Risk
3/1/2013
01:49 PM
Connect Directly
RSS
E-Mail
50%
50%

Kill Passwords: Hassle-Free Substitute Wanted

Passwords keep proliferating, but do new technologies and approaches offer an alternative? Maybe.

Let's play the "who's got the most passwords?" game. Count PIN codes for mobile devices, ATM cards and, if you're European, credit cards. Then move to websites, including social networks, school records, e-commerce, banking, health insurance, ticket-buying, airlines and customer rewards.

What's your score? The average consumer today has about 25 passwords. Good luck remembering them all without writing some down.

The infuriating fact, furthermore, remains that despite our best efforts, the odds are stacked against people who must use passwords. Just one failure somewhere in a long chain of processes, involving poor encryption, crummy database security, password reuse, card skimmers with cameras or social engineers, can allow an attacker to bypass the security that passwords supposedly provide.

[ Will these new security tools really help? Read Security Tools Show Many Dots, Few Patterns. ]

In other words, passwords stink. "You would have to be living in a cave the past couple of years to not realize that passwords are next to useless as a security mechanism," said Sally Hudson, IDC's research director for identity and access management, via email.

Can passwords be replaced? Unfortunately, no one approach is going to overthrow the tyranny of password proliferation. "We're looking for a new way, we're looking for a new type of protection, and I don't think the industry has found it yet -- or at least, not just one answer," said Sean Brady, RSA's director of product marketing, speaking by phone.

In the future, however, businesses might be able to deemphasize passwords in favor of better intelligence. "Some solutions, like one-time passwords may work for certain segments, but where we think the industry is going -- not to throw around marketing terms -- but you're entering a world where notions of big data and analytics, and consuming all of the information that exists about us on the Web, and our histories, will all now be part of a risk profile," said Brady.

One proto-password-replacement example is RSA's Adaptive Authentication, which counts about 300 million end users -- largely banking customers -- and keeps a risk profile of each user (time of day they're logging in, device used, location, and so on) to determine how many different security questions the user must answer before being granted access.

But expanding that approach to the point where it might replace passwords altogether faces three big challenges. The first is "doing that in real time," Brady said. The second is accurately distinguishing between useful risk information and useless risk information -- and making sure you don't collect the latter -- and the third is automating the process enough to not create another administrative headache for information security managers.

Beyond building a better risk profile, another -- perhaps complementary -- approach is being advanced by the FIDO Alliance, which is creating an open standard that will let websites authenticate users with whatever is to hand: a biometric fingerprint reader on a user's PC, security questions, one-time passwords sent to smartphones, USB security tokens, voice recognition, two-factor authentication systems such as SecurID, Trusted Platform Modules (TPMs) built into PCs and so on. The elegance of this approach is that in the era of BYOD (bring your own device), FIDO is advancing an anything-goes, "authenticate with what you've got to hand" model.

Early FIDO participants include PayPal, Lenovo, Validity Sensors, Nok Nok Labs, Agnitio and Infineon, and they say their approach would secure every part of the authentication process, from client to server and back again. "There is no security standard today that addresses security from the ecosystem standpoint. It's not enough if you secure the client, or the server; a security link has to be end to end," said Ramesh Kesanupalli, VP of the FIDO Alliance, speaking by phone.

FIDO's backers also claim their framework would add minimal "friction" to the user experience. "Your identity and credentials remain on your device," said Sebastien Taveau, CTO of Validity Sensors and a FIDO Alliance board member, via phone. "What happens is the service provider or relaying party is going to ping you and say, 'We see that you have a FIDO token on your device; do you want to use it?'"

For everyone who might love to see passwords become extinct, the good news is that thanks to an approach such as FIDO, we may one day need fewer passwords. The bad news is that we'd still need passwords, for example to log into our PC. "I don't think passwords are going to go, even for FIDO," said Kesanupalli. "Passwords are a bootstrap to start the process."

Even so, password use could be minimized. "We'd like to kill the possibility of ever sending a password over the Internet," said Clain Anderson, director of software at Lenovo and a FIDO Alliance member, via phone. "You can still use a password on the device, but then it relies on a cryptographic handshake" to validate a user with a site, and tailors authentication requirements to the perceived level of risk. "Checking your balance is one level of authentication. But using a brokerage account to move millions of dollars? That's a different level of authentication," he said.

Could the FIDO Alliance succeed? "Yes, I think they can succeed, but like anything else in the security standards/protocol space, it depends on a number of variables," said IDC's Hudson. "How many industry heavyweights will get behind FIDO? What is the actual market demand? What other options might emerge?"

FIDO will also require technology, financial services, governments, retail giants -- and any other business or organization that needs to authenticate people online -- to cooperate and collaborate at an unprecedented scale. "Will it happen? History says no, not at the level needed, but you never know," said Hudson. "Things change."

Here's hoping.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Melanie Rodier
50%
50%
Melanie Rodier,
User Rank: Apprentice
3/5/2013 | 4:33:58 PM
re: Kill Passwords: Hassle-Free Substitute Wanted
Getting all these entities to collaborate does sound like a long shot. Still, the idea of being able to authenticate users with whatever is at hand is a great idea. Perhaps there will be a way that innovative vendors will enable this kind of technology to gradually catch on, while bypassing a broad high-level collaboration between government institutions and others. In any case, there really has to be a better way than having to remember a multitude of passwords and answering the same types of security questions (which often do not seem secure at all) when you forget a password.
Cara Latham
50%
50%
Cara Latham,
User Rank: Apprentice
3/4/2013 | 2:45:18 PM
re: Kill Passwords: Hassle-Free Substitute Wanted
Unfortunately, if FIDO really does require technology, financial services, and governments to cooperate to enable a password-free system, I don't think it will work out smoothly and efficiently. When government has to be involved in anything, it is a hurry up and wait situation. The only way I see large-scale cooperation occurring is if there is regulation enacting it, and if that is the case, it will be many years before this is put into place.
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0174
Published: 2014-07-11
Cumin (aka MRG Management Console), as used in Red Hat Enterprise MRG 2.5, does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.

CVE-2014-3485
Published: 2014-07-11
The REST API in the ovirt-engine in oVirt, as used in Red Hat Enterprise Virtualization (rhevm) 3.4, allows remote authenticated users to read arbitrary files and have other unspecified impact via unknown vectors, related to an XML External Entity (XXE) issue.

CVE-2014-3499
Published: 2014-07-11
Docker 1.0.0 uses world-readable and world-writable permissions on the management socket, which allows local users to gain privileges via unspecified vectors.

CVE-2014-3503
Published: 2014-07-11
Apache Syncope 1.1.x before 1.1.8 uses weak random values to generate passwords, which makes it easier for remote attackers to guess the password via a brute force attack.

CVE-2014-3991
Published: 2014-07-11
Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr ERP/CRM 3.5.3 allow remote attackers to inject arbitrary web script or HTML via the (1) dol_use_jmobile, (2) dol_optimize_smallscreen, (3) dol_no_mouse_hover, (4) dol_hide_topmenu, (5) dol_hide_leftmenu, (6) mainmenu, or (7) leftmenu pa...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Marilyn Cohodas and her guests look at the evolving nature of the relationship between CIO and CSO.