Over 25 years ago I started in the networked computer field worrying about authentication, usernames and passwords. And despite all the weeping and wailing about passwords in the intervening years, I still spend an inordinate amount of time thinking, writing and speaking about them.
Just last week, Oracle’s Mike Neuenschwander (formerly with The Burton Group) organized a lively tweet chat on authentication issues (search Twitter for #authchat to see what’s left of the thread) which showed surprising agreement about the future of passwords for authentication.
The week before, Google had announced what the press called a “war on passwords,” when they rolled out a beta project to use Yubikey hardware tokens in a Near Field Communication (NFC) system for authentication. My colleague Martin Kuppinger looked at this possibility just the other day, and liked it – with cautions.
The thing is, most analysts, IT execs, security professionals and others with a stake in authentication services agree that passwords should be removed from the process. They are inherently insecure; someone recently speculated that the "secure lifespan" of a new password (the time it would take to crack it) is, on average, down to less than a second. That figure depends on how the password was stored (plaintext, a fast unsalted hash, or a deliberately slow key-derivation function) and on the attacker's guess rate, but for the short, common passwords people actually pick it is not far off.
The hundreds of data breaches in just the past year exposed hundreds of thousands of passwords. While many bemoaned the simplicity of the passwords people choose ("password," "qwerty," "12345," "monkey") and demanded more complexity, others note that the more complex the password, the more likely the user is to write it on a sticky note attached to the monitor.
It was just over a year ago that I suggested going to a Privileged Management (PxM) system, called by some Privileged User Management (PUM) and by others Privileged Account Management (PAM), as a sort of SSO-on-steroids answer to the password problem.
The basic idea is that passwords are here to stay, and all we can hope to do is reduce our dependence on them or reduce their exposure. By configuring the PxM-SSO system to reset passwords after every use, to generate long random combinations of upper- and lower-case letters, digits and other marks, and to never reveal the chosen password to the user, we significantly increase the time needed to break the password. Per-use rotation also means that a password harvested from a log, a memory dump or a shoulder-surfer is already invalid by the time anyone tries to replay it. In other words, if we make breaking into the system more expensive than the value derived from the break-in, we reduce the cracker's incentive. As the old proverb goes, when a group is being chased by a bear you don't have to be the fastest runner, just faster than the slowest.
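As an added illustration (not the author's own code and not any vendor's product), here is a small Python model of the checkout/check-in cycle described above: the vault holds the real password, hands the user only a session token, rotates the password when the session ends, and a crack-time estimate shows why a 32-character random password drawn from a 94-character alphabet behaves differently from an 8-character lowercase one. The target-system reset callback, the account names and the guess rate are assumptions made for the demo.

```python
"""Minimal model of a privileged-account vault with per-use password rotation.

Added illustration only. The target-system reset is a hypothetical callback
(`set_password`); a real vault would drive the target over SSH, LDAP, a cloud
API or similar.
"""
import math
import secrets
import string

# The character classes the post describes: upper/lower case, digits, other marks.
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def generate_password(length: int = 32, alphabet: str = ALPHABET) -> str:
    """Password drawn uniformly from `alphabet` using the OS CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password of this length and alphabet."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected brute-force time: on average half the keyspace is searched."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


class PrivilegedVault:
    """Holds the real passwords; users receive session tokens, never passwords."""

    def __init__(self, set_password, length: int = 32):
        self._set_password = set_password  # hypothetical reset on the managed system
        self._length = length
        self._passwords = {}               # account -> current password
        self._sessions = {}                # token -> (account, user)

    def enroll(self, account: str) -> None:
        """Bring an account under management by rotating it immediately."""
        self._rotate(account)

    def _rotate(self, account: str) -> None:
        new = generate_password(self._length)
        self._set_password(account, new)   # push to the target before recording it
        self._passwords[account] = new

    def checkout(self, account: str, user: str) -> str:
        """Open a session; the caller gets an opaque token, not the password."""
        if account not in self._passwords:
            raise KeyError(f"unmanaged account: {account}")
        token = secrets.token_urlsafe(16)
        self._sessions[token] = (account, user)
        return token

    def credential_for(self, token: str):
        """For the session broker (e.g. an SSH/RDP proxy) only, never the user."""
        account, _user = self._sessions[token]
        return account, self._passwords[account]

    def checkin(self, token: str) -> None:
        """Close the session and rotate, so anything captured during it is dead."""
        account, _user = self._sessions.pop(token)
        self._rotate(account)

    def verify(self, account: str, candidate: str) -> bool:
        """Stand-in for the managed system checking a login attempt."""
        return secrets.compare_digest(self._passwords.get(account, ""), candidate)


def demo() -> dict:
    """One checkout/check-in cycle, plus what a captured password is worth afterwards."""
    target = {}  # constructed stand-in for the managed system's credential store
    vault = PrivilegedVault(set_password=lambda acct, pw: target.__setitem__(acct, pw))
    vault.enroll("root@db01")  # hypothetical account name

    token = vault.checkout("root@db01", user="alice")
    _, captured = vault.credential_for(token)  # suppose this leaked from a session recording
    vault.checkin(token)                       # rotation happens here

    rate = 1e12  # guesses/s: assumed offline rate against a fast unsalted hash
    bits_vault = entropy_bits(32, len(ALPHABET))
    bits_weak = entropy_bits(8, len(string.ascii_lowercase))
    return {
        "leaked_password_still_works": vault.verify("root@db01", captured),
        "seconds_to_crack_8_lowercase": expected_crack_seconds(bits_weak, rate),
        "years_to_crack_vault_password": expected_crack_seconds(bits_vault, rate) / (365.25 * 86400),
    }


if __name__ == "__main__":
    print(demo())
```

The vault's `credential_for` is the one place the password leaves storage, and it is meant for a proxy that injects the credential into the session; the user never types it, so there is nothing to write on a sticky note. Whether the managed system accepts a 32-character password, and whether the reset callback is itself strongly authenticated, are the deployment questions that decide if this model holds up.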
Of course, as many have pointed out, that “solution” doesn’t remove passwords at all. That’s very true, but also well beside the point. There is no solution that, in the foreseeable future, will remove all reliance on passwords, especially when we speak about the mobile market.
Ever since Apple acquired AuthenTec (maker of 2D fingerprint sensors), there has been talk that the next iPhone (either the 6 or the 5S) will include a fingerprint reader. I've been waiting for that development for four years, but as one wag commented, most smartphones have shiny surfaces which any thief should find to be thick with fingerprints that could be lifted and reused.
Whether or not that development leads to biometrics replacing the PIN for unlocking a smartphone is still an open question. Too many people seem to make a living out of denigrating biometrics for authentication. Lurid tales of people having their digits cut off to fool fingerprint readers are scary, if not very truthful.
Near Field Communication (NFC), used in devices such as the Yubico Yubikey that Google is evaluating, is essentially a refinement of RFID with a much shorter range (a few centimetres). In this case, shorter is supposedly better: RFID has been criticized for broadcasting data too far, letting the nefarious "eavesdrop" on communications and harvest all sorts of interesting "stuff". But NFC devices still have the same flaw that RFID devices have, and it could be the fatal one: it is the device that gets authenticated, no matter who is in possession of it. Whatever form factor the NFC device takes, the credit-card-sized bit of plastic that Martin favors or the wearable ring that Google is talking about, it can still fall into the hands of the cracker with no need for lopping off fingers.
Proponents of NFC devices say that multi-factor authentication is the key. Invariably, this leads us back to a password, a PIN, a passphrase or some other shared secret. Well, for many it does. I still prefer a biometric as the second factor. But those who feel a password can be used frequently call for a one-time password (OTP) delivered out-of-band (perhaps by SMS message). The recent Eurograbber attack should give us pause when considering that solution: it used malware on the victim's PC and phone together, so the SMS code was read by the attacker before the victim acted on it. An out-of-band channel only helps if the attacker is not already in that band.
Last week's #authchat tweet chat ended in general consensus on two things: 1) password authentication is bad; 2) passwords are going to be around for a long time, although perhaps in a diminished role.
Winston Churchill once said: “democracy is the worst form of Government except for all those other forms that have been tried from time to time.” Could we paraphrase that and say passwords are the worst form of authentication except for all those other methods that have been tried from time to time? And if we will continue to use passwords, in one way or another, which is the best way? Should we have one strong password we use for all authentications? Different strong passwords for each authentication? A combination where an SSO/PAM handles different strong passwords for each authentication while being accessed by one strong password at initialization?
Here’s the question I want to leave you with today: if you want to protect your eggs, do you hide them – individually – all over the farm or do you put them all in one basket and hide it under a hay rick?
In my days as a network manager I learned that there is always a bottleneck in the network where traffic slows; when you fix that one, another place becomes the bottleneck. It's the same with authentication: we can always identify the weak point, but when we fix it, doesn't something else become the weak point?