It seems like once a week, we see yet another story about a security failure involving passwords. In May alone, for instance, the news came that an unpatched vulnerability in Oracle’s PeopleSoft could open a hole for thieves to steal passwords; Google revealed that those security questions that help you retrieve a lost password are anything but secure; and Starbucks blamed passwords for its own recent hack attack.
It’s no wonder, then, that passwords (and usernames) were a popular topic at the RSA Conference this year. One of those speaking about the problem of passwords, Phillip Dunkelberger, president and CEO at Nok Nok Labs, said a number of significant problems with passwords make them a poor single method of authentication.
“First, passwords are a symmetric secret – we enter a password on our PC or smartphone that is matched up on a server, this means that organizations are holding hundreds of millions of passwords in large databases. Despite using techniques such as salting and hashing of password databases, security professionals have found it practically impossible to secure this infrastructure, so passwords are very vulnerable to massive, scalable hacks,” he said.
“Second, there is a problem with usability. As sites introduce more complex password rules – special characters, length, and so on, we have lost our ability to remember them all. The result of this is that everyone uses the same password for multiple sites. This exacerbates the database problem – even if my server isn’t hacked, my site is still vulnerable if my users have used the same password elsewhere.”
What About Two-Factor Authentication? Isn’t That the Answer?
Obviously, in today’s ever-evolving security climate, the password/username combination for authentication isn’t working. It’s clear that we need a change in the way we log into applications and websites. A steady, although slow, movement toward a two-factor authentication system still relies on passwords for part of the process.
Jeff Smith, CSO with Wombat Security, is a big proponent of two-factor authentication that involves a soft token, like a random number sent via a text message sent to a phone – and gives even more security props if the smartphone requires some type of biometric authentication to access the text message.
“One of the biggest hindrances to improving authentication methods is money and time,” Smith said. Hard tokens can be expensive and require a lot of IT support. Soft tokens cut down on the costs because almost everybody has a cell phone that can receive text messages. But the only way two-factor authentication will work, Smith added, is if it is mandatory. If you give users the option to stick with the same old password authentication or to add the second security layer, the vast majority will stick with what they know and what doesn’t require any extra effort. It’s just human nature.
Getting Users to Embrace Password Alternatives
Also, Dunkelberger added, users really don’t like strong authentication. “Whenever we introduce barriers to logging into devices, or making payments, then the user becomes frustrated.”
Moving users forward isn’t going to be easy, and that’s a huge stumbling block in the attempts to improve on the password/username setup we use now. Another issue is recognizing that there isn’t going to be a one-size-fits-all solution to authentication.
“The complication is finding the right balance between convenience for users and the right level of security for the information being protected,” said Travis Greene, identity and access management solutions strategist at NetIQ. “Imagine a health care professional struggling to access life-saving, but regulated information. Risk-based authentication techniques, which require the minimal level of authentication for the situation, hold promise. But if a user is in a work environment during business hours, authenticate once and provide single-sign on to all low-risk information.”
So while it is obvious that the time has come to move beyond the password, what exactly is on the post-password horizon? While he doesn’t have a definitive answer, Dunkelberger believes we’ll see something like an authentication method that is easier to use but much more secure than what we’re used to (and honestly, if it doesn’t involve remembering 600 unique and ever-changing password combinations, it is automatically an easier system!).
Make Role-Based Access the Foundation
Morey Haber, VP of Technology with BeyondTrust, thinks the solution is found in the area of least privilege. “This means that all solutions, regardless of authentication mechanisms, have built in role-based access that can accommodate the proper roles for any user and the data they access,” he said.
Unfortunately, he added, too many solutions consider security and role-based access an afterthought and work in all-or-nothing modes. This means users inevitably have more access than they need. “Therefore, whatever authentication mechanism becomes dominate -- tools, solutions, devices, etc. -- they then have the capabilities to delegate access as appropriate to mitigate insider threats,” Haber stated. “This will ease the transition for users to surpass passwords and adjust to a new model since whatever access they are granted is tailored specifically for their business needs. The point is the password pain is alleviated when users get the proper access regardless of the technique used.”
But let’s be realistic. Despite all the talk about finding something else or creating alternative solutions for authentication, Greene has predicted the most likely future scenario.
“Passwords, or their little brother, PIN numbers, have a role to play indefinitely,” he said. “We have to get smarter about categorizing the information being accessed and protect it accordingly.”
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba