No more passwords in 2017? | Dec16 Newsletter
Yahoo!’s disclosure that hackers might have vacuumed up the passwords of as many as half a billion users lit the floodlights on two gaping issues in IT:
- Passwords on their own no longer meet today’s security needs
- Sometimes you don’t even know they’re gone, which means you’re vulnerable without realising it
Wakefield Research recently surveyed IT decision makers and found that 69% expect to do away with passwords completely within the next five years.
That finding wasn’t surprising, nor were the insights that IT professionals are despairing of evergreen problems:
- Users “securing” their accounts with passwords a child could guess, let alone a script kiddie driving any of a dozen cracking tools available for free download
- Users recycling the same password across accounts, so that one crack exposes many systems. It’s especially galling for IT when its own system is breached because of a failure somewhere beyond its control: every corporate network is now at risk wherever an employee used the same password for Yahoo! as for work access.
Alternatives to passwords
Alternatives that solve both these problems are maturing. They typically involve mixing methods like:
- Two-factor authentication involving single-use pass codes, generated by an app on the user’s phone or pinged to them by SMS or email (codes sent over SMS or email can be intercepted or phished, so app- or hardware-generated codes are the stronger choice)
- Biometrics—commonly fingerprint, eye (iris or retina) or voice recognition
- Behaviour—recognising a user’s signature behaviour, such as:
- Considering the time and place a user is requesting access and deciding if it’s in keeping with that person’s usual behaviour
- Looking at the way the user is handling the device—mouse movement and keystrokes—to sniff out atypical behaviour
- Device-specific lockdown—only allowing access to certain systems by particular devices assigned to individual owners
Combinations of these are most effective. It’s easy to see, for instance, that a request from a device that has never been used to access a system at 11pm, let alone from a city other than HQ, should at least be challenged for an extra factor, and locked out if the challenge fails.
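As an added example (not code from the newsletter or from any vendor it mentions), here is a minimal risk scorer in Python that implements the behaviour checks listed above: it compares an access request against the same user’s own login history for an unknown device, an unknown city, an unusual hour and “impossible travel”, then maps the score to allow, step-up (demand another factor) or deny. The login history, device identifiers, cities, point weights and thresholds are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List


@dataclass(frozen=True)
class LoginEvent:
    """One access request: who, from which assigned device, from where, and when.
    All timestamps are kept in one zone (UTC here) so hour-of-day comparisons line up."""
    user: str
    device_id: str
    city: str
    when: datetime


UTC = timezone.utc

# Constructed baseline of a user's past successful logins (not real data).
HISTORY: List[LoginEvent] = [
    LoginEvent("alice", "laptop-A1", "Sydney", datetime(2016, 11, 7, 9, 2, tzinfo=UTC)),
    LoginEvent("alice", "laptop-A1", "Sydney", datetime(2016, 11, 8, 8, 55, tzinfo=UTC)),
    LoginEvent("alice", "phone-A2", "Sydney", datetime(2016, 11, 9, 12, 30, tzinfo=UTC)),
    LoginEvent("alice", "laptop-A1", "Sydney", datetime(2016, 11, 10, 14, 10, tzinfo=UTC)),
]

# Point weights and decision thresholds are assumptions chosen for illustration.
UNKNOWN_DEVICE = 2
UNKNOWN_CITY = 2
UNUSUAL_HOUR = 1
IMPOSSIBLE_TRAVEL = 3
STEP_UP_AT = 1   # score >= 1: ask for a second factor
DENY_AT = 3      # score >= 3: refuse outright


def risk_score(attempt: LoginEvent, history: List[LoginEvent]) -> int:
    """Score an access request against the same user's own history.
    Each signal that departs from the user's usual behaviour adds points."""
    past = [e for e in history if e.user == attempt.user]
    if not past:
        return DENY_AT  # no baseline at all: treat as high risk
    known_devices = {e.device_id for e in past}
    known_cities = {e.city for e in past}
    usual_hours = {e.when.hour for e in past}
    score = 0
    if attempt.device_id not in known_devices:
        score += UNKNOWN_DEVICE
    if attempt.city not in known_cities:
        score += UNKNOWN_CITY
    if attempt.when.hour not in usual_hours:
        score += UNUSUAL_HOUR
    # "Impossible travel": a different city less than an hour after the latest login.
    latest = max(past, key=lambda e: e.when)
    gap = attempt.when - latest.when
    if latest.city != attempt.city and timedelta(0) <= gap < timedelta(hours=1):
        score += IMPOSSIBLE_TRAVEL
    return score


def decide(score: int) -> str:
    """Map a risk score to an outcome: allow, step-up (demand another factor) or deny."""
    if score >= DENY_AT:
        return "deny"
    if score >= STEP_UP_AT:
        return "step-up"
    return "allow"


def evaluate(attempt: LoginEvent, history: List[LoginEvent] = HISTORY) -> str:
    return decide(risk_score(attempt, history))


# Constructed access requests to evaluate against the baseline above.
SAMPLE_ATTEMPTS: List[LoginEvent] = [
    # usual device, usual city, usual hour
    LoginEvent("alice", "laptop-A1", "Sydney", datetime(2016, 11, 11, 9, 30, tzinfo=UTC)),
    # usual device and city, but 11pm
    LoginEvent("alice", "laptop-A1", "Sydney", datetime(2016, 11, 11, 23, 0, tzinfo=UTC)),
    # never-seen device, from another city, at 11pm
    LoginEvent("alice", "laptop-X9", "Melbourne", datetime(2016, 11, 11, 23, 5, tzinfo=UTC)),
    # usual device, but in Melbourne 30 minutes after a Sydney login
    LoginEvent("alice", "laptop-A1", "Melbourne", datetime(2016, 11, 10, 14, 40, tzinfo=UTC)),
]


def evaluate_samples() -> List[str]:
    return [evaluate(a) for a in SAMPLE_ATTEMPTS]


if __name__ == "__main__":
    for a, outcome in zip(SAMPLE_ATTEMPTS, evaluate_samples()):
        print(a.device_id, a.city, a.when.strftime("%H:%M"), "->", outcome)
```

A real deployment would learn the baseline continuously and weight the signals from measured false-positive rates rather than from fixed constants, but the shape is the same: score the departure from the user’s own habits, then choose between letting the request through, stepping up to another factor, and refusing it.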
Self-aware users
Wakefield Research found the biggest obstacle to scrapping standalone passwords was the belief by 42% of respondents that they’d get push back because of “disruption to users’ daily routine”.
A choice that taps into something enjoyed by many might be the answer—the selfie.
Uber is periodically asking its drivers to snap a selfie before accepting ride requests. It runs the selfie through an algorithm to match it against the one on file.
Similarly, MasterCard in Europe is asking online shoppers to authenticate themselves with a selfie.
The technology isn’t as mature as some other options—Google had to apologise when its Photos app identified two black people as “gorillas”.
But the selfie of today might yet have its way as the future of security.
After years of lectures from security experts, business IT professionals have finally begun to accept that a password alone isn’t enough to secure a corporate computing account. Passwords can be cracked by brute force, lost to phishing attacks, and forgotten. Security teams have tried making them stronger, only to run up against the tragic limits of the average human memory.
What’s more secure than a fingerprint?
One of the methods used to improve log-in security is multi-factor authentication. Fingerprint recognition is a common second factor.
Security researchers have shown on many occasions that fingerprint readers can be fooled, for instance with a fake finger cast from a print lifted off a glass, so what can be more secure than a fingerprint? Security vendors have begun to answer that question with other body parts that are:
- Unique
- Harder to copy or spoof
- Possible for computer system vendors to install on workstations not purchased with spy-agency budgets
Facial recognition
The first major biometric seeing use is facial recognition. Each human face has a set of landmarks (eyes, nose, mouth, jaw line) whose size, shape and relative positions are distinctive for each person. The sort of technology that started on social media sites (suggesting whom to tag) and in cameras (to focus on faces) has been extended and improved to verify one particular face. When it sees the right face, it unlocks the workstation. The caveat is that a plain webcam image can be matched against a printed photo of the right face, so a deployment needs a liveness check or an infrared/depth camera before the match is trusted.
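What “verify one particular face” means in practice is a threshold decision, not an exact match: the live capture is turned into a template, its distance from the enrolled template is measured, and the system accepts if that distance is under a threshold tuned against the false-accept and false-reject rates the deployment can live with. The Python below is an added example (not the newsletter’s code and not any vendor’s matcher); the templates, calibration scores and the Euclidean distance are constructed, hypothetical stand-ins for a real recogniser’s feature vectors and scoring, and it assumes the live template came from a capture that already passed a liveness check.

```python
import math
from typing import Optional, Sequence

# Constructed matcher calibration scores (not real data): distance between a live
# capture and the enrolled template, 0.0 meaning identical. GENUINE pairs are the
# same person, IMPOSTOR pairs are different people. The ranges overlap on purpose:
# no threshold separates them perfectly, which is the trade-off being tuned.
GENUINE = [0.31, 0.28, 0.35, 0.40, 0.22, 0.45, 0.38, 0.60, 0.52, 0.27]
IMPOSTOR = [0.71, 0.66, 0.80, 0.58, 0.75, 0.69, 0.62, 0.84, 0.50, 0.73]

# Constructed templates: normalised landmark measurements (say eye spacing, nose
# width, mouth width, jaw width, face height). Hypothetical values.
ENROLLED = [0.62, 0.41, 0.55, 0.30, 0.48]
LIVE_SAME_PERSON = [0.50, 0.50, 0.45, 0.40, 0.40]
LIVE_OTHER_PERSON = [0.30, 0.70, 0.20, 0.65, 0.20]


def template_distance(a: Sequence[float], b: Sequence[float]) -> float:
    """Euclidean distance between two templates; 0.0 means identical."""
    if len(a) != len(b):
        raise ValueError("templates must have the same number of features")
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def false_accept_rate(threshold: float, impostor: Sequence[float]) -> float:
    """Fraction of different-person comparisons this threshold would wrongly accept."""
    return sum(d <= threshold for d in impostor) / len(impostor)


def false_reject_rate(threshold: float, genuine: Sequence[float]) -> float:
    """Fraction of same-person comparisons this threshold would wrongly reject."""
    return sum(d > threshold for d in genuine) / len(genuine)


def pick_threshold(genuine: Sequence[float], impostor: Sequence[float],
                   max_far: float) -> Optional[float]:
    """Laxest threshold whose false-accept rate stays within the policy limit.
    Lax is preferred because every notch tighter rejects more legitimate users."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        if false_accept_rate(t, impostor) <= max_far:
            best = t
    return best


def verify(enrolled: Sequence[float], live: Sequence[float], threshold: float) -> bool:
    """1:1 verification: accept only if the live template is close enough to the enrolled one."""
    return template_distance(enrolled, live) <= threshold


if __name__ == "__main__":
    for max_far in (0.0, 0.1):
        t = pick_threshold(GENUINE, IMPOSTOR, max_far)
        print(f"FAR limit {max_far:.1f}: threshold {t:.2f}, "
              f"FRR {false_reject_rate(t, GENUINE):.1f}")
    t = pick_threshold(GENUINE, IMPOSTOR, 0.0)
    print("same person accepted:", verify(ENROLLED, LIVE_SAME_PERSON, t))
    print("other person accepted:", verify(ENROLLED, LIVE_OTHER_PERSON, t))
```

Tightening the false-accept limit to zero on this calibration set costs a 20% false-reject rate; allowing one accept in ten halves that. That trade-off, plus the liveness check, is what separates a usable deployment from a demo that merely unlocks when it sees a face.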
The benefits of facial recognition for authentication
- Facial recognition can be implemented through a combination of software and hardware that most laptops already have (a webcam).
- It’s also a "low-friction" authentication method. It requires little in the way of action or time on the part of users before they're able to use the workstation.
- It’s so free of transactional friction that it's easy to use for authentication into network segments and applications.
- It's being built into a growing number of mobile devices, allowing facial recognition to be used as a single authentication component across all the devices in an organisation.
Alternatives
Facial recognition isn't the only biometric authentication factor that's available, of course. Voice recognition has been used successfully, and the cost of accurate voice recognition is coming down rapidly.
Retina scans are famous for their use in high-security facilities and in the movies. However, exceptionally accurate and secure retinal scans require expensive third-party equipment. If you're guarding a secret recipe that's the key to a multi-billion-dollar business, then it can be justified. If you're trying to keep casual thieves out of someone's email, then it may be difficult to justify with the cost of the technology in 2016.
The second factor in authentication can be more than a biometric, too. Single-use tokens, hardware tokens, and hardware keys are all possible, though each of these requires that the user keep track of a piece of hardware, something presumably not an issue when a fingerprint, face, or eyeball is the factor. The trade-off runs the other way as well: a lost or compromised token can be revoked and replaced, whereas a fingerprint that has been copied cannot be changed.