01:49 PM

Kill Passwords: Hassle-Free Substitute Wanted

Passwords keep proliferating, but do new technologies and approaches offer an alternative? Maybe.

Let's play the "who's got the most passwords?" game. Count PIN codes for mobile devices, ATM cards and, if you're European, credit cards. Then move to websites, including social networks, school records, e-commerce, banking, health insurance, ticket-buying, airlines and customer rewards.

What's your score? The average consumer today has about 25 passwords. Good luck remembering them all without writing some down.

The infuriating fact, furthermore, remains that despite our best efforts, the odds are stacked against people who must use passwords. Just one failure somewhere in a long chain of processes, involving poor encryption, crummy database security, password reuse, card skimmers with cameras or social engineers, can allow an attacker to bypass the security that passwords supposedly provide.

[ Will these new security tools really help? Read Security Tools Show Many Dots, Few Patterns. ]

In other words, passwords stink. "You would have to be living in a cave the past couple of years to not realize that passwords are next to useless as a security mechanism," said Sally Hudson, IDC's research director for identity and access management, via email.

Can passwords be replaced? Unfortunately, no one approach is going to overthrow the tyranny of password proliferation. "We're looking for a new way, we're looking for a new type of protection, and I don't think the industry has found it yet -- or at least, not just one answer," said Sean Brady, RSA's director of product marketing, speaking by phone.

In the future, however, businesses might be able to deemphasize passwords in favor of better intelligence. "Some solutions, like one-time passwords may work for certain segments, but where we think the industry is going -- not to throw around marketing terms -- but you're entering a world where notions of big data and analytics, and consuming all of the information that exists about us on the Web, and our histories, will all now be part of a risk profile," said Brady.

One proto-password-replacement example is RSA's Adaptive Authentication, which counts about 300 million end users -- largely banking customers -- and keeps a risk profile of each user (time of day they're logging in, device used, location, and so on) to determine how many different security questions the user must answer before being granted access.

But expanding that approach to the point where it might replace passwords altogether faces three big challenges. The first is "doing that in real time," Brady said. The second is accurately distinguishing between useful risk information and useless risk information -- and making sure you don't collect the latter -- and the third is automating the process enough to not create another administrative headache for information security managers.

Beyond building a better risk profile, another -- perhaps complementary -- approach is being advanced by the FIDO Alliance, which is creating an open standard that will let websites authenticate users with whatever is to hand: a biometric fingerprint reader on a user's PC, security questions, one-time passwords sent to smartphones, USB security tokens, voice recognition, two-factor authentication systems such as SecurID, Trusted Platform Modules (TPMs) built into PCs and so on. The elegance of this approach is that in the era of BYOD (bring your own device), FIDO is advancing an anything-goes, "authenticate with what you've got to hand" model.

Early FIDO participants include PayPal, Lenovo, Validity Sensors, Nok Nok Labs, Agnitio and Infineon, and they say their approach would secure every part of the authentication process, from client to server and back again. "There is no security standard today that addresses security from the ecosystem standpoint. It's not enough if you secure the client, or the server; a security link has to be end to end," said Ramesh Kesanupalli, VP of the FIDO Alliance, speaking by phone.

FIDO's backers also claim their framework would add minimal "friction" to the user experience. "Your identity and credentials remain on your device," said Sebastien Taveau, CTO of Validity Sensors and a FIDO Alliance board member, via phone. "What happens is the service provider or relaying party is going to ping you and say, 'We see that you have a FIDO token on your device; do you want to use it?'"

For everyone who might love to see passwords become extinct, the good news is that thanks to an approach such as FIDO, we may one day need fewer passwords. The bad news is that we'd still need passwords, for example to log into our PC. "I don't think passwords are going to go, even for FIDO," said Kesanupalli. "Passwords are a bootstrap to start the process."

Even so, password use could be minimized. "We'd like to kill the possibility of ever sending a password over the Internet," said Clain Anderson, director of software at Lenovo and a FIDO Alliance member, via phone. "You can still use a password on the device, but then it relies on a cryptographic handshake" to validate a user with a site, and tailors authentication requirements to the perceived level of risk. "Checking your balance is one level of authentication. But using a brokerage account to move millions of dollars? That's a different level of authentication," he said.

Could the FIDO Alliance succeed? "Yes, I think they can succeed, but like anything else in the security standards/protocol space, it depends on a number of variables," said IDC's Hudson. "How many industry heavyweights will get behind FIDO? What is the actual market demand? What other options might emerge?"

FIDO will also require technology, financial services, governments, retail giants -- and any other business or organization that needs to authenticate people online -- to cooperate and collaborate at an unprecedented scale. "Will it happen? History says no, not at the level needed, but you never know," said Hudson. "Things change."

Here's hoping.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Melanie Rodier
Melanie Rodier,
User Rank: Black Belt
3/5/2013 | 4:33:58 PM
re: Kill Passwords: Hassle-Free Substitute Wanted
Getting all these entities to collaborate does sound like a long shot. Still, the idea of being able to authenticate users with whatever is at hand is a great idea. Perhaps there will be a way that innovative vendors will enable this kind of technology to gradually catch on, while bypassing a broad high-level collaboration between government institutions and others. In any case, there really has to be a better way than having to remember a multitude of passwords and answering the same types of security questions (which often do not seem secure at all) when you forget a password.
Cara Latham
Cara Latham,
User Rank: Apprentice
3/4/2013 | 2:45:18 PM
re: Kill Passwords: Hassle-Free Substitute Wanted
Unfortunately, if FIDO really does require technology, financial services, and governments to cooperate to enable a password-free system, I don't think it will work out smoothly and efficiently. When government has to be involved in anything, it is a hurry up and wait situation. The only way I see large-scale cooperation occurring is if there is regulation enacting it, and if that is the case, it will be many years before this is put into place.
Register for Dark Reading Newsletters
White Papers
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-04-01
The PRNG implementation in the DNS resolver in Bionic in Android before 4.1.1 incorrectly uses time and PID information during the generation of random numbers for query ID values and UDP source ports, which makes it easier for remote attackers to spoof DNS responses by guessing these numbers, a rel...

Published: 2015-04-01
The default slapd configuration in the Debian openldap package 2.4.23-3 through 2.4.39-1.1 allows remote authenticated users to modify the user's permissions and other user attributes via unspecified vectors.

Published: 2015-04-01
OpenStack Compute (Nova) before 2014.1.4, 2014.2.x before 2014.2.3, and kilo before kilo-3 does not validate the origin of websocket requests, which allows remote attackers to hijack the authentication of users for access to consoles via a crafted webpage.

Published: 2015-04-01
The PRNG implementation in the DNS resolver in Mozilla Firefox (aka Fennec) before 37.0 on Android does not properly generate random numbers for query ID values and UDP source ports, which makes it easier for remote attackers to spoof DNS responses by guessing these numbers, a related issue to CVE-2...

Published: 2015-04-01
Mozilla Firefox before 37.0, Firefox ESR 31.x before 31.6, and Thunderbird before 31.6 allow remote attackers to bypass the Same Origin Policy and execute arbitrary JavaScript code with chrome privileges via vectors involving anchor navigation, a similar issue to CVE-2015-0818.

Dark Reading Radio
Archived Dark Reading Radio
Good hackers--aka security researchers--are worried about the possible legal and professional ramifications of President Obama's new proposed crackdown on cyber criminals.