IAM Thought Leaders: Time to Replace the Password

The Identity and Access Management literati (or identerati, as Andre Boysen suggests) seem obsessed with passwords, specifically in replacing them with something better. Three recent articles highlight this focus within the IAM universe by turning a spotlight on how passwords fall short as a means of authentication, as well as some possible replacements.

Lisa Eadicicco at Business Insider starts off by relaying some of the wisdom of Johnathan Klein, President of Usher, “a company that focuses on mobile identity solutions for enterprise platforms.” Klein says that:

I think the password is going the way of the dinosaur. I think there’s no question that it’s a flawed and broken system.

Why, you ask? Klein explains:

One of two things happen. They either forget [their passwords] and they get locked out of their systems…or much more dangerously they do the old famous yellow sticky note. And you’d be surprised if you walk around a corporation or organization that’s supposed to have high security, the number of people that have just written down their username and password on a little sticky note.

These outcomes decrease productivity and/or compromise your company’s security. Eadicicco builds on Klein’s point by adding that there are vulnerabilities when transmitting username and password data between different servers:

The other issue has to do with the nature of the username and password system. Sending critical information, such as your password, to another server makes it susceptible to hackers. In most cases, this type of data is encrypted when it travels between servers to prevent interceptors from reading it. However, if someone learns how to take advantage of a serious vulnerability such as Heartbleed, they could potentially decrypt that information.

The results of this vulnerability? The potential ruination of your online reputation and the almost complete “erasure” of your online identity could be one outcome, as Wired reporter Matt Honan experienced about 2 years ago. Another, of course, could be the inability to even pay your rent after a hacker uses your username and password to run up the bill on your PlayStation account, as one Reddit user documented this year. Both stories were relayed by Eadicicco as downsides to password-based authentication systems.

And lest you think your password-secured business is safe from security breaches, InfoSecurity Magazine says you’ve got another thing coming. According to the mag, a study from Swivel Secure, “a pioneering network security solutions provider” according to its website, of 2,500 US employees found that business owners and managers:

are taking insufficient steps to secure access to their workplace systems, setting a bad example to staff and dangerously exposing their company data as a result.

Top of the list? Password misuse:

According to the research, nearly three-quarters (74.2%) of business owners keep a written log or have another offline system for recording their passwords. And worse, the study has also revealed that 63% of business owners continually re-use the same passwords to log in to different systems, yet 61% remain ‘unconcerned’ with the security of their corporate systems.

As a result of the poor habits of management, those same poor habits are “trickling down” to employees, with a whopping 73% of full-time US workers admitting “to re-using the same batch of passwords online, with a third (33%) using less than five different passwords to access between 25 and 50 personal and business sites.” The result of this carelessness according to Fraser Thomas, VP of International at Swivel Secure, is that “a significant proportion of last year’s $46 billion global spend on cyber security will have been wasted as a direct consequence of password reuse.”

Yikes. Given the potential for wasted money, you would think business owners and managers would be more concerned with the state of security at their business, right?

So what are some potential solutions to the password security problem?

Andre Boysen at Information Week’s DarkReading.com has one potential answer: payment networks. Boysen specifies what this means by saying that the security system needs to be built around a “payment-card-like” token or device, such as a smartphone. To illustrate the ease of use of such a system, Boysen asks you to “imagine if you needed a different credit card for each merchant you visited,” comparing that to the need for a different password for each site you want to log into. The result is that “the payments card industry realized this and created an ecosystem built on interoperability and standards” with 5 key stakeholders involved in maintaining the system: Financial Institutions, Card Issuers, Credit and Debit Cards (payment cards), merchants and consumers.

Boysen then sets forward a slightly different group of stakeholders for a new, password-less security architecture: the same financial institutions, merchants and consumers would be involved, but mobile devices would take the place of debit and credit cards in this arrangement. Your smartphone would become your security token, in other words, with merchants, consumers and financial institutions all playing a role in ensuring the system works well.

My reaction, and those of many commenters on Boysen’s article, is that this does not sound like a foolproof system. Mobile devices get stolen all the time, so relying on just that one system is probably a setup for failure.

Another potential solution comes in the form of biometric scanners, such as fingerprint readers. It turns out, however, that fingerprints aren’t actually all that secure, according to Nicholas Percoco, vice president of strategic services at IT security firm Rapid7, as relayed by Eadicicco:

The main reason is, it’s not necessarily a secret whereas a password could be. If you think about your fingerprint, every single thing you’ve touched since you woke up this morning has your password on it. So that’s a problem.

The same goes for that fingerprint protected smartphone:

“If a thief steals your fingerprint-protected iPhone 5s, he or she could lift the fingerprints off your phone’s screen. The other thing is, you can’t change your fingerprints,” Percoco said. “So you really only have 10 shots.”

So if both your smart device and your biometrics on their own are out, what hope do we have left of protecting our info and money?

Eadicicco and many others say multi-factor authentication. A variety of multi-factor authentication systems can be imagined, including ones that do not expose sensitive data while it is in transit. Take Eadicicco’s example of:

the system used at Usher’s parent company MicroStrategy, which involves using your smartphone to scan a QR code on your computer screen to log in rather than typing in a username and password.
An encrypted mobile ID would be stored on your phone, which tells the computer that you’re authorized to log in. This type of technology could be even more secure if you’re using a phone with biometric authentication such as the iPhone 5s or Galaxy S5.

Johnathan Klein, President of Usher, is absolutely a fan:

“There’s nothing to intercept, there’s nothing to steal, there’s nothing to remember, and it’s perfectly secure,” he said. “We think that this is the future—the combination of biometrics and encryption on a smartphone.”
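To make the QR-code scheme concrete, here is an added example (not code from Usher, MicroStrategy or the quoted articles) of the kind of challenge-response login it describes: the browser shows a one-time nonce as a QR code, the phone answers with a MAC computed from a key that never leaves the device, and the server binds the browser session to the enrolled user. It assumes each enrolled phone shares a per-device secret with the server; a real deployment would enroll a public key and sign with the private key instead. The replay and expiry checks show why an intercepted QR code or response is of no use on its own.

```python
import base64
import hashlib
import hmac
import json
import os
import time

# Constructed example of a QR-scan login. ASSUMPTION: each enrolled
# phone shares a per-device secret with the server (real systems would
# use a device-held private key and a server-held public key).

CHALLENGE_TTL = 60  # seconds a displayed QR code stays valid


class Server:
    def __init__(self):
        self.devices = {}   # device_id -> (user, per-device secret)
        self.pending = {}   # nonce -> (browser_session, issued_at)
        self.sessions = {}  # browser_session -> authenticated user

    def enroll(self, user, device_id):
        secret = os.urandom(32)
        self.devices[device_id] = (user, secret)
        return secret

    def issue_qr(self, browser_session, now=None):
        # What the browser renders as a QR code: a random one-time nonce.
        now = time.time() if now is None else now
        nonce = base64.urlsafe_b64encode(os.urandom(16)).decode()
        self.pending[nonce] = (browser_session, now)
        return json.dumps({"nonce": nonce})

    def verify(self, response, now=None):
        now = time.time() if now is None else now
        nonce, device_id, tag = response["nonce"], response["device"], response["tag"]
        entry = self.pending.pop(nonce, None)  # single use: a replay finds nothing
        if entry is None or device_id not in self.devices:
            return False
        browser_session, issued_at = entry
        if now - issued_at > CHALLENGE_TTL:    # stale QR code, reject
            return False
        user, secret = self.devices[device_id]
        expected = hmac.new(secret, f"{nonce}|{device_id}".encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False
        self.sessions[browser_session] = user  # browser is now logged in as user
        return True


def phone_scan(qr_payload, device_id, secret):
    # The phone reads the nonce from the QR code and answers with a MAC;
    # only the nonce, device id and MAC cross the network, never the secret.
    nonce = json.loads(qr_payload)["nonce"]
    tag = hmac.new(secret, f"{nonce}|{device_id}".encode(), hashlib.sha256).hexdigest()
    return {"nonce": nonce, "device": device_id, "tag": tag}
```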

These technologies are still “very young,” however, which is why we haven’t seen widespread adoption yet, but we should expect big changes in the next three to five years as the technology matures, according to Liam O’Murchu, a Senior Manager at Symantec. Nevertheless, guess what Klein still thinks we’ll have by then:

Realistically usernames and passwords will be here for a while.

Working those usernames and passwords into a multi-factor authentication scheme is probably going to be your best bet for a while to come then.

For Lisa Eadicicco’s piece at Business Insider, click here.

For InfoSecurity Magazine’s piece on password misuse, click here.

For Andre Boysen’s piece at Dark Reading, click here.
