01:49 PM

Kill Passwords: Hassle-Free Substitute Wanted

Passwords keep proliferating, but do new technologies and approaches offer an alternative? Maybe.

Let's play the "who's got the most passwords?" game. Count PIN codes for mobile devices, ATM cards and, if you're European, credit cards. Then move to websites, including social networks, school records, e-commerce, banking, health insurance, ticket-buying, airlines and customer rewards.

What's your score? The average consumer today has about 25 passwords. Good luck remembering them all without writing some down.

The infuriating fact, furthermore, remains that despite our best efforts, the odds are stacked against people who must use passwords. Just one failure somewhere in a long chain of processes, involving poor encryption, crummy database security, password reuse, card skimmers with cameras or social engineers, can allow an attacker to bypass the security that passwords supposedly provide.

[ Will these new security tools really help? Read Security Tools Show Many Dots, Few Patterns. ]

In other words, passwords stink. "You would have to be living in a cave the past couple of years to not realize that passwords are next to useless as a security mechanism," said Sally Hudson, IDC's research director for identity and access management, via email.

Can passwords be replaced? Unfortunately, no one approach is going to overthrow the tyranny of password proliferation. "We're looking for a new way, we're looking for a new type of protection, and I don't think the industry has found it yet -- or at least, not just one answer," said Sean Brady, RSA's director of product marketing, speaking by phone.

In the future, however, businesses might be able to deemphasize passwords in favor of better intelligence. "Some solutions, like one-time passwords may work for certain segments, but where we think the industry is going -- not to throw around marketing terms -- but you're entering a world where notions of big data and analytics, and consuming all of the information that exists about us on the Web, and our histories, will all now be part of a risk profile," said Brady.

One proto-password-replacement example is RSA's Adaptive Authentication, which counts about 300 million end users -- largely banking customers -- and keeps a risk profile of each user (time of day they're logging in, device used, location, and so on) to determine how many different security questions the user must answer before being granted access.

But expanding that approach to the point where it might replace passwords altogether faces three big challenges. The first is "doing that in real time," Brady said. The second is accurately distinguishing between useful risk information and useless risk information -- and making sure you don't collect the latter -- and the third is automating the process enough to not create another administrative headache for information security managers.

Beyond building a better risk profile, another -- perhaps complementary -- approach is being advanced by the FIDO Alliance, which is creating an open standard that will let websites authenticate users with whatever is to hand: a biometric fingerprint reader on a user's PC, security questions, one-time passwords sent to smartphones, USB security tokens, voice recognition, two-factor authentication systems such as SecurID, Trusted Platform Modules (TPMs) built into PCs and so on. The elegance of this approach is that in the era of BYOD (bring your own device), FIDO is advancing an anything-goes, "authenticate with what you've got to hand" model.

Early FIDO participants include PayPal, Lenovo, Validity Sensors, Nok Nok Labs, Agnitio and Infineon, and they say their approach would secure every part of the authentication process, from client to server and back again. "There is no security standard today that addresses security from the ecosystem standpoint. It's not enough if you secure the client, or the server; a security link has to be end to end," said Ramesh Kesanupalli, VP of the FIDO Alliance, speaking by phone.

FIDO's backers also claim their framework would add minimal "friction" to the user experience. "Your identity and credentials remain on your device," said Sebastien Taveau, CTO of Validity Sensors and a FIDO Alliance board member, via phone. "What happens is the service provider or relaying party is going to ping you and say, 'We see that you have a FIDO token on your device; do you want to use it?'"

For everyone who might love to see passwords become extinct, the good news is that thanks to an approach such as FIDO, we may one day need fewer passwords. The bad news is that we'd still need passwords, for example to log into our PC. "I don't think passwords are going to go, even for FIDO," said Kesanupalli. "Passwords are a bootstrap to start the process."

Even so, password use could be minimized. "We'd like to kill the possibility of ever sending a password over the Internet," said Clain Anderson, director of software at Lenovo and a FIDO Alliance member, via phone. "You can still use a password on the device, but then it relies on a cryptographic handshake" to validate a user with a site, and tailors authentication requirements to the perceived level of risk. "Checking your balance is one level of authentication. But using a brokerage account to move millions of dollars? That's a different level of authentication," he said.

Could the FIDO Alliance succeed? "Yes, I think they can succeed, but like anything else in the security standards/protocol space, it depends on a number of variables," said IDC's Hudson. "How many industry heavyweights will get behind FIDO? What is the actual market demand? What other options might emerge?"

FIDO will also require technology, financial services, governments, retail giants -- and any other business or organization that needs to authenticate people online -- to cooperate and collaborate at an unprecedented scale. "Will it happen? History says no, not at the level needed, but you never know," said Hudson. "Things change."

Here's hoping.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Melanie Rodier
Melanie Rodier,
User Rank: Black Belt
3/5/2013 | 4:33:58 PM
re: Kill Passwords: Hassle-Free Substitute Wanted
Getting all these entities to collaborate does sound like a long shot. Still, the idea of being able to authenticate users with whatever is at hand is a great idea. Perhaps there will be a way that innovative vendors will enable this kind of technology to gradually catch on, while bypassing a broad high-level collaboration between government institutions and others. In any case, there really has to be a better way than having to remember a multitude of passwords and answering the same types of security questions (which often do not seem secure at all) when you forget a password.
Cara Latham
Cara Latham,
User Rank: Apprentice
3/4/2013 | 2:45:18 PM
re: Kill Passwords: Hassle-Free Substitute Wanted
Unfortunately, if FIDO really does require technology, financial services, and governments to cooperate to enable a password-free system, I don't think it will work out smoothly and efficiently. When government has to be involved in anything, it is a hurry up and wait situation. The only way I see large-scale cooperation occurring is if there is regulation enacting it, and if that is the case, it will be many years before this is put into place.
13 Russians Indicted for Massive Operation to Sway US Election
Kelly Sheridan, Associate Editor, Dark Reading,  2/16/2018
From DevOps to DevSecOps: Structuring Communication for Better Security
Robert Hawk, Privacy & Security Lead at xMatters,  2/15/2018
Facebook Aims to Make Security More Social
Kelly Sheridan, Associate Editor, Dark Reading,  2/20/2018
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
How to Cope with the IT Security Skills Shortage
Most enterprises don't have all the in-house skills they need to meet the rising threat from online attackers. Here are some tips on ways to beat the shortage.
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.