Yesterday, I wrote that, in my opinion, we have reached the saturation point in what we can remember when it comes to passwords. In response, I got an email telling me about mSeven Software's survey on password management habits, which indicated that I was pretty spot on in my assessment. The survey revealed that 70 percent of users rely on their brain power to retain all the passwords they must use, while 75 percent indicate they access at least 10 secured websites.
Count me in that 75 percent who access at least 10 websites that require a password (it’s a lot more than 10, I can assure you). If the average person is like me, for the sites I access every day or at least on a regular basis, the passwords fly off my fingers without much thought. But sites that I visit once a month or less? I can totally understand why people turn to a simple password or repeat passwords over a number of sites — I used to do it myself. It is just a lot easier for an overtaxed brain.
In fact, just thinking about all of these passwords is giving me a headache. It’s why I think that Dropbox is on the right path with two-factor authentication. As Peter Tapling, founder and president of Authentify, told me, the problem with a password-based system is that a password is a single authentication factor. It is something that can be guessed or electronically cracked. You can make passwords stronger, but most exploits today are a result of intercepting the password.
Out-of-band authentication using a two-factor system might be the best bet right now for network security. Out-of-band authentication refers to authenticating a user (or a communication) via a communication channel separate from the one being used for the primary contact, Tapling said, and it is a system that has its origins back in ancient times. He explained:
A simple example: in the age of the Roman Empire, military messages were encoded and sent by courier. The code with which to decipher the message was sent by separate courier over a separate route. If the courier with the message was captured, the message was of no value because the courier didn’t have the ability to decipher it. If the courier with the code was captured, they didn’t have the message. You needed BOTH couriers to arrive by separate routes for the message to be used.
My bank has a variation of this when it is assigning you a login and initial password for its online banking system, with the login user ID coming in one mailing and the password arriving in a separate mail several days later. It’s not necessarily convenient but it is more secure. Now, obviously, this system isn’t going to work for a site that you need to access on a regular basis. You can’t stop work until the courier shows up with the second authentication code.
Authentify relies on telephone messages that are synchronized to an online user’s session. Tapling told me:
The user must provide information to both the phone AND online session. The receipt of the appropriate information is validated at secure servers in the background. The use of the telephone as the out-of-band channel is effective because unlike Internet browser sessions, it is difficult to automate the attacks against a user’s telephone.
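To make the mechanics of that exchange concrete, here is an added illustration (it is not Authentify's code and does not describe its servers): a server issues a one-time code for a pending web session, delivers it over a second channel that is simulated here by a callback standing in for the telephone, and only accepts the login once the code typed into the online session matches the one phoned out. The session identifiers, phone numbers and the deterministic code sequence are constructed for the demo; a real deployment would keep the random code generator and put the pending challenges in shared server-side storage.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 120   # how long a phoned code stays valid
MAX_ATTEMPTS = 3         # wrong guesses before the challenge is discarded


def random_code():
    """Six-digit one-time code drawn from a CSPRNG (production default)."""
    return f"{secrets.randbelow(10**6):06d}"


@dataclass
class Challenge:
    session_id: str
    code: str
    issued_at: float
    attempts: int = 0


class OutOfBandVerifier:
    """Server side of a phone-channel check bound to one web session.

    send_to_phone(number, code) stands in for the telephone channel. The code
    never travels over the web session, so someone holding only the browser
    session (or only the password) cannot finish the login on their own.
    """

    def __init__(self, send_to_phone, clock=time.time, code_factory=random_code):
        self._send = send_to_phone
        self._clock = clock
        self._new_code = code_factory
        self._pending = {}          # session_id -> Challenge

    def start(self, session_id, phone_number):
        code = self._new_code()
        self._pending[session_id] = Challenge(session_id, code, self._clock())
        self._send(phone_number, code)        # out-of-band delivery

    def verify(self, session_id, submitted):
        ch = self._pending.get(session_id)
        if ch is None:
            return False                      # unknown, consumed, expired or locked session
        if self._clock() - ch.issued_at > CODE_TTL_SECONDS:
            del self._pending[session_id]     # stale code: caller must start over
            return False
        ch.attempts += 1
        if ch.attempts > MAX_ATTEMPTS:
            del self._pending[session_id]     # too many guesses: force a fresh challenge
            return False
        if hmac.compare_digest(ch.code.encode(), str(submitted).encode()):
            del self._pending[session_id]     # single use: success consumes the challenge
            return True
        return False


def run_scenarios():
    """Exercise the happy path and each failure mode; returns the outcomes."""
    handset = {}                             # constructed stand-in for the user's phone(s)
    now = [1_700_000_000.0]                  # controllable clock for the expiry check
    counter = [0]

    def next_code():                         # deterministic codes so the demo is repeatable
        counter[0] += 1
        return f"{counter[0]:06d}"

    v = OutOfBandVerifier(send_to_phone=lambda number, code: handset.__setitem__(number, code),
                          clock=lambda: now[0], code_factory=next_code)
    out = {}

    v.start("sess-A", "+1-555-0100")
    out["correct_code"] = v.verify("sess-A", handset["+1-555-0100"])   # True
    out["replay"] = v.verify("sess-A", handset["+1-555-0100"])         # False: already consumed

    v.start("sess-B", "+1-555-0100")
    v.start("sess-C", "+1-555-0199")
    out["cross_session"] = v.verify("sess-C", handset["+1-555-0100"])  # False: code bound to sess-B

    for _ in range(MAX_ATTEMPTS):
        v.verify("sess-B", "not-a-code")
    out["locked_out"] = v.verify("sess-B", handset["+1-555-0100"])     # False even with the real code

    v.start("sess-D", "+1-555-0100")
    now[0] += CODE_TTL_SECONDS + 1
    out["expired"] = v.verify("sess-D", handset["+1-555-0100"])        # False: past the TTL
    return out


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name:14s} -> {'accepted' if accepted else 'rejected'}")
```

The four rejections are the properties that make the second channel worth having: a code is tied to the session that requested it, it can be spent only once, it stops working after a short window, and a handful of wrong guesses discards it rather than letting someone keep trying against a six-digit space.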
There are other options for out-of-band, two-factor authentication, of course, including the option that I think is going to be commonplace within the decade: biometrics.
Is all of this overkill in order to access every site you visit? Probably. But for truly secure sites online or to access secure documents within the network, something more is definitely needed. The password as we know it today is too vulnerable.