Operations // Identity & Access Management

Why FIDO Alliance Standards Will Kill Passwords

50%
50%

Bill Gates predicted the demise of passwords more than a decade ago. But the FIDO Alliance believes its proposed new authentication standards are a game changer that will transform the computing landscape in just three years. Phillip Dunkelberger, President & CEO of Nok Nok Labs, tells why he believes that the time is finally ripe for a password-free computing experience.

Comment  | 
Print  | 
Comments
Threaded  |  Newest First  |  Oldest First
Marilyn Cohodas
100%
0%
Marilyn Cohodas,
User Rank: Strategist
2/18/2014 | 4:14:40 PM
Couldn't happen too soon!
Phil, I doubt that there's a consumer or IT person on this planet that doesn't pray for the day that passwords will be replaced with a manageable autentication process. But what are some of the hurdles that the industry has to overcome to reach that point? Is there broadbased agreement on the FIDO standards or are there competing technologies or ideas?  
ANON1241486907214
100%
0%
ANON1241486907214,
User Rank: Apprentice
2/21/2014 | 9:56:36 AM
Re: Couldn't happen too soon!
Can imagine what technology would make private keys safe. At least with passwords, the NSA has to spend some effort in guessing or intercepting them.  Any kind of centralized system  would immediately fall prey to government security agencies, and eventually to other players.
Spaz
0%
100%
Spaz,
User Rank: Apprentice
2/22/2014 | 5:02:05 PM
Re: Couldn't happen too soon!
passwords especially corporate passwords are a complete pia. it's frustrating how the passwords have to be changed so often and how they have to fall within certain parameters eg. 8 charaters, has to containt this and that, etc. until another worthy solution is provided, we all need fingerprint readers instead. this will certainly help both the IT admins and employees as well.
SeanKelly
50%
50%
SeanKelly,
User Rank: Apprentice
2/26/2014 | 5:26:39 PM
Re: Couldn't happen too soon!
I agree with your comment on corporate passwords but I disagree strongly with the comment on fingerprints. Fingerprints are not a password replacement. Fingerprints are usernames. Fingerprints aren't secret, you leave them everywhere and you can't change them (easily) when they have been compromised. Fingerprints should never be used as passwords.
Spaz
50%
50%
Spaz,
User Rank: Apprentice
2/26/2014 | 10:46:49 PM
Re: Couldn't happen too soon!
Nothing is infallible I suppose. While I don't know the technical aspects of fingerprint readers.  Apple feels very good about fingerprint scanners and so does Samsung. They both allow you to access your device with the fingerprint scanner. I imagine that one would have to get some training in how to pick up fingerprint. You'd need to buy fingerprint kits as well. I am definitely not for retina scanners since they have a lot of radiation. 
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
2/27/2014 | 8:31:38 AM
Re: Couldn't happen too soon!
Hi Spaz! I just gor my new iPhone with the biometric fingerprint reader. So I can tell you first hand how user friendly it is. Stay tuned!
windk
50%
50%
windk,
User Rank: Apprentice
3/19/2014 | 4:29:35 PM
Re: Couldn't happen too soon!
A good fiction (but apparently soon to be non-fiction) read about this is Dave Eggers' The Circle : "The Circle, run out of a sprawling California campus, links users' personal emails, social media, banking, and purchasing with their universal operating system, resulting in one online identity and a new age of civility and transparency." (Alfred A. Knopf, 2013).
djameson910
100%
0%
djameson910,
User Rank: Apprentice
2/20/2014 | 3:22:42 PM
Stolen Device
So, if someone steals my device, they have access to all my stuff?  How does my device know me from an interloper?
DonT733
50%
50%
DonT733,
User Rank: Apprentice
3/31/2014 | 8:02:10 PM
Just wondering when the FIDO Presentation might have some more content.
In a word, the presentation just affirmed VPN certificates with passwords to unlock them.  Thanks for revisiting private password key stores for the protection of digital certificates.  Is there any more content?

Passwords are not good, there just cheap.  My MacBook Air Pro, due to flashram drives acheived 6 billion password combinations per second in August of 2013.  This pretty much means passwords less than 12 places with full complexity have less than 50/50 odds to remain uncracked in less than 90 days.  

Please send IT Auditors to me.  I want to present what I have and am offerring a voluntary pledge.  "I will never again claim that an 8 place password is an adequate security meaure."  For those that must use only numbers in their passwords, 18 places are needed to compensate for the lack of complexity.  At least, so says my Mac -- running a Windows 7 VM running John the Ripper at 6 Billion Combinations per Second, while the Mac side runs AV and edits word simultaniously.

You know, the second factor tool account password cracked and the full Pen Test Check Mate of their Domain Controller fell out rather quickly after that.

Yes, I would say that 8 place passwords are closer to public endangerment rather than InfoSec security.    

 

 

 

 

 

 
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3345
Published: 2014-08-28
The web framework in Cisco Transport Gateway for Smart Call Home (aka TG-SCH or Transport Gateway Installation Software) 4.0 does not properly check authorization for administrative web pages, which allows remote attackers to modify the product via a crafted URL, aka Bug ID CSCuq31503.

CVE-2014-3347
Published: 2014-08-28
Cisco IOS 15.1(4)M2 on Cisco 1800 ISR devices, when the ISDN Basic Rate Interface is enabled, allows remote attackers to cause a denial of service (device hang) by leveraging knowledge of the ISDN phone number to trigger an interrupt timer collision during entropy collection, leading to an invalid s...

CVE-2014-4199
Published: 2014-08-28
vm-support 0.88 in VMware Tools, as distributed with VMware Workstation through 10.0.3 and other products, allows local users to write to arbitrary files via a symlink attack on a file in /tmp.

CVE-2014-4200
Published: 2014-08-28
vm-support 0.88 in VMware Tools, as distributed with VMware Workstation through 10.0.3 and other products, uses 0644 permissions for the vm-support archive, which allows local users to obtain sensitive information by extracting files from this archive.

CVE-2014-0761
Published: 2014-08-27
The DNP3 driver in CG Automation ePAQ-9410 Substation Gateway allows remote attackers to cause a denial of service (infinite loop or process crash) via a crafted TCP packet.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.