Why FIDO Alliance Standards Will Kill Passwords

Bill Gates predicted the demise of passwords more than a decade ago. But the FIDO Alliance believes its proposed new authentication standards are a game changer that will transform the computing landscape in just three years. Phillip Dunkelberger, President & CEO of Nok Nok Labs, tells why he believes that the time is finally ripe for a password-free computing experience.

Comments
DonT733,
User Rank: Apprentice
3/31/2014 | 8:02:10 PM
Just wondering when the FIDO Presentation might have some more content.
In a word, the presentation just affirmed VPN certificates with passwords to unlock them.  Thanks for revisiting private password key stores for the protection of digital certificates.  Is there any more content?

Passwords are not good, they're just cheap. My MacBook Air Pro, due to flashram drives, achieved 6 billion password combinations per second in August of 2013. This pretty much means passwords less than 12 places with full complexity have less than 50/50 odds to remain uncracked in less than 90 days.

Please send IT Auditors to me. I want to present what I have and am offering a voluntary pledge. "I will never again claim that an 8 place password is an adequate security measure." For those that must use only numbers in their passwords, 18 places are needed to compensate for the lack of complexity. At least, so says my Mac -- running a Windows 7 VM running John the Ripper at 6 Billion Combinations per Second, while the Mac side runs AV and edits Word simultaneously.

You know, the second factor tool account password cracked and the full Pen Test Check Mate of their Domain Controller fell out rather quickly after that.

Yes, I would say that 8 place passwords are closer to public endangerment rather than InfoSec security.
windk,
User Rank: Apprentice
3/19/2014 | 4:29:35 PM
Re: Couldn't happen too soon!
A good fiction (but apparently soon to be non-fiction) read about this is Dave Eggers' The Circle: "The Circle, run out of a sprawling California campus, links users' personal emails, social media, banking, and purchasing with their universal operating system, resulting in one online identity and a new age of civility and transparency." (Alfred A. Knopf, 2013).
Marilyn Cohodas,
User Rank: Strategist
2/27/2014 | 8:31:38 AM
Re: Couldn't happen too soon!
Hi Spaz! I just got my new iPhone with the biometric fingerprint reader. So I can tell you first hand how user friendly it is. Stay tuned!
Spaz,
User Rank: Apprentice
2/26/2014 | 10:46:49 PM
Re: Couldn't happen too soon!
Nothing is infallible I suppose. While I don't know the technical aspects of fingerprint readers, Apple feels very good about fingerprint scanners and so does Samsung. They both allow you to access your device with the fingerprint scanner. I imagine that one would have to get some training in how to pick up fingerprints. You'd need to buy fingerprint kits as well. I am definitely not for retina scanners since they have a lot of radiation.
SeanKelly,
User Rank: Apprentice
2/26/2014 | 5:26:39 PM
Re: Couldn't happen too soon!
I agree with your comment on corporate passwords but I disagree strongly with the comment on fingerprints. Fingerprints are not a password replacement. Fingerprints are usernames. Fingerprints aren't secret, you leave them everywhere and you can't change them (easily) when they have been compromised. Fingerprints should never be used as passwords.
Spaz,
User Rank: Apprentice
2/22/2014 | 5:02:05 PM
Re: Couldn't happen too soon!
Passwords, especially corporate passwords, are a complete pia. It's frustrating how the passwords have to be changed so often and how they have to fall within certain parameters, e.g. 8 characters, has to contain this and that, etc. Until another worthy solution is provided, we all need fingerprint readers instead. This will certainly help both the IT admins and employees as well.
ANON1241486907214,
User Rank: Apprentice
2/21/2014 | 9:56:36 AM
Re: Couldn't happen too soon!
Can imagine what technology would make private keys safe. At least with passwords, the NSA has to spend some effort in guessing or intercepting them.  Any kind of centralized system  would immediately fall prey to government security agencies, and eventually to other players.
djameson910,
User Rank: Apprentice
2/20/2014 | 3:22:42 PM
Stolen Device
So, if someone steals my device, they have access to all my stuff?  How does my device know me from an interloper?
Marilyn Cohodas,
User Rank: Strategist
2/18/2014 | 4:14:40 PM
Couldn't happen too soon!
Phil, I doubt that there's a consumer or IT person on this planet that doesn't pray for the day that passwords will be replaced with a manageable authentication process. But what are some of the hurdles that the industry has to overcome to reach that point? Is there broad-based agreement on the FIDO standards or are there competing technologies or ideas?