smart card, which is crucial in meeting the business risk of payment services providers, insurance companies, and government agencies.
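As an added illustration (not code from the article, nor from Nok Nok or any product it mentions), here is a minimal server-side model of the scheme the last three paragraphs describe: a device proves it still holds a credential created at enrolment by answering a fresh one-time challenge, and the server combines that possession proof with a location signal to decide whether to allow the login outright, ask for a local step-up (the fingerprint or PIN), or refuse. Assumptions: the device-bound key is modelled as a per-device HMAC secret that the server also holds (a real secure element or TEE would hold an asymmetric private key and export only the public half), the device identifier, key bytes and region codes are constructed sample values, and the region string stands in for a coarse GPS-derived location.

```python
"""Device-bound challenge-response plus a location check (illustrative)."""
import hashlib
import hmac
import secrets
import time

# Constructed enrolment record. Assumption: the secure-element key is modelled
# as a symmetric secret shared with the server; production designs use a key
# pair so the server never holds anything that can impersonate the device.
ENROLLED_DEVICES = {
    "device-A1": {
        "user": "alice",
        "key": bytes.fromhex("3f" * 32),    # constructed sample secret
        "usual_regions": {"GB", "FR"},      # where this user normally logs in
    },
}

CHALLENGE_TTL = 60      # seconds a challenge stays valid
_issued = {}            # nonce -> (device_id, issued_at); each nonce answered once


def issue_challenge(device_id, now=None):
    """Server side: hand the device a fresh random nonce bound to it."""
    now = time.time() if now is None else now
    nonce = secrets.token_bytes(16)
    _issued[nonce] = (device_id, now)
    return nonce


def device_sign(key, nonce):
    """Device side: what the secure element would compute over the nonce."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def verify_response(device_id, nonce, response, now=None):
    """Server side: accept only an outstanding, unexpired nonce signed with the enrolled key."""
    now = time.time() if now is None else now
    issued = _issued.pop(nonce, None)   # pop so a captured response cannot be replayed
    if issued is None or issued[0] != device_id:
        return False
    if now - issued[1] > CHALLENGE_TTL:
        return False
    expected = device_sign(ENROLLED_DEVICES[device_id]["key"], nonce)
    return hmac.compare_digest(expected, response)   # constant-time comparison


def decide(device_id, nonce, response, observed_region, now=None):
    """Combine the possession proof with the location signal.

    'deny'    - unknown device, bad signature, expired or replayed challenge
    'allow'   - valid proof from a region the user normally logs in from
    'step_up' - valid proof but unusual region: ask for the local biometric/PIN
    """
    if device_id not in ENROLLED_DEVICES:
        return "deny"
    if not verify_response(device_id, nonce, response, now):
        return "deny"
    if observed_region in ENROLLED_DEVICES[device_id]["usual_regions"]:
        return "allow"
    return "step_up"


if __name__ == "__main__":
    key = ENROLLED_DEVICES["device-A1"]["key"]
    n = issue_challenge("device-A1")
    print(decide("device-A1", n, device_sign(key, n), "GB"))   # allow
    n = issue_challenge("device-A1")
    print(decide("device-A1", n, device_sign(key, n), "BR"))   # step_up
    print(decide("device-A1", n, device_sign(key, n), "GB"))   # deny: nonce already used
```

The location check only ever escalates, never replaces, the possession proof: a login from a usual region with a bad or replayed signature is still refused, which is the property that makes the GPS signal safe to use as a convenience rather than as a factor in its own right.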

With all these advantages, freedom from password drudgery is no longer an impossible dream. Let's chat about how to make this vision of a secure and simple web authentication process our new reality.

Comments
J_Brandt
User Rank: Apprentice
11/29/2013 | 3:19:21 PM
Re: Smartphones as passwords
SecurID and others created soft tokens for smartphones so you wouldn't have to carry around a physical token. But there are lots of other ways a smartphone can create adaptive security measures. Using the GPS, it knows where you are and so geolocation can be added as a double check. You're in your office? No need to enhance security. Trying to access material from outside the country? Hmm, maybe we need to challenge you some more.
Alex Kane Rudansky
User Rank: Apprentice
11/19/2013 | 4:43:35 PM
Healthcare
The password dilemma is seen in every industry, and has been growing in the healthcare industry with the rapid adoption of electronic health records and other technologies that deal with sensitive data and patient information. There's pushback from physicians who don't want to be required to enter multiple passwords for different systems. I can see the Touch ID method as a viable option in the healthcare industry as so many docs move from desktops to mobile platforms (BYOD, etc.).
LarsA400
User Rank: Apprentice
11/19/2013 | 5:24:30 AM
Dream is realized!
This is of course the route to go, using the mobile device as the "password killer".

Here is an example of a very good implementation.

A year ago mobile bankID was launched in Sweden and it's already a big success. More and more services, especially financial (like mobile banking/insurance) and governmental/municipal services (like tax services) are using mobile bankID for authentication.

Success factors: it's very easy to use (easier than banks' hardware tokens), it's very fast and it's of course very secure; banks in Sweden say it's even more secure than the special hardware tokens...

...and it's maybe the most cost-effective authentication solution out there (compared with hardware tokens, OTPs via text message/special scratch cards, PC certificates, etc.).
devinlk
User Rank: Apprentice
11/18/2013 | 5:59:35 PM
Re: Smartphones as passwords
LaunchKey (a member of FIDO along with Nok Nok) has this technology available today. Multi-factor authentication utilizing our smartphones is already here: https://launchkey.com/app/demo

You can log in to any site that supports OpenID or has integrated LaunchKey directly with our plugins and SDKs (like our Dashboard). Let me know if you have any questions.

P.S. Nice article, Phil!
Laurianne
User Rank: Apprentice
11/18/2013 | 4:17:22 PM
Re: Smartphones as passwords
I love the idea of smartphone as password too, except the GPS bit scares me a bit. We already get those calls from the bank when we travel and try to do debit card purchases in an unusual locale. That's a tricky balance: you don't want someone raiding your account but you want the ATM card to work on that quick trip. Are password / ID calls next?
dblake950
User Rank: Apprentice
11/18/2013 | 11:28:58 AM
Re: Smartphones as passwords
Wow, we were just discussing the problem with passwords over the weekend around the Facebook story (http://is.gd/h1gYOb), and voila, info on another approach!
Marilyn Cohodas
User Rank: Strategist
11/18/2013 | 11:26:16 AM
Re: Smartphones as passwords -Woof Woof (FIDO)
Thanks for calling FIDO to our attention, Dave! Here's more on the standards and how they work.
dak3
User Rank: Apprentice
11/18/2013 | 11:20:01 AM
Re: Smartphones as passwords
This is a real dog of an idea. Well, FIDO, to be precise. The FIDO Alliance wants to eliminate passwords through mobile/smartphone technology. With members like Google, MasterCard, PayPal, and dozens more, they've got a good chance of pulling this off.
But Phil knows this :), Nok Nok was a founding member.
Jamescon
User Rank: Apprentice
11/18/2013 | 9:53:44 AM
Re: Smartphones as passwords
Killing passwords is a dream for me. All of us use dozens of websites and apps every week, each requiring its own password and user name. I don't consider the stack of legal sheets and scrap paper covered with my various user names and passwords (of course with the site name) to meet even the basic standard for infosecurity. So, anything that the mobile phone can do to eliminate passwords gets my vote.
macsgreg
User Rank: Apprentice
11/18/2013 | 9:50:34 AM
Yes, passwords blow
Finding a way to use a mobile phone for authentication is a great idea. Users are almost always the weakest link in the security chain because users hate passwords... period.