Passwords are dead or dying: According to Google security executive Heather Adkins, passwords are dead at Google, and she warned that any startup that relies on passwords is going to be dead in the water. Adkins did not offer any real specifics on how Google is going to secure tomorrow's logins, but she did hint that Google is experimenting with hardware-based tokens as well as something Motorola has created that authenticates users by having them touch a device to something embedded.
Google is not the only company in the news recently that is presenting alternatives to passwords. Apple has now released its latest iPhone with a built-in fingerprint scanner, intended to push the end users who refuse to put a passcode on their device into having at least some sort of security in place. That sounds all well and good, except that it took someone less than forty-eight hours to bypass this security feature and get access to the device.
There have been several articles arguing that this hack is irrelevant because it requires some kind of access to a fingerprint of the person the device belongs to, and in most cases of loss or theft that is a very tall order for whoever finds or steals a random individual's device. I am not quite sure I agree completely with that statement. When I pull my phone out and look at it in the light I can see my fingerprints all over it. It is my understanding that we leave our fingerprints all over the place, on everything we touch. I will concede that this will not be an easy thing for the average person to pull off, but my point is that if it took someone less than a couple of days to bypass this security, what can someone do when they have months to work on another angle? Maybe I am a little paranoid in my thinking, but lately any sense of security or privacy that I thought I had has pretty much been dismantled. I do give Apple credit for doing something to push some kind of security, but I really don't think they went far enough: single-factor authentication is just not secure, and multi-factor authentication needs to be the norm and not the exception. Anyone who believes that biometrics alone are going to keep them secure is completely fooling themselves.
Let's take this concept a step further and contemplate the idea that this kind of security really catches on with companies and we start to see more and more biometric authentication. Is this really going to be a good thing? Maybe, if it is implemented as one factor in multi-factor authentication rather than on its own. Multi-factor authentication is just the start of what needs to be done; it is a more secure solution than any single factor by itself, but it also has the potential to open up another problem. How many different hardware devices, or even apps on our smart devices, are we going to need for the different products and solutions that we use? We would need some kind of device for corporate access, one for Facebook, one for Google, and the list will just keep going and going.
I guess what really bothers me the most is that companies are marketing these authentication mechanisms as secure when in fact there is really no such thing as being totally secure, and once we have completely lost the sense of security that we had, what is left is our false sense of privacy, which is the next domino to fall. The temptation to make everyone's life easier by developing some kind of single sign-on (SSO) that handles the different forms of biometrics and other factors in a single solution leaves too much trust and information in a single company's hands. For instance, Facebook has become the central authentication platform for a lot of applications and is still growing. I think that instead of hearing about large amounts of credit card data being stolen, we could start hearing about large amounts of biometric and personal data being stolen or compromised.
Maybe I am a little paranoid about that, considering that Facebook, Google, and banks, just to name a few of the many, have been establishing one form of multi-factor authentication by registering your cell phone number and sending SMS messages directly to you. Sending the SMS to your phone ties what you know (your passphrase, gesture, phone movement, etc.) to what you have (your cell phone); add biometrics on the phone and you also have what you are. This, in my humble opinion, is where we need to move the line on accepted forms of authentication, and it is my hope that companies realize and accept this while pushing these changes out as quickly as possible. I can foresee several different methods or models coming into place as we transition away from the dying password.
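The two-step flow described above, as an added illustration that is not part of the original post: a server-side login that first checks something the user knows (a passphrase, stored as a salted PBKDF2 hash) and only then sends a one-time code to the phone on file (something the user has). The SMS gateway, the user names and the phone numbers are constructed stand-ins; the code is single-use, expires, and is limited to a handful of attempts, which is what actually protects a six-digit value.

```python
import hashlib
import hmac
import os
import secrets
import time

# Added example, not the post's code. Two-factor login: passphrase (what you
# know) followed by a one-time code delivered to a phone (what you have).

PBKDF2_ROUNDS = 200_000     # work factor for the stored passphrase hash
OTP_TTL_SECONDS = 120       # a code is only good for two minutes
OTP_MAX_ATTEMPTS = 3        # then the pending code is discarded


class SmsGateway:
    """Stand-in for a real SMS provider (constructed); it just records messages."""

    def __init__(self):
        self.sent = []  # list of (phone_number, message)

    def send(self, phone_number, message):
        self.sent.append((phone_number, message))


def hash_passphrase(passphrase, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class MfaAuthenticator:
    def __init__(self, sms, clock=time.time):
        self.sms = sms
        self.clock = clock      # injectable so expiry can be tested deterministically
        self.users = {}         # username -> {"salt", "hash", "phone"}
        self.pending = {}       # username -> {"otp_hash", "expires", "attempts"}

    def register(self, username, passphrase, phone_number):
        salt, digest = hash_passphrase(passphrase)
        self.users[username] = {"salt": salt, "hash": digest, "phone": phone_number}

    def begin_login(self, username, passphrase):
        """First factor. On success a code is sent to the registered phone.
        Returns True if a code was sent, False otherwise."""
        user = self.users.get(username)
        if user is None:
            # Do the same amount of work for unknown users so response time
            # does not reveal which usernames exist.
            hash_passphrase(passphrase, b"\x00" * 16)
            return False
        _, candidate = hash_passphrase(passphrase, user["salt"])
        if not hmac.compare_digest(candidate, user["hash"]):
            return False
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[username] = {
            # Hashing keeps the clear code out of server state; the real
            # defence for a 6-digit value is the TTL plus the attempt limit.
            "otp_hash": hashlib.sha256(code.encode()).digest(),
            "expires": self.clock() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        self.sms.send(user["phone"], f"Your login code is {code}")
        return True

    def complete_login(self, username, code):
        """Second factor. The code is single-use, expires, and has bounded attempts."""
        entry = self.pending.get(username)
        if entry is None:
            return False
        if self.clock() > entry["expires"]:
            del self.pending[username]
            return False
        entry["attempts"] += 1
        ok = hmac.compare_digest(hashlib.sha256(code.encode()).digest(), entry["otp_hash"])
        if ok or entry["attempts"] >= OTP_MAX_ATTEMPTS:
            # Consume the code on success; discard it when attempts run out.
            del self.pending[username]
        return ok


if __name__ == "__main__":
    gateway = SmsGateway()
    auth = MfaAuthenticator(gateway)
    auth.register("alice", "correct horse battery staple", "+15555550100")  # constructed
    print("first factor:", auth.begin_login("alice", "correct horse battery staple"))
    code = gateway.sent[-1][1].split()[-1]  # what the phone would display
    print("second factor:", auth.complete_login("alice", code))
    print("replayed code:", auth.complete_login("alice", code))
```

Note that nothing in this flow makes the phone itself trustworthy: the code proves only that whoever is logging in can read that phone's messages at that moment, which is why the third factor the post goes on to describe still matters.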
I also believe it is good to keep a level of skepticism toward newer technology that markets itself as secure when there is really no such thing. It will be these technologies, running on our devices, that help fuel that false sense of security, and in all likelihood these same devices will end up accessing corporate data in one way or another. We, the professionals in the industry, need to be prepared to support the different technologies and methods that are coming, not just today but tomorrow. Passwords are dead; it is just that not everyone has been told yet. Biometrics need to be used together with other factors of authentication.
I have seen on some security sites a trusted image, where you know you are on a known device because an image you selected is shown on your computer. Yahoo used to do that, and some banks.
Very interesting take, as I do not trust biometrics for security purposes; it's not hard to pick up fingerprint dust and some tape in a toy store or online.
They are pushing Universal 2nd Factor (U2F). It's a USB/NFC fob. If you lose it or it's stolen, you can get another cheap fob. Unlike biometrics, which are deader than passwords: we only have 8 fingers plus 2 thumbs, 1 faceprint, and 2 retinal patterns.
Passwords are staying, but perhaps the security problems that come with passwords will slowly go away as huge technological advancements like U2F come into play.
I think eventually there will still be three factors, and what you are (biometrics) will still play as one of those factors. The reason is that the device can be lost, and if one of those factors (what you have) is the device itself, then there is another problem. Passwords should be replaced with passphrases, gestures, facial expressions, movements, etc.: something that you know.
We need all three factors not just more of what you have or more of what you know.
Best regards,
Edward L. Haletky