Dark Reading is part of the Informa Tech Division of Informa PLC



11/18/2013
09:06 AM

Authentication + Mobile Phone = Password Killer

Can the smartphone free us from the drudgery of the much-despised password? There's good reason to hope.

It is arguably the Internet's most common problem: how to simplify authentication. The much-abused password is still the most prevalent way we identify ourselves -- via mobile devices and otherwise. But it's definitely showing its age.

Passwords were introduced to modern computing nearly 50 years ago. Their initial purpose was to control access to key functions on mainframe computers, and they've remained a constant up through the present day. The reason for this -- surprising as it seems -- is that, at some level, they work.

They are also the lowest common security denominator for the online places we regularly visit.  We've all been trained by banks, credit card companies, Internet service providers, and social media sites to construct passwords or phrases of varying levels of complexity, often accompanied by additional questions to verify our memorable dates, secret words, mother's dog's maiden name, and the rest.

Passwords are the problem

The problem is that passwords can no longer scale. It's become impossible to create memorable, strong, unique passwords for the broad range of sites with which we interact, so we don't. Instead, we rely on one or a small number of strongish passwords to suit the unique and maddeningly complex rules created by websites that seem to want to make it extremely difficult to consume services and buy products.

It’s not just users who are frustrated. Though companies are eager to make authentication as streamlined as possible, commercial security tools seem to create as many problems as they purport to solve. They add costs such as hardware tokens, create steps for users, invade privacy, and could compromise the solution's security profile.

Worse, if the weakest point in a web infrastructure is the password, then there is considerable benefit in hacking these large-scale password databases. The list of compromised passwords is endless -- from LinkedIn, Yahoo, Evernote, Sony, and many more. Criminals know that, if they have your username and password from one site, there's a better than good chance it will work across other sites. The online banking account, email provider, or any other sites that you allow to build an identity for you will soon wish they didn't have it.

What's the answer? Many of you probably have had some experience with two-factor or multifactor authentication, a security technique recently adopted by Twitter, Dropbox, Gmail, and others with some success. The problem with two-factor authentication is that it doesn’t scale -- and for the same reason people can't be expected to recall 20-30 unique passwords. Who can remember to carry a hardware token with them all the time to log in to the dozens of sites they regularly visit?

Smartphones to the rescue

But here's the good news. Today we all carry a mobile phone. Increasingly, in the United States and Western Europe at least, this device is likely to be a smartphone. What these devices offer is a range of ways to strongly authenticate ourselves to both the local device and to the Internet services we want to access. A good example of this is the latest Apple iPhone. We now have a fingerprint sensor (Touch ID) in a mass-market smartphone.  

This is not just about fingerprint sensors, though industry reports state that Tier 1 device manufacturers will have this feature by the end of 2014. It is about everything else that is present in smartphones. You have increasingly powerful cameras and microphones supporting voice and face recognition. You also have a range of additional capabilities -- GPS, for instance -- that can be used as part of the authentication process to determine if the user is in a normal location.

Last, but not least, is the fact that most device manufacturers have invested in secure elements and trusted execution environments. These are hardware- and software-based secure storage areas and operating systems that allow the secure creation and storage of a device credential. An example of this would be the TrustZone® architecture from ARM. These allow us to give a smartphone a level of trust similar to that of a smart card, which is crucial in meeting the business risk of payment services providers, insurance companies, and government agencies.

With all these advantages, freedom from password drudgery is no longer an impossible dream. Let's chat about how to make this vision of a secure and simple web authentication process our new reality.

Comments
Marilyn Cohodas,
User Rank: Strategist
11/18/2013 | 9:44:36 AM
Smartphones as passwords
Phil, I love the idea of smartphones as a password killer, and the idea of using existing functions like cameras and GPS in the authentication processes is very exciting. Do you have examples where this is already being implemented or piloted?