Subscribe

End of the password?

Reports of the password's death have been greatly exaggerated. Instead, security is betting on a plan B.

James Francis
By James Francis, Ghost Writer, Copywriter, Media Hack & Illustrator
Johannesburg, 30 Jan 2014
Simon Josefsson.
Simon Josefsson.

If there is one thing about passwords, it's that people choose poor ones and then use them everywhere. Take your pick of a report declaring this: in January, Deloitte found 90 percent of all passwords are vulnerable to hackers. A year earlier, Trustwave blamed poor passwords for major data breaches. Numerous polls have revealed our penchant for choosing passwords like '123456' or, amazingly, 'password'.

We're just not very good at this. And why should we be? A decade ago, you juggled one, two, perhaps five passwords. Today, you're likely stuck with dozens of places requiring a login. This has prompted an industry-wide soul search for the perfect security solution and breathless headlines about the end of the password. But is this really the case? Can I finally stop trying to recall my login for funnycatsonskateboards.com?

No. The password is here to stay, says Simon Josefsson, security architect at Yubico: "Passwords, when used with a secure, privacy-respecting second factor authenticator, have several benefits that other authentication methods don't have."

But what has changed, he adds, is relying on passwords. Instead, the industry is trying to find secondary ways to boost security.

Several factors dog security access. First are passwords, particularly the need to create ever-more complex ones that are harder to remember. Second is a lack of universal standards and implementations. Several high-profile groups are attempting to address these. The US' National Institute of Standards and Technology has dished out millions in grants towards addressing specific challenges within these areas. Its focus is mainly on how to create software security access standards across the public sphere.

Concern for security in the private sphere sits with the FIDO (Fast IDentity Online) Alliance, a non-profit group that includes Google, BlackBerry, Lenovo and Yubico. Josefsson says the aim is to create a standardised framework for simpler, faster authentication over a wide range of devices and other access points. Using this, Google has developed the U2F token system, a second factor (2F) security system that uses tokens such as USB drives. 'Second Factor' is the lingo for a second authentication step after a password, the most common example being One Time Pins (OTP), which U2F hopes to eventually replace.

'Second factor' is the lingo for a second authentication step after a password.

But at the moment, U2F's implementation orbits around USB drives, which is a problem. It's no different from a dongle or any other hardware token. These have existed for decades, yet never managed to gain mainstream adoption. Today, smart cards are ideal candidates for 2F security, but even these are not popular. Yet the problem isn't the hardware itself, not if said hardware is already being used for something else.

The Biometrics Boom?

The introduction of a fingerprint reader in Apple's new iPhone has been met with some excitement. Paypal's security chief even predicted it would eventually replace online passwords. That seems like a sober analysis: biometric security has matured into a very effective solution. The challenge is to get end users on board and the new iPhone is seen as a serious stepping stone for this. But according to Forbes, up to 20 percent of iPhone 5S users are having problems with the scanner ? one could easily anticipate an even bigger failure rate from rival devices that may soon ship with similar technology. Biometric systems have also been criticised for being costly and far from universal.

This is why OTP has flourished. It sends a message to your phone and, in theory, is device-agnostic. According to Lee Bristow, security consultant at ESET South Africa, OTP is the most cost-effective method that also ticks the requirements for corporate governance and legislation. This has seen the technology, of which ESET is a vendor, enjoy uptake among a broad range of industries, particularly online banking. Facebook, Google and Twitter all also offer OTP security. OTP is flexible: you may not need the short-lived pin to log into a service, but it can be invoked at numerous points, like changing account details or making payments. But OTPs are not infallible and cyber criminals have been finding inventive ways to fool such systems. As such, it's not regarded as a security holy grail, but rather a significant evolution.

User fatigue

One thing is certain: passwords are not going anywhere. But Josefsson points to a new phenomenon that may alter how they're approached: federated systems. When you use Google or Facebook to log into a third party, that's a federated system. And it's a trend likely to grow: "There are too many sites out there that cannot implement authentication in a secure and usable way. Leading identity providers do a better job here, because they're already heavily invested in complex risk-based authentication capabilities."

The problem isn't one of weak or overused passwords, but what we can do to stop online criminals.

This may cut down on the biggest problem with passwords: user fatigue. Every time we sign up for a new account, we require a new password. Most of the time, we just fall back on a familiar one. Federated systems simplify such housekeeping, while second factor solutions will reduce demand for complicated passwords. Ultimately, the problem isn't one of weak or overused passwords, but what we can do to stop online criminals - preferably ways that don't expect end users to change their habits.

First published in the Dec/Jan 2014 issue of ITWeb Brainstorm magazine.

Share