Updated 3rd June 2013.
This post was previously published by me over at The Centre for Secure Information Technologies blog.
At the recent World Cyber Security Technology Research Summit hosted by CSIT I had the pleasure of scribing one of the breakout sessions titled “Is it the end of the road for username and password? If so what are the alternatives?”.
The answer, given recent high-profile breaches, might surprise you: it is not as clear cut as you might think. One thing is certain, however: there is a huge amount of opportunity in this area.
The session was well attended by representatives from business, academia and government. Industry representatives included social networks, payments, utilities, venture capital, physical security and network intelligence to name a few. We started from first principles. Passwords are used to authenticate and verify. Typically up to four factors are used. These are:
- Something a person knows (a password or secret)
- Something they have in their possession (a token or key)
- Something they are (a unique characteristic, i.e. a biometric)
- Somewhere they are (location, e.g. from GPS)
What’s the problem with usernames and passwords?
The general consensus at the beginning of the discussion was that authentication by knowledge alone is, for really secure purposes, a “dead duck”. Passwords came from the physical security space, dating back at least to password access at sentry points in the Roman Empire. They are a well-known, well-embedded process and will be hard to replace with mechanisms likely to reach such ubiquity.
Chip and PIN comes close to ubiquity and is the most widely held two-factor authentication mechanism in the world: 32 million people in the UK alone have it.
Graphical passwords are becoming more popular but are not completely secure, and implementation techniques vary, so there is little consistency in how they are applied. Social authentication is developing as a mechanism with a variety of methods; again, standardisation is limited across a multitude of services.
One of the key problems with passwords is that, through policy or necessity, we have come up with passwords that are hard for people to remember but easy for machines to crack. Everyone has their own threshold for how much security rules they will tolerate. This has led to significant push back from users, who introduce risk by re-using passwords across multiple business and personal accounts. Re-use of passwords is a huge issue, as the recent password breaches at sites such as LinkedIn and Gamigo have highlighted: a password cracked from one leaked database unlocks every other account where it was re-used.
Passwords in a lot of use cases are about accountability. When used to protect email, for example, it is about trust: Peter trusts that if he receives an email from Mary it was actually Mary who sent it. Passwords are a single point-in-time proof that someone has been authenticated. They are not proof of continuous identity, however.
Many alternatives are not scalable across all use cases in the way that passwords are. Most services offer no restitution if things go wrong, so there is little incentive to improve beyond avoiding negative publicity. In some cases companies instil bad practice in users for sales reasons, or expediency, and suffer the consequences later.
The vast majority of passwords (99%, in the session's estimate) protect really simple applications, and not all passwords are created equal. Really secure ones may only be used periodically, such as to access share options once a year, so users tend to forget them anyway. This isn’t such a problem, as reset procedures aren’t that cumbersome. Many attacks are remote, so there isn’t necessarily an issue with writing a password on a post-it note stuck under the desk.
Regulators are legislating for multi-factor authentication. The European Central Bank’s recent report on the security of internet payments includes the following among its recommendations:
- to protect the initiation of internet payments, as well as access to sensitive payment data, by strong customer authentication;
- implement multiple layers of security defenses in order to mitigate identified risks.
If we assume that passwords have already been compromised, how do companies analyse behaviour to pick up anomalous activity?
How can we create recognition methods which automatically authenticate?
There are new interfaces coming about which still require authentication but don’t have an ASCII terminal to input passwords such as Google Glasses. How will authentication be handled in those instances?
The use of the term password as a surrogate for a secret for authentication caused difficulties too. If the terminology was rephrased to “tell me a secret” rather than “enter a password”, would that improve user security around the creation of secure passwords and their storage?
Should every company have their own password database if they do not possess the appropriate skills, experience and resources to protect that database? Curating of passwords by third party password managers might be an option for enterprises. Many consumers already use similar services for web services. Are these password management services ready for the enterprise and are enterprises taking them seriously?
In terms of using mobile devices as a possession-based authenticator, the fact that they weren’t originally developed for this purpose causes problems. The same goes for using GPS for identity provision, due to poor accuracy. An additional concern is that concentrating everything on one device is inherently insecure if you lose it.
Bonding between carbon-based identity and virtual identity may involve some form of biometric authentication. Biometric authentication and verification are part of the answer but are prone to false positives. False positives scaled to large numbers mean large impact, although an acceptable level of false positives may be appropriate for some use cases.
While usernames and passwords may not necessarily have had their day, we are conditioned to think that there is a problem with passwords. They still fulfil a purpose and are ‘good enough’ for many applications.
Notwithstanding this, there are huge problems with the way they are being used by enterprises and individuals which make them insecure and prone to attack by those with malicious intent. New interfaces which don’t have ASCII keyboards (hardware or software) for inputting username/password combinations mean that there are many new research, technology and commercial opportunities coming up in the next 5-10 years in this area of cyber security.
What are the top challenges and/or opportunities in this area:
0. People storing usernames/passwords should just store them securely (salted, slow hashes rather than plaintext or a single fast hash)! Companies should get their house in order first.
- Do we need global third party identity providers e.g. Facebook, Microsoft, Google, Twitter – or a role for government?
- The phone becomes the token; owners are very likely to report it stolen promptly (a threat, or a mitigation?)
- Confusing authentication and authorisation.
- No restitution process from identity theft.
What future technologies are required to take advantage of these opportunities:
- Chip all people at birth – A semi-serious proposal to stimulate discussion!
- Wearable computers, e.g. Google Glasses authenticating to the phone
- Token – Password wallet on a token. Being near something that is worn by you unlocks the wallet.
- Using emotional intelligence as authenticator
- Behavioral biometrics
- Silicon device authenticators coupled with user authentication
What practical steps can be taken collectively by research organisations to deliver this technology:
- Multidisciplinary approach to researching solutions – Technologists, psychologists, users, enterprise
- Usability coupled with security and iterate
- No-one has a root identity. Need to look at this issue again after the mess of national ID cards