The End of the Password

I seriously cannot wait for us to be done with the password! The idea of a human-remembered secret protecting our access hasn’t really been a safe or secure one since people started plugging phones into computers. Hopefully we’re starting to see some action on this front, with Michael Barrett (CISO of PayPal) starting an alliance to “obliterate user IDs and passwords and PINs from the face of the planet.”

The FIDO Alliance seems to be interested in taking a set of biometrics, USB storage, and TPM-embedded hardware and using it to provide secure authentication across the web. Certainly this is an idea whose time is nearly here, with easy-to-use services providing open two-factor authentication for applications, and the advent of identity federation services.

We also need it very badly: a large proportion of the high-profile security breaches reported in the press are both caused by and result in password disclosure. Disclosed passwords, even ones stored as one-way hashes, are getting easier to crack by brute force. It’s also easy to social-engineer your way into someone’s password-protected accounts and completely derail their life. The current best practices for password management systems were defined in 1985 and are still implemented poorly and incompletely; we can do better. Passwords also place a responsibility on engineering groups to store them securely, so that a compromised password on one system doesn’t lead to many compromised systems (algorithms like scrypt, bcrypt and PBKDF2 with high iteration counts can do the trick [1] [2]).
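As an added illustration of the storage practice mentioned above (this is not code from the original post), here is a minimal PBKDF2-based scheme in Python: a random per-user salt, the iteration count stored alongside the hash, a constant-time comparison on verify, and a check that flags records hashed below the current work factor. The record format, function names and iteration count are my own assumptions.

```python
import base64
import hashlib
import hmac
import os

# Work factor (assumed policy value): raise it as hardware gets faster. It is
# stored with each record so older, weaker records can be re-hashed at next login.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
DIGEST = "sha256"


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Produce a storable record: pbkdf2_<digest>$<iterations>$<salt>$<key>.

    The random per-user salt means the same password yields a different record
    on every system, so a table leaked from one site cannot be reused against
    another, and identical passwords within one table do not collide.
    """
    salt = os.urandom(SALT_BYTES)
    key = hashlib.pbkdf2_hmac(DIGEST, password.encode("utf-8"), salt, iterations)
    return "pbkdf2_{}${}${}${}".format(
        DIGEST,
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(key).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored parameters and compare in constant time."""
    try:
        algo, iterations_s, salt_b64, key_b64 = stored.split("$")
        digest = algo.split("_", 1)[1]
        iterations = int(iterations_s)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(key_b64)
    except (ValueError, IndexError):
        return False  # malformed record: never treat as a match
    candidate = hashlib.pbkdf2_hmac(
        digest, password.encode("utf-8"), salt, iterations, dklen=len(expected)
    )
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, min_iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True when a record was made with a weaker work factor than current policy."""
    try:
        return int(stored.split("$")[1]) < min_iterations
    except (IndexError, ValueError):
        return True
```

On a successful login, call needs_rehash and, if it returns True, store hash_password(password) again so the table migrates to the stronger work factor without forcing resets.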

But even with the best password authentication system we can design, we are still stuck with a link between the keyboard and the user’s memory as the essential component of assuring who is trying to gain access. Passwords should be complex, unique, and hard to lose. This is not a job for a person’s scattered memory. The combination of better identity tools, including biometrics and mobile devices, can bring us beyond the idea of ‘accounts’ with ‘usernames’ and ‘passwords’ and instead to a more serious idea of identity.
