Alternatives to Passwords: What’s on the Horizon?

Sue Marquette Poremba

It seems like once a week, we see yet another story about a security failure involving passwords. In May alone, for instance, the news came that an unpatched vulnerability in Oracle’s PeopleSoft could open a hole for thieves to steal passwords; Google revealed that those security questions that help you retrieve a lost password are anything but secure; and Starbucks blamed passwords for its own recent hack attack.

It’s no wonder, then, that passwords (and usernames) were a popular topic at the RSA Conference this year. One of those speaking about the problem of passwords, Phillip Dunkelberger, president and CEO at Nok Nok Labs, said a number of significant problems with passwords make them a poor single method of authentication.

“First, passwords are a symmetric secret – we enter a password on our PC or smartphone that is matched up on a server; this means that organizations are holding hundreds of millions of passwords in large databases. Despite using techniques such as salting and hashing of password databases, security professionals have found it practically impossible to secure this infrastructure, so passwords are very vulnerable to massive, scalable hacks,” he said.

“Second, there is a problem with usability. As sites introduce more complex password rules – special characters, length, and so on – we have lost our ability to remember them all. The result of this is that everyone uses the same password for multiple sites. This exacerbates the database problem – even if my server isn’t hacked, my site is still vulnerable if my users have used the same password elsewhere.”
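To make Dunkelberger’s two points concrete, here is an added example in Python (it is not from the article or from Nok Nok Labs). It stores the same accounts two ways, as a plain fast hash and as a per-user salt plus PBKDF2-HMAC-SHA256, then runs a small wordlist attack against each store and counts the work. The account list, the wordlist and the helper names are constructed for illustration.

```python
"""Why unsalted password hashes enable 'massive, scalable' attacks, and what a
per-user salt plus a slow KDF changes. Added example; the accounts, wordlist and
helper names are constructed for illustration."""
from __future__ import annotations

import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor; use a higher count in production

# Constructed sample data: three accounts and a tiny attacker wordlist.
USERS = {"alice": "password123", "bob": "password123", "carol": "Tr0ub4dor&3"}
WORDLIST = ["123456", "password", "password123", "letmein"]


def unsalted_hash(password: str) -> str:
    """The weak scheme: one fast hash, no salt. Equal passwords give equal hashes."""
    return hashlib.sha256(password.encode()).hexdigest()


def make_record(password: str, salt: bytes | None = None) -> dict:
    """Store a random per-user salt and a PBKDF2-HMAC-SHA256 derived key."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "hash": dk.hex()}


def verify(record: dict, password: str) -> bool:
    """Re-derive with the stored salt and iteration count; constant-time compare."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(dk.hex(), record["hash"])


def crack_unsalted(db: dict[str, str], wordlist: list[str]) -> tuple[dict, int]:
    """Hash the wordlist ONCE, then crack every user by table lookup.
    Returns (cracked users, number of hash evaluations)."""
    table = {unsalted_hash(w): w for w in wordlist}
    cracked = {user: table[h] for user, h in db.items() if h in table}
    return cracked, len(wordlist)


def crack_salted(db: dict[str, dict], wordlist: list[str]) -> tuple[dict, int]:
    """No shared table: each guess must be re-derived per user with that user's
    salt at the full work factor. Returns (cracked users, KDF evaluations)."""
    cracked, work = {}, 0
    for user, rec in db.items():
        for guess in wordlist:
            work += 1
            if verify(rec, guess):
                cracked[user] = guess
                break
    return cracked, work


def demo() -> dict:
    """Build both stores from USERS, attack each, and exercise normal login."""
    unsalted_db = {u: unsalted_hash(p) for u, p in USERS.items()}
    salted_db = {u: make_record(p) for u, p in USERS.items()}
    u_cracked, u_work = crack_unsalted(unsalted_db, WORDLIST)
    s_cracked, s_work = crack_salted(salted_db, WORDLIST)
    return {
        # alice and bob share a password: obvious in one store, hidden in the other
        "same_password_visible": unsalted_db["alice"] == unsalted_db["bob"],
        "same_password_hidden": salted_db["alice"]["hash"] != salted_db["bob"]["hash"],
        "unsalted": (u_cracked, u_work),   # 4 hashes crack every weak account
        "salted": (s_cracked, s_work),     # 10 slow derivations for the same result
        "login_ok": verify(salted_db["alice"], "password123"),
        "login_bad": verify(salted_db["alice"], "Password123"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With unsalted hashes the attacker hashes the wordlist once and cracks every matching account by lookup, and two users with the same password are visibly identical in the stolen table. With per-user salts every guess has to be re-derived for every user at the full work factor, which is what stops one breach from scaling across the whole database. The reuse problem is the other side of the same coin: a password recovered from another site’s weaker store can be tried directly against your login form without cracking anything.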

What About Two-Factor Authentication? Isn’t That the Answer?

The username/password combination, used on its own, isn’t working, and the way we log in to applications and websites has to change. The steady, although slow, movement toward two-factor authentication still relies on a password for one of the two factors.

Jeff Smith, CSO with Wombat Security, is a big proponent of two-factor authentication that involves a soft token, like a random one-time code sent by text message to a phone – and gives even more security props if the smartphone requires some type of biometric authentication to access the text message.

“One of the biggest hindrances to improving authentication methods is money and time,” Smith said. Hard tokens can be expensive and require a lot of IT support. Soft tokens cut down on the costs because almost everybody has a cell phone that can receive text messages. But the only way two-factor authentication will work, Smith added, is if it is mandatory. If you give users the option to stick with the same old password authentication or to add the second security layer, the vast majority will stick with what they know and what doesn’t require any extra effort. It’s just human nature.

Getting Users to Embrace Password Alternatives

Also, Dunkelberger added, users really don’t like strong authentication. “Whenever we introduce barriers to logging into devices, or making payments, then the user becomes frustrated.”

Moving users forward isn’t going to be easy, and that’s a huge stumbling block in the attempts to improve on the password/username setup we use now. Another issue is recognizing that there isn’t going to be a one-size-fits-all solution to authentication.

“The complication is finding the right balance between convenience for users and the right level of security for the information being protected,” said Travis Greene, identity and access management solutions strategist at NetIQ. “Imagine a health care professional struggling to access life-saving, but regulated information. Risk-based authentication techniques, which require the minimal level of authentication for the situation, hold promise. But if a user is in a work environment during business hours, authenticate once and provide single sign-on to all low-risk information.”
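The policy Greene describes can be written down as a small decision function. What follows is an added example in Python, not NetIQ’s product or code: the resource classification, the risk signals, the thresholds, the session lifetime and the level names are hypothetical choices made for illustration. It shows the two cases from the quote side by side: a clinician on a managed device at work during business hours gets single sign-on to low-risk information from one earlier login, but is stepped up to a second factor the moment regulated data is requested.

```python
"""Risk-based (step-up) authentication policy. Added example, not NetIQ's
product: the resource classification, risk signals, thresholds, session
lifetime and level names are hypothetical choices made for illustration."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Assurance levels, weakest to strongest. "session" means any fresh existing
# session is enough, which is the single-sign-on case.
LEVELS = ["session", "password", "second_factor"]
SESSION_MAX = timedelta(hours=8)

# Constructed classification of what is being accessed. Unknown resources are
# treated as "high" so that a forgotten entry fails closed, not open.
SENSITIVITY = {"cafeteria-menu": "low", "timesheets": "low", "patient-records": "high"}


@dataclass
class Context:
    user: str
    resource: str
    now: datetime
    on_corp_network: bool
    managed_device: bool
    last_auth: datetime | None = None     # when credentials were last presented
    last_auth_level: str | None = None    # "password" or "second_factor"


def risk_score(ctx: Context) -> int:
    """Add up contextual risk signals; 0 means 'at work, managed device,
    business hours'."""
    score = 0
    if not ctx.on_corp_network:
        score += 2
    if not ctx.managed_device:
        score += 2
    business_hours = ctx.now.weekday() < 5 and 9 <= ctx.now.hour < 18
    if not business_hours:
        score += 1
    return score


def required_level(ctx: Context) -> str:
    """Minimum assurance for this request. Regulated, high-sensitivity data
    always needs a second factor; low-risk data scales with the context."""
    if SENSITIVITY.get(ctx.resource, "high") == "high":
        return "second_factor"
    score = risk_score(ctx)
    if score >= 3:
        return "second_factor"
    if score >= 1:
        return "password"
    return "session"


def decide(ctx: Context) -> str:
    """Return 'allow' when the existing fresh session already meets the
    requirement, otherwise the credential the user must present now
    ('password', or 'second_factor' as a step-up)."""
    need = required_level(ctx)
    fresh = ctx.last_auth is not None and ctx.now - ctx.last_auth < SESSION_MAX
    held = ctx.last_auth_level if fresh else None
    if held in LEVELS and LEVELS.index(held) >= LEVELS.index(need):
        return "allow"
    return "password" if need == "session" else need


def worked_scenarios() -> dict[str, str]:
    """Run the policy over a few constructed situations (not real users)."""
    tue = datetime(2015, 6, 9, 10, 0)    # a Tuesday, 10:00
    sun = datetime(2015, 6, 14, 2, 0)    # a Sunday, 02:00
    at_work = dict(user="nurse", now=tue, on_corp_network=True, managed_device=True,
                   last_auth=tue - timedelta(hours=1), last_auth_level="password")
    return {
        "sso_low_risk": decide(Context(resource="timesheets", **at_work)),
        "step_up_regulated": decide(Context(resource="patient-records", **at_work)),
        "strong_session_ok": decide(Context(**{**at_work, "resource": "patient-records",
                                               "last_auth_level": "second_factor"})),
        "unknown_resource_fails_closed": decide(Context(resource="new-app", **at_work)),
        "stale_session": decide(Context(**{**at_work, "resource": "timesheets",
                                           "last_auth": tue - timedelta(hours=9)})),
        "offsite_night": decide(Context(user="nurse", resource="timesheets", now=sun,
                                        on_corp_network=False, managed_device=False)),
    }


if __name__ == "__main__":
    for name, outcome in worked_scenarios().items():
        print(f"{name}: {outcome}")
```

The ordering of the checks matters: sensitivity of the data is consulted before any convenience signal, so a quiet corporate network on a Tuesday morning never downgrades the requirement for patient records, and a resource nobody classified is treated as high rather than low. Session freshness is also evaluated on every request, which is what turns one login into single sign-on for the rest of the shift without letting a stale session carry over.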

So while it is obvious that the time has come to move beyond the password, what exactly is on the post-password horizon? While he doesn’t have a definitive answer, Dunkelberger believes we’ll see something like an authentication method that is easier to use but much more secure than what we’re used to (and honestly, if it doesn’t involve remembering 600 unique and ever-changing password combinations, it is automatically an easier system!).

Make Role-Based Access the Foundation

Morey Haber, VP of Technology with BeyondTrust, thinks the solution is found in the area of least privilege. “This means that all solutions, regardless of authentication mechanisms, have built in role-based access that can accommodate the proper roles for any user and the data they access,” he said.

Unfortunately, he added, too many solutions consider security and role-based access an afterthought and work in all-or-nothing modes. This means users inevitably have more access than they need. “Therefore, whatever authentication mechanism becomes dominant -- tools, solutions, devices, etc. -- they then have the capabilities to delegate access as appropriate to mitigate insider threats,” Haber stated. “This will ease the transition for users to surpass passwords and adjust to a new model since whatever access they are granted is tailored specifically for their business needs. The point is the password pain is alleviated when users get the proper access regardless of the technique used.”

But let’s be realistic. Despite all the talk about finding something else or creating alternative solutions for authentication, Greene has predicted the most likely future scenario.

“Passwords, or their little brother, PIN numbers, have a role to play indefinitely,” he said. “We have to get smarter about categorizing the information being accessed and protect it accordingly.”

Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba

Jun 11, 2015 1:11 AM Hitoshi Anatomi says:
Biometrics are password-dependent. So are multi-factor authentications and ID federations like password-managers and single-sign-on services. And, in a world with passwords killed dead, we have no safe sleep. At the root of the password headache is the cognitive phenomena called “interference of memory”, by which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password, but the textual password. The textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.

Jun 11, 2015 11:58 AM Will Lowe says:
When discussing the use of passwords and other forms of authentication, it's important to remember that credential reset is the Achilles heel of any authentication mechanism. For example, if you have a strong credential, like a biometric, but it can be reset via email, then its relative security is only as secure as the email account. In addition, a Microsoft study on credentials came to the conclusion that no other form of authentication was as easy to deploy as passwords. Deployability = cost. We know organizations are cost adverse when it comes to security. Until stronger forms of authentication become easier to deploy, and more usable across many applications without having to do one-off integrations, passwords will continue to play a significant role in the authentication equation.

Jun 15, 2015 3:24 PM Roland Hansson says:
MapLogin is a (patent pending) alternative to the normal textual password. The method works by identifying a location on a map image, much like recalling a hidden treasure.

Jun 17, 2015 3:48 PM Kendroid says:
..... authenticate over WiFi or by plugging in direct with the USB plug into the cell phone's charge port?
