
Risk

9/25/2019 10:00 AM
Chris Roberts
Commentary

The Future of Account Security: A World Without Passwords?

First step: Convince machines that we are who we say we are with expanded biometrics, including behaviors, locations, and other information that makes "us" us.

Passwords
Passcodes
Passphrases
No Passwords
Two factors
Three factors
Biometrics
Facial (smack head against phone…)
Prove you exist
Prove it's you that's proving you exist …

... at which point most people will have thrown the device away, gone back to their notepad or Post-it note, and dug out the old password from years back that still gets them into everything under the sun, which, let's face it, is probably root/calvin, root/toor, admin/letmein, or something akin to these.

We're all creatures of habit. We look for simplicity and ease of use because we're inundated on an hourly basis by applications, systems, phones, cars, fridges, and even the toaster asking us to identify ourselves before we get any meaningful service or a warmed-up waffle.

And herein lies the problem: A long time ago, someone, somewhere, in a mainframe (probably in another galaxy) decided that we needed to associate each human with an account, unique to them, and then protect it (little did they know) with a code that only that one human would ever be able to use or remember.

There's short-sighted and then there's not being able to see to the end of your nose. The password flaw is something that its inventor, the recently deceased Fernando Corbató, was keen to point out. This is, let's face it, on par with the Y2K flaw but without the immediate consequences. We keep living with the issue; heck, we have a World Password Day (first Thursday in May) when we actually celebrate that we can't fix something that's arguably been the bane of our existence since the '60s! The password is to us like the common cold is to healthcare.

The challenge is one of balance. We need/want safety and security, but we like privacy (that is debatable, I know). We also want usability (as shown by all the blinky stuff we keep buying in the hopes of an easier life). Unfortunately, these three forces are acting upon ALL the various options out there vying for supremacy on the password battlefield, and, presently, no one has really come up with something that would keep all parties happy. Remember, our audience is everyone from the NSA/Mossad folks securing their systems to my mother and her computer login to Tesco supermarkets for home crockery delivery. Whatever we come up with must solve this entire spectrum of users.

Some progress has been made in the realm of passwordless solutions, some of which do a fantastic job of uniquely managing credentials in a manner that allows for seamless transactions across multiple platforms. Others can take existing credential techniques and mask them behind a much more collaborative, intuitive, and manageable front end, creating vaults that actually do work, and solutions that tie together all the myriad technologies out there. But, in the end, what they are doing is helping us navigate the mess underlying a well-built 1960s veneer: a set of credentials assigned to us, by us, for us, or for our use still has to be part of an access solution. Only now, instead of one mainframe, we have 1,001 apps, systems, websites, programs, ERP systems, etc., all clamoring to understand who we are and whether we should be allowed in.

So, what are we to do? What are our options, and where will we be 5-10 years from now? Will we still be fending off "Summer2019!" as the default corporate password, or will we have finally put the '60s to rest and moved on?

In the short term, we have to convince the machines that we are who we say we are, so let's take biometrics and expand it to include behaviors, locations, and other information that makes "us" who we are to the outside world.
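The following is an added illustration, not code from the article or its author, of what "expanding biometrics to include behaviors and locations" can look like on the defending side: a risk-based sign-in decision that scores a device signal, a location signal, and one behavioral biometric (typing cadence on the login form) and maps the score to allow, step up to a second factor, or deny. The user profile, the sample attempts, the weights, and the thresholds are all constructed assumptions chosen for the example.

```python
"""Toy risk-based sign-in scoring (added example; all values are constructed)."""
from dataclasses import dataclass, field
from statistics import mean, pstdev


@dataclass
class UserProfile:
    """What the system has learned about 'us' from prior successful sign-ins."""
    known_devices: set = field(default_factory=set)          # device fingerprints
    usual_countries: set = field(default_factory=set)        # ISO country codes
    keystroke_intervals_ms: list = field(default_factory=list)  # mean inter-key gap per login


@dataclass
class SigninAttempt:
    device_id: str
    country: str
    keystroke_interval_ms: float  # mean inter-key gap measured on this attempt


def risk_score(profile: UserProfile, attempt: SigninAttempt) -> float:
    """Combine three signals into a 0.0-1.0 risk score (weights are assumptions)."""
    score = 0.0
    # Signal 1: is this a device we have seen this user on before?
    if attempt.device_id not in profile.known_devices:
        score += 0.4
    # Signal 2: is the user signing in from a country they usually sign in from?
    if attempt.country not in profile.usual_countries:
        score += 0.3
    # Signal 3: behavioral biometric. Compare typing cadence with the user's own
    # history using a z-score; only trust it once there is some history.
    if len(profile.keystroke_intervals_ms) >= 5:
        mu = mean(profile.keystroke_intervals_ms)
        sigma = pstdev(profile.keystroke_intervals_ms) or 1.0  # avoid divide-by-zero
        z = abs(attempt.keystroke_interval_ms - mu) / sigma
        if z > 3:
            score += 0.3
        elif z > 2:
            score += 0.15
    return round(min(score, 1.0), 2)


def decide(score: float) -> str:
    """Map a score to an access decision (thresholds are assumptions)."""
    if score < 0.3:
        return "allow"
    if score < 0.7:
        return "step_up"  # ask for a second factor rather than refusing outright
    return "deny"


# Constructed profile: one known device, sign-ins from one country, five cadence samples.
PROFILE = UserProfile(
    known_devices={"dev-A"},
    usual_countries={"GB"},
    keystroke_intervals_ms=[180.0, 190.0, 185.0, 175.0, 200.0],
)

# Constructed attempts, from "clearly us" to "clearly not us".
ATTEMPTS = [
    SigninAttempt("dev-A", "GB", 188.0),   # known device, usual country, normal cadence
    SigninAttempt("dev-Z", "GB", 190.0),   # new device only
    SigninAttempt("dev-Z", "US", 320.0),   # new device, new country, very different cadence
]

if __name__ == "__main__":
    for attempt in ATTEMPTS:
        s = risk_score(PROFILE, attempt)
        print(f"{attempt.device_id} {attempt.country} {attempt.keystroke_interval_ms:>6.1f}ms -> {s:.2f} {decide(s)}")
```

The point of the example is that no single signal has to be a perfect identifier: a new device on its own only triggers a step-up, while several unfamiliar signals together are what lead to a refusal. A real deployment would learn the profile continuously, treat the cadence model as one weak signal among many, and keep a second factor available for the step-up path.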

Long term, take that concept of "us" and who we appear to be and start to look at our very existence, our experiences, our lives, and our memories. I'm talking about taking neural information, directly from the gray matter between our ears that would demonstrate that we know the location, the bank, the account, the office, the card, and, if we're smart about it, we correlate that with the device itself knowing "us." Therefore, our very existence and interactions become our key. Essentially, we don't have to prove who we are — we just have to be ourselves.

Will that solve all the password problems we collectively grapple with daily? Probably not, but it should at least eradicate 123456 or the more complex version of adding 789.


Chris is one of the world's foremost experts on counter threat intelligence and vulnerability research within the information security industry. He has led or been involved in information security assessments and engagements for the better part of 20 years and is credentialed ...