Passwords: A long goodbye

The campaign to eliminate passwords has been ongoing, and growing, for close to a decade. There are even some declarations that this might be the year, or at least ought to be the year, that it happens.

Don’t hold your breath. Brett McDowell, executive director of the FIDO (Fast IDentity Online) Alliance, is as passionate an advocate of eliminating passwords as anyone. He says that day is coming, given the creation of a, “new generation of authentication technology” largely based on biometrics, and a “massive collaboration among hundreds of companies” to define standards for that technology.

The goal of FIDO, a nonprofit created in 2012, is to supplant passwords with what it calls, “an open, scalable, interoperable set of mechanisms,” for secure authentication.

But McDowell said last fall, and said again this past week that passwords will, "have a long tail," that is unlikely to disappear anytime soon – certainly not this year.

There are a number of reasons for that, even though the security problems with passwords are well known and well documented. As Phil Dunkelberger, CEO of Nok Nok Labs, put it, “the username and password paradigm is fundamentally broken. It was never designed for, and is inherently incapable of addressing, the use cases of modern society. “

Brett McDowell, executive director, FIDO Alliance

And of course it is not just technology that has made it easier for attackers to compromise them. Users frequently make it ridiculously easy as well. They use short, simple passwords that wouldn’t even take a machine to guess – like “admin,” “password,” “12345,” etc. They continue to use the same user name and password for multiple sites, since they know they won’t be able to remember a couple dozen of them.

The latest Verizon Data Breach Incident Report (DBIR) found that 63 percent of all data breaches involved the use of stolen, weak or default passwords.

And even if users do have somewhat rigorous passwords, far too many can still be tricked into giving them away through social engineering attacks.

Yet, passwords are such an embedded part of authentication systems – most popular websites still use them – that, as McDowell said, it will take considerable time for them to disappear.

Or as Scott Simkin, senior group manager, threat intelligence cloud & security subscriptions at Palo Alto Networks, put it, “We have decades of legacy systems and behavior to change, and it will take years for the industry to catch up.”

Joe Fantuzzi, CEO, RiskVision

Beyond that, there are at least some in the security community who say we should be careful what we wish for. They note that cyber criminals have always found a way around every advance in security. So while biometric credentials – fingerprints, iris scans, voice recognition etc. – are much tougher to compromise than passwords, they may not be a magic bullet. And if attackers can find ways to steal or spoof them, those will obviously be much more difficult to change or update than a password.

Indeed, there have already been multiple reports of biometric spoofing. FireEye reported more than a year ago that fingerprint data could be stolen from Android devices made by Samsung, Huawei, and HTC because, “the fingerprint sensor on some devices is only guarded by the ‘system’ privilege instead of root, making it easier to target and quietly collect the fingerprint data of anyone who uses the sensor.”

The Japan Times reported earlier this month that a team at Japan’s National Institute of Informatics (NII) found that a good digital image of people simply flashing the peace sign could result in their fingerprint data being stolen.

Researchers have reported that a high-resolution image of a person’s eyes can allow an attacker to make a "contact lens" of the iris that would pass as the real thing for authentication.

And there have already been demonstrations that a manipulated recording of a person's voice can trick authentication systems.

Advocates of biometric authenticators don’t deny any of this, but say one key to their successful use is for the data from them to stay on user devices only, as is the case with Apple’s Touch ID. As McDowell notes, one of the many problems with passwords is that they are “shared secrets” – they exist not only on users’ devices, but also have to be given to a website’s server, which then matches them with what is stored in its database. When such a server gets compromised, millions of passwords get stolen at the same time, through no fault of the user.

Zohar Alon, Co-Founder and CEO of Dome9

According to McDowell, the risk of biometric spoofing is “infinitesimal” compared to that of passwords.

Since the biometric credential data never leaves the device, “the attacker must steal the phone or computer even to attempt an attack,” he said. “This doesn’t scale, and is therefore not viable for financially-motivated attackers.”

James Stickland, CEO of Veridium, agreed. “You can purchase a kit from China for $10 to copy and extract a fingerprint. This has been shown to work on fingerprint sensors from Touch ID to the device used for the Indian government, and is a problem for almost all but the most expensive sensors,” he said.

“But this is a problem only when an attacker has access to the user’s device, so the time window for attack is pretty low.”

Of course, not all biometrics remain only on the user device. Some, such as the fingerprints of millions of people who work, or have worked, for government or that are taken by law enforcement, will be stored on servers.

Joe Fantuzzi, CEO of RiskVision, said this might lead to the same risks that plague the healthcare industry, because of its storage of patient data. “Incorporating customer biometric information will essentially make all companies lucrative targets for attacks and ransomware,” he said.

But those advocating the “death” of passwords say the other key to secure authentication is what security professionals have been preaching for years: multi-factor authentication.

In other words, they are not trying to mandate that biometrics be the sole replacement for passwords. Dunkelberger, who said the FIDO Alliance is using the authentication technology his firm created, said the core idea, “isn’t to replace passwords with biometrics, but rather to replace passwords with a strong, secure signal of any kind.”

McDowell agreed. He said many FIDO implementations do use biometrics for authentication, but that the specifications are “technology agnostic.”

It is implementers, he said, who decide what mechanisms it will support. It could be, “a local PIN code for user verification vs. biometrics if you prefer.”

He said FIDO specifications, “allow the use of authenticators built into a device, such as biometrics or a PIN, and/or external, second-factor authenticators, such as a token or a wearable.”

The message from Stickland is similar. “The only current defense is multifactor authentication, using two or more biometrics – for example, fingerprint and face, or voice. At the very least fingerprint plus a long, randomized PIN would be good.”

He said his firm created an authentication tool that, “uses a combination of hardware, secure certificates, biometrics, and other information to validate not only the biometric, but every communication between a remote device and a server, basically verifying that not only is the user valid, but the hardware the user is using is also valid.”

Simkin also said multifactor authentication, “of which there are many options available today,” should be used, “for all critical resources and applications. The more time and resources you require attackers to expend, the lower the chances of a successful breach.”

Stephen Stuut, CEO of Jumio, said organizations will still have to balance security with convenience, since “friction” in the process of signing on to a site may cause users simply to give up on it.

“Companies should focus less on one single technology but rather on the correct combination that meets their business requirements and customer needs,” he said. “Adding too many steps to the process may increase session abandonment, especially on mobile, where attention spans are short.”

All of which sounds like, passwords could for some time remain as a part of multi-factor authentication: Something you know, something you have and something you are.

Zohar Alon, Co-Founder and CEO of Dome9, said he doesn’t think they will ever disappear. “They remain one of the simplest means of proving identity and gaining access,” he said. “We can design better security with multiple factors of authentication and authorization that are not correlated with each other, that cannot be compromised all at once.”

But Stickland said he believes they will eventually become obsolete. “Passwords are painful. We forget them, they are stolen, it’s time consuming to reset them. At some point, new technology will win.”