01:49 PM

Kill Passwords: Hassle-Free Substitute Wanted

Passwords keep proliferating, but do new technologies and approaches offer an alternative? Maybe.

Let's play the "who's got the most passwords?" game. Count PIN codes for mobile devices, ATM cards and, if you're European, credit cards. Then move to websites, including social networks, school records, e-commerce, banking, health insurance, ticket-buying, airlines and customer rewards.

What's your score? The average consumer today has about 25 passwords. Good luck remembering them all without writing some down.

Furthermore, the infuriating fact remains that, despite our best efforts, the odds are stacked against anyone who must rely on passwords. Just one failure somewhere in a long chain of processes, whether poor encryption, crummy database security, password reuse, card skimmers with cameras or social engineers, can allow an attacker to bypass the security that passwords supposedly provide.


In other words, passwords stink. "You would have to be living in a cave the past couple of years to not realize that passwords are next to useless as a security mechanism," said Sally Hudson, IDC's research director for identity and access management, via email.

Can passwords be replaced? Unfortunately, no one approach is going to overthrow the tyranny of password proliferation. "We're looking for a new way, we're looking for a new type of protection, and I don't think the industry has found it yet -- or at least, not just one answer," said Sean Brady, RSA's director of product marketing, speaking by phone.

In the future, however, businesses might be able to deemphasize passwords in favor of better intelligence. "Some solutions, like one-time passwords may work for certain segments, but where we think the industry is going -- not to throw around marketing terms -- but you're entering a world where notions of big data and analytics, and consuming all of the information that exists about us on the Web, and our histories, will all now be part of a risk profile," said Brady.

One proto-password-replacement example is RSA's Adaptive Authentication, which counts about 300 million end users -- largely banking customers -- and keeps a risk profile of each user (time of day they're logging in, device used, location, and so on) to determine how many different security questions the user must answer before being granted access.

But expanding that approach to the point where it might replace passwords altogether faces three big challenges. The first is "doing that in real time," Brady said. The second is accurately distinguishing between useful risk information and useless risk information -- and making sure you don't collect the latter -- and the third is automating the process enough to not create another administrative headache for information security managers.
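To make the risk-profile approach described above concrete, here is an added example (written for this page, not RSA's code or the product's scoring logic) that compares a login attempt against what a site has learned about the user and turns the result into a step-up decision. The profile fields, the weights, the three-question cap and the sample device fingerprints are all hypothetical; the point is that every signal that raised the score is returned alongside it, so the decision can be logged and audited rather than silently applied.

```go
package main

import (
	"fmt"
	"strings"
)

// Profile is what a relying party has learned about one user from past logins.
// A real system derives it from login history; these fields are a simplification.
type Profile struct {
	UsualHours   [2]int          // inclusive local-hour window in which the user normally logs in
	KnownDevices map[string]bool // device fingerprints seen on earlier successful logins
	HomeCountry  string
}

// Attempt is the context observed on one login attempt.
type Attempt struct {
	Hour    int
	Device  string
	Country string
}

// RiskScore compares an attempt against the profile and returns a score plus the
// signals that contributed to it, so the decision can be logged and reviewed.
// The weights are a hypothetical policy, not RSA's.
func RiskScore(p Profile, a Attempt) (int, []string) {
	score := 0
	var reasons []string
	if a.Hour < p.UsualHours[0] || a.Hour > p.UsualHours[1] {
		score++
		reasons = append(reasons, "unusual hour")
	}
	if !p.KnownDevices[a.Device] {
		score++
		reasons = append(reasons, "unrecognised device")
	}
	if !strings.EqualFold(a.Country, p.HomeCountry) {
		score += 2 // a new country weighs more than a new browser
		reasons = append(reasons, "unusual country")
	}
	return score, reasons
}

// QuestionsRequired maps a risk score to the number of step-up security questions
// the user must answer (0 means the primary credential alone is enough), capped at three.
func QuestionsRequired(score int) int {
	if score < 0 {
		return 0
	}
	if score > 3 {
		return 3
	}
	return score
}

func main() {
	// Constructed sample profile and attempts.
	profile := Profile{
		UsualHours:   [2]int{7, 22},
		KnownDevices: map[string]bool{"fp-laptop-01": true},
		HomeCountry:  "US",
	}
	attempts := []Attempt{
		{Hour: 13, Device: "fp-laptop-01", Country: "US"},
		{Hour: 13, Device: "fp-unknown-77", Country: "US"},
		{Hour: 3, Device: "fp-unknown-77", Country: "RO"},
	}
	for _, a := range attempts {
		score, reasons := RiskScore(profile, a)
		fmt.Printf("attempt %+v -> score %d, %d question(s), reasons %v\n",
			a, score, QuestionsRequired(score), reasons)
	}
}
```

Brady's second challenge, separating useful risk signals from useless ones, shows up here as the choice of which fields belong in Profile at all: each one you add is data you must collect, protect and justify.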

Beyond building a better risk profile, another -- perhaps complementary -- approach is being advanced by the FIDO Alliance, which is creating an open standard that will let websites authenticate users with whatever is to hand: a biometric fingerprint reader on a user's PC, security questions, one-time passwords sent to smartphones, USB security tokens, voice recognition, two-factor authentication systems such as SecurID, Trusted Platform Modules (TPMs) built into PCs and so on. The elegance of this approach is that in the era of BYOD (bring your own device), FIDO is advancing an anything-goes, "authenticate with what you've got to hand" model.

Early FIDO participants include PayPal, Lenovo, Validity Sensors, Nok Nok Labs, Agnitio and Infineon, and they say their approach would secure every part of the authentication process, from client to server and back again. "There is no security standard today that addresses security from the ecosystem standpoint. It's not enough if you secure the client, or the server; a security link has to be end to end," said Ramesh Kesanupalli, VP of the FIDO Alliance, speaking by phone.

FIDO's backers also claim their framework would add minimal "friction" to the user experience. "Your identity and credentials remain on your device," said Sebastien Taveau, CTO of Validity Sensors and a FIDO Alliance board member, via phone. "What happens is the service provider or relying party is going to ping you and say, 'We see that you have a FIDO token on your device; do you want to use it?'"

For everyone who might love to see passwords become extinct, the good news is that thanks to an approach such as FIDO, we may one day need fewer passwords. The bad news is that we'd still need passwords, for example to log into our PC. "I don't think passwords are going to go, even for FIDO," said Kesanupalli. "Passwords are a bootstrap to start the process."

Even so, password use could be minimized. "We'd like to kill the possibility of ever sending a password over the Internet," said Clain Anderson, director of software at Lenovo and a FIDO Alliance member, via phone. "You can still use a password on the device, but then it relies on a cryptographic handshake" to validate a user with a site, with the authentication requirements tailored to the perceived level of risk. "Checking your balance is one level of authentication. But using a brokerage account to move millions of dollars? That's a different level of authentication," he said.
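The "cryptographic handshake" Anderson describes is a challenge-response over a key pair that never leaves the device, so no password (or anything derivable from one) crosses the network. The following is an added example written for this page, not the FIDO Alliance's protocol or any member's code: Ed25519 from the Go standard library stands in for whatever algorithm a real authenticator uses, and the relying party identifiers "bank.example" and "phish.example" are constructed. It shows the two properties that matter to a defender: a signature is bound to the site the user is actually talking to, so one captured by a look-alike site does not verify at the real one, and each challenge is consumed on first use, so a recorded response cannot be replayed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Device holds the user's credential. The private key never leaves the device;
// the relying party only ever sees the public key and signatures.
type Device struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

func NewDevice() (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{priv: priv, Pub: pub}, nil
}

// signedData binds the challenge to the relying party identifier, so a signature
// obtained by a look-alike site cannot be presented to the genuine one.
func signedData(rpID string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(rpID))
	h.Write([]byte{0}) // separator between the identifier and the nonce
	h.Write(challenge)
	return h.Sum(nil)
}

// Sign is the device's response: it signs the challenge for the site the user is on.
func (d *Device) Sign(rpID string, challenge []byte) []byte {
	return ed25519.Sign(d.priv, signedData(rpID, challenge))
}

// RelyingParty is the server side: registered public keys and outstanding challenges.
type RelyingParty struct {
	ID         string
	keys       map[string]ed25519.PublicKey // username -> registered public key
	challenges map[string][]byte            // username -> not-yet-used challenge
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, keys: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}

// Register stores the device's public key; this is the only credential the server keeps.
func (rp *RelyingParty) Register(user string, pub ed25519.PublicKey) {
	rp.keys[user] = pub
}

// Challenge issues a fresh random nonce for a registered user; each nonce is single use.
func (rp *RelyingParty) Challenge(user string) ([]byte, error) {
	if _, ok := rp.keys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.challenges[user] = c
	return c, nil
}

// Verify checks the signature against the stored key and consumes the challenge,
// whether or not the signature was valid, so a second presentation always fails.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) error {
	expected, ok := rp.challenges[user]
	if !ok || !bytes.Equal(expected, challenge) {
		return errors.New("no matching outstanding challenge (stale or replayed)")
	}
	delete(rp.challenges, user)
	if !ed25519.Verify(rp.keys[user], signedData(rp.ID, challenge), sig) {
		return errors.New("signature invalid")
	}
	return nil
}

func main() {
	dev, _ := NewDevice()
	rp := NewRelyingParty("bank.example")
	rp.Register("alice", dev.Pub)

	c, _ := rp.Challenge("alice")
	sig := dev.Sign(rp.ID, c)
	fmt.Println("genuine login:", rp.Verify("alice", c, sig))
	fmt.Println("replayed response:", rp.Verify("alice", c, sig))

	c2, _ := rp.Challenge("alice")
	fmt.Println("signature made for a look-alike site:", rp.Verify("alice", c2, dev.Sign("phish.example", c2)))
}
```

Note what the server stores: a public key per user and nothing secret, which is what lets Anderson's "never send a password over the Internet" goal hold even if the server's database leaks. Tiering by risk, as in his balance-check versus brokerage-transfer example, would sit on top of this handshake, deciding for a given action whether a fresh assertion (or a stronger user-verification step on the device) is required before the request is honoured.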

Could the FIDO Alliance succeed? "Yes, I think they can succeed, but like anything else in the security standards/protocol space, it depends on a number of variables," said IDC's Hudson. "How many industry heavyweights will get behind FIDO? What is the actual market demand? What other options might emerge?"

FIDO will also require technology, financial services, governments, retail giants -- and any other business or organization that needs to authenticate people online -- to cooperate and collaborate at an unprecedented scale. "Will it happen? History says no, not at the level needed, but you never know," said Hudson. "Things change."

Here's hoping.


Melanie Rodier, User Rank: Black Belt
3/5/2013 | 4:33:58 PM
re: Kill Passwords: Hassle-Free Substitute Wanted
Getting all these entities to collaborate does sound like a long shot. Still, the idea of being able to authenticate users with whatever is at hand is a great idea. Perhaps there will be a way that innovative vendors will enable this kind of technology to gradually catch on, while bypassing a broad high-level collaboration between government institutions and others. In any case, there really has to be a better way than having to remember a multitude of passwords and answering the same types of security questions (which often do not seem secure at all) when you forget a password.
Cara Latham, User Rank: Apprentice
3/4/2013 | 2:45:18 PM
re: Kill Passwords: Hassle-Free Substitute Wanted
Unfortunately, if FIDO really does require technology, financial services, and governments to cooperate to enable a password-free system, I don't think it will work out smoothly and efficiently. When government has to be involved in anything, it is a hurry up and wait situation. The only way I see large-scale cooperation occurring is if there is regulation enacting it, and if that is the case, it will be many years before this is put into place.