
Dark Reading Radio

When Will Passwords Finally Die?
Date / Time: Wednesday, March 16, 2016, 1:00 p.m. EDT/10:00 a.m. PDT
Overview:
Despite decades of new technology for authenticating the identity of the end user, most enterprises still rely on passwords as their primary method of authentication. Will the password ever be replaced? Dark Reading Executive Editor Kelly Jackson Higgins will host authentication experts Brett McDowell, Executive Director of the FIDO Alliance, and Corey Nachreiner, chief technology officer at WatchGuard Technologies, to discuss why past technology developments have failed, and what the future holds for authentication and the pesky password.



This episode is archived, so you can come back and listen at any time, or share it with a colleague. Thank you!

We're at the top of the hour. =) I want to thank Brett McDowell and Corey Nachreiner for joining us today on Dark Reading Radio, as well as our audience. This was a great, meaty discussion of the issues and realities of passwords and authentication. 

@Kelly when W3C ratifies FIDO 2 we will see the market respond to FIDO as "standard fare" vs. "innovative/new" (which has already begun).  That work is happening in W3C here:  https://www.w3.org/2015/12/web-authentication-charter.html

Apprentice

To see a list of the FIDO Certified products visit our soon-to-be-updated-with-many-more listing here:  https://fidoalliance.org/certification/fido-certified/

Apprentice

Q for Brett and Corey: When do you see FIDO becoming standard fare for auth?

BTW, "myidiym" is simply a palindrome of "my ID" :-)

Apprentice

For more information about FIDO and Federation, regulatory issues, deployment best practices, etc. please see our set of published white papers here:  https://fidoalliance.org/specifications/additional-resources/

Apprentice

@PRcosway By "FIDO-enabled Federation" I simply mean FIDO implementation for the authentication credentials + Federation, per existing federation standards like OpenID Connect and SAML 2. We were very careful to not let our scope-of-work bleed out of authentication and into federation. The layers are distinct and clean. As an aside, many of us who drove FIDO were also involved in driving OpenID and/or SAML in the past.

Apprentice

Regarding Security Standards and FIDO vis-a-vis OpenSSL "hacks" -- You are referencing a flaw/bug in a single implementation of the SSL standard, OpenSSL.  That is apples-to-oranges for the FIDO context.  If we had only one "OpenFIDO" stack that everyone used, we would be putting the ecosystem at risk of a similar single-point-of-failure situation, but we are not.  We already have over 100 FIDO implementations that have gone through certification.

Apprentice

Thanks, @Corey. If a site doesn't do 2FA, do you just make a strong password and keep your fingers crossed?

I hadn't heard of FIDO-enabled Federation before. What is required for that beyond the FIDO spec?

Apprentice

Regarding cost of FIDO: no, there is no direct cost to adding FIDO to your website/mobile app.  The standards are free to use.  But implementing those standards requires code that someone has to write.  So there is a cost (though low since we see many open source server implementations in the market already).  What is great about FIDO-enabling your infrastructure is that you only have to do it once and you can support every modality, device, browser, etc. that complies to the standards.  This is very different from the "old school" model of adding biometrics through one-off integrations with vendor-specific solutions.

Apprentice

Sure.... I turn on two-factor for everything I can. If a public web site supports it, I use it. As a security nerd, I know there are weaknesses, say, using a text-based OTP as a second shared secret, but it does add an additional significant barrier to an attacker... I also do use biometrics when I can as a preferred factor of auth on devices. It's become very easy on mobile phones.

Apprentice

@prcosway you are correct, ideally you wouldn't have to de-provision with each application separately. That is where FIDO-enabled Federation comes into play as a "best practice".

Apprentice

Security standards seem like a huge help to the industry, but as we saw with SSL, a few good breaches can also create a loss of trust at an industry level. What steps is FIDO taking to ensure that this doesn't happen?

Strategist

Regarding biggest surprises from early adopters of FIDO (good and bad): The good news is the "wow, that's it?!" phenomenon. When you take password entry away, you make people very happy :-) As for the bad news, I think early deployers are still trying to figure out if their FIDO credentials are a password replacement or a replacement for full MFA. For example, my bank uses FIDO and I am an MFA user. So I was surprised to see they still wanted an OTP from me after my FIDO authentication. I think that is something that will go away with more experience and when these institutions can see consistently low fraud from FIDO-only credential-enabled sessions.

Apprentice

I think the answer would be better by saying, "you can easily de-provision those keys by means of an account recovery flow with each online application," instead of "that".  As a user, I need a solution that works for potentially hundreds of accounts.

Apprentice

@Corey, do you mind sharing what type auth/auths you use?

@myidiym Is there a "cost" associated with supporting FIDO that is part of the reservation of some non-adopting website owners?


@Kelly If you lose a FIDO authenticator (U2F or UAF) you can easily de-provision those keys by means of an account recovery flow with that online application (or an alternative set of credentials). For example, Google Accounts... U2F tokens (which they call "security keys") are an option but they don't yet allow them to be your exclusive credential... you still have your OTP and/or account recovery flow if you lose the security key.

Apprentice

Complicated @myidiym. 

Strategist

Regarding "biggest reservations from non-adopters" I would say it is ubiquity of device-side support. Right now FIDO U2F is supported by Chrome and soon will be in Firefox. But websites know they have users with other browsers. So it is a calculation of when to deploy... when you can reach the majority of your power users with a more secure and better UX, or when you can reach nearly everyone.

Apprentice

(looks like one for Brett!)

I see a great q from @prcosway: If I lose my FIDO U2F dongle, how do I gain access to all of my accounts that it controlled?

Great discussion all, thank you! Looking forward to continuing the dialogue!


Apprentice

Great interviews Kelly! 


Strategist

Welcome to the chat, everyone!


Great stuff everyone!

Author

Good point ... We need a sunset date on mag stripe too! 

Apprentice

Well, I actually miss rotary phones. But I don't think I'll miss passwords.

Author

A decade! I'm so depressed.

Strategist

What are the biggest reservations from non-adopters? And what are the biggest surprises the early adopters are finding (good and bad)?


Strategist

If I lose my FIDO U2F dongle, how do I gain access to all of my accounts that it controlled?

Apprentice

"the only thing worse than a password is two passwords" how true!!

Apprentice

...still an improvement though.

Author

That's a great point... since a one-time passcode is ultimately a "something you know," it can be socially engineered. Major weakness.

Author

This is always a hot topic. One of Dark Reading's most widely-read stories over the last two years was called 10 Top Password Managers. Clearly, enterprises and users are struggling with this every day.

Strategist

@prcosway Great point! But isn't replacing passwords easier than replacing other factors of authentication?

Author

The audio is live: If you haven't seen or heard the player, please refresh your browser window now.

Author

Yeah, I knew I wrote a story about it awhile back: 7 Reasons to Love Passwords! Aha! (Slightly tongue-in-cheek but not entirely.) http://www.darkreading.com/7-reasons-to-love-passwords/d/d-id/1315837

Author

While passwords are a "problem", isn't account/password reset an equal or bigger problem?

Apprentice

Looking forward to the chat... Authentication is the cornerstone of security.

Apprentice

Okay... I've just gotta say... there are some GOOD things about passwords too. 

Author

This should be fun! Hope to get some good news about pesky passwords.

Strategist

We'd love to have your voice in the discussion here. To take part, just type your comment into the "Your Post" box and then click on the "Post" button below the box. Feel free to introduce yourself before the show starts -- I think you'll find that we're a very friendly community here! 

Author

Hey, everyone, we're glad you could join us! When the show is scheduled to start, an audio player should appear above the "Your Post" window. If it doesn't appear, you might need to refresh your browser until it does. If it appears but doesn't start playing, then you may need to click on the "play" button on the far left of the player. 

Author

Welcome to the show! Thank you for joining us. You can post your thoughts, comments, and questions here during the on-air part of the show as well as during our online chat after the show. 

I'm looking forward to a great show today with Brett McDowell of the Fast Identity Online (FIDO) Alliance and Corey Nachreiner, chief technology officer at WatchGuard Technologies. 

Come join our discussion about those pesky passwords and how/when we're going to say 'goodbye' to them.
