Operations // Identity & Access Management

11/18/2013 09:06 AM
Authentication + Mobile Phone = Password Killer

Can the smartphone free us from the drudgery of the much-despised password? There's good reason to hope.

It is arguably the Internet's most common problem: how to simplify authentication. The much-abused password is still the most prevalent way we identify ourselves -- via mobile devices and otherwise. But it's definitely showing its age.

Passwords were introduced to modern computing nearly 50 years ago. Their initial purpose was to control access to key functions on mainframe computers, and they've remained a constant up through the present day. The reason for this -- surprising as it seems -- is that, at some level, they work.

They are also the lowest common security denominator for the online places we regularly visit. We've all been trained by banks, credit card companies, Internet service providers, and social media sites to construct passwords or phrases of varying levels of complexity, often accompanied by additional questions to verify our memorable dates, secret words, mother's dog's maiden name, and the rest.

Passwords are the problem

The problem is that passwords can no longer scale. It's become impossible to create memorable, strong, unique passwords for the broad range of sites with which we interact, so we don't. Instead, we rely on one or a handful of reasonably strong passwords, bent to fit the unique and maddeningly complex rules created by websites that seem to want to make it extremely difficult to consume services and buy products.

It's not just users who are frustrated. Though companies are eager to make authentication as streamlined as possible, commercial security tools seem to create as many problems as they purport to solve. They add costs such as hardware tokens, add steps for users, invade privacy, and can even weaken the solution's own security.

Worse, if the weakest point in a web infrastructure is the password, then attackers have every incentive to go after these large-scale password databases. The list of compromised password stores is endless -- LinkedIn, Yahoo, Evernote, Sony, and many more. Criminals know that, if they have your username and password from one site, there's a better than good chance it will work across other sites. Your online bank, your email provider, and any other site you've allowed to build an identity around you will soon wish they hadn't.

What's the answer? Many of you probably have had some experience with two-factor or multifactor authentication, a security technique recently adopted by Twitter, Dropbox, Gmail, and others with some success. The problem with two-factor authentication is that it doesn't scale either -- and for the same reason people can't be expected to recall 20-30 unique passwords. Who can remember to carry a hardware token with them all the time to log in to the dozens of sites they regularly visit?

Smartphones to the rescue

But here's the good news. Today we all carry a mobile phone. Increasingly, in the United States and Western Europe at least, this device is likely to be a smartphone. What these devices offer is a range of ways to strongly authenticate ourselves to both the local device and the Internet services we want to access. A good example of this is the latest Apple iPhone: we now have a fingerprint sensor (Touch ID) in a mass-market smartphone.

This is not just about fingerprint sensors, though industry reports state that Tier 1 device manufacturers will have this feature by the end of 2014. It is about everything else that is present in smartphones. You have increasingly powerful cameras and microphones supporting voice and face recognition. You also have a range of additional capabilities -- GPS, for instance -- that can be used as part of the authentication process to determine whether the user is in a usual location.

Last, but not least, is the fact that most device manufacturers have invested in secure elements and trusted execution environments. These are hardware- and software-based secure storage areas and operating systems that allow a credential to be created and stored securely on the device. An example of this would be the TrustZone® architecture from ARM. These allow us to give a smartphone a level of trust similar to a smart card's, which is crucial in meeting the business risk of payment services providers, insurance companies, and government agencies.
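To make the two ideas above concrete (a credential that lives on the device and is never sent over the wire, plus location as a risk signal rather than a hard gate), here is an added example that is not from the original article or any vendor mentioned in it. It models a challenge-response login: the server issues a random, single-use, short-lived challenge; the phone answers with a signature computed from a key held on the device; the server verifies the signature and then compares the reported GPS position with the user's usual location, asking for step-up authentication when the distance is unusual. The `Device`, `AuthServer` and `UserProfile` names, the 500 km threshold, the 60-second challenge lifetime and the coordinates are all constructed for the example. For simplicity the device key is a symmetric HMAC key that the server also holds; a real secure element would generate an asymmetric key pair and export only the public half, which is the property that makes breaches of the server's credential store far less useful to an attacker.

```python
import hashlib
import hmac
import math
import secrets
import time
from dataclasses import dataclass, field


class Device:
    """Toy stand-in for a phone whose credential lives in a secure element:
    the secret is created on the device and only signatures over
    server-issued challenges ever leave it."""

    def __init__(self, device_id: str):
        self.device_id = device_id
        # Constructed at enrollment. A real secure element would hold an
        # asymmetric key and hand out only the public half.
        self._key = secrets.token_bytes(32)

    def enrollment_record(self) -> bytes:
        # Symmetric toy model: the server stores a copy of the key.
        return self._key

    def sign_challenge(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


@dataclass
class UserProfile:
    device_id: str
    device_key: bytes
    home_lat: float
    home_lon: float
    pending: dict = field(default_factory=dict)  # challenge -> expiry time


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    earth_radius_km = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(a))


class AuthServer:
    CHALLENGE_TTL_S = 60      # challenges are single-use and expire quickly
    MAX_NORMAL_KM = 500.0     # farther than this from home triggers step-up

    def __init__(self):
        self.users = {}

    def enroll(self, user, device, home_lat, home_lon):
        self.users[user] = UserProfile(device.device_id, device.enrollment_record(),
                                       home_lat, home_lon)

    def issue_challenge(self, user, now=None):
        now = time.time() if now is None else now
        challenge = secrets.token_bytes(32)
        self.users[user].pending[challenge] = now + self.CHALLENGE_TTL_S
        return challenge

    def verify(self, user, challenge, response, lat, lon, now=None):
        """Return 'allowed', 'step-up' or 'denied'."""
        now = time.time() if now is None else now
        profile = self.users.get(user)
        if profile is None:
            return "denied"
        # Consume the challenge first: a replayed or guessed response never
        # gets a second try against the same challenge.
        expiry = profile.pending.pop(challenge, None)
        if expiry is None or now > expiry:
            return "denied"
        expected = hmac.new(profile.device_key, challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            return "denied"
        # Location is a risk signal, not proof of identity: an unusual
        # position asks for a second factor instead of rejecting outright.
        if haversine_km(profile.home_lat, profile.home_lon, lat, lon) > self.MAX_NORMAL_KM:
            return "step-up"
        return "allowed"


if __name__ == "__main__":
    server = AuthServer()
    phone = Device("phone-1")
    server.enroll("alice", phone, 51.5074, -0.1278)   # constructed: London
    c = server.issue_challenge("alice")
    print(server.verify("alice", c, phone.sign_challenge(c), 51.51, -0.12))
```

The replay and expiry checks matter as much as the signature: without them a captured response could be resent later, which is exactly the weakness that makes stolen password databases reusable.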

With all these advantages, freedom from password drudgery is no longer an impossible dream. Let's chat about how to make this vision of a secure and simple web authentication process our new reality.

Comments
Marilyn Cohodas,
User Rank: Strategist
11/18/2013 | 9:44:36 AM
Smartphones as passwords
Phil, I love the idea of smartphones as a password killer, and the idea of using existing functions like cameras and GPS in the authentication process is very exciting. Do you have examples where this is already being implemented or piloted?