One of the first security meetings I had when I joined IBM and took over part of the responsibility for security audits for my division was on passwords. The whole point of the presentation, which was backed up by a massive amount of research, was that passwords suck. Well, that’s what I walked away with, but the conclusion at the time was that passwords not only weren’t secure the way they were being used, but there was no way to ever make them secure. I figured at the time that the firm, and since IBM pretty much owned the tech market back then, virtually all of tech would find a way to eliminate passwords within a few years. The reason for that belief was that, based on that report, any company, including IBM, that was still using passwords would fail a security audit.
Maybe internal auditing didn’t step up (I changed jobs myself a short time later), but here we are decades later and we still predominantly have passwords to identify us. Now that is just stupid. Well, this week, thanks to Lenovo, Intel and FIDO, passwords finally may be on their way to becoming well and truly dead. (And it’s about time.)
FIDO stands for Fast IDentity Online, and while it is hard for me to get around the idea of a technology alliance using a common dog name, it seems to be uniquely focused on solving this problem. The mission is focused on creating common interoperable alternatives to passwords and to changing the nature of identification to something that is more secure and easier to use.
If it is successful, the result for us would be a combination of never having to remember a password again and having our identities and assets become far more secure than they currently are.
Lenovo and Intel
What Lenovo and Intel will be delivering shortly are laptops that are inherently more secure than anything we have had before in the general market. Particularly useful for government, security, law enforcement, pharma, finance, and health care, where security is often paramount, these laptops embody fingerprint biometrics and built-in second factor authentication that typically would require a USB dongle.
The UAF fingerprint authentication method authenticates the user to the hardware but no information other than that the user is valid is passed on to the service or application that the user is logging into. U2F could be used with a password or PIN to provide a second factor where the laptop itself replaced the dongle that would typically be used for higher security implementations.
Particularly interesting is that you may not need to buy new hardware to get these benefits. Intel Online Connect is downloaded and installed on current 7th or 8th generation Lenovo Intel laptops, and the Yoga 920, IdeaPad 720S, ThinkPad X1 Carbon 2nd generation, Xi Carbon 5th Generation, ThinkPad Yoga 370, ThinkPad P51s, ThinkPad T470s, ThinkPad X270 and X270s will all get this new capability.
It should come preinstalled shortly and if I were specifying configurations, I’d certainly consider making this capability a requirement regardless of vendor.
Wrapping Up: Password Progress
Finally, progress! That’s really where I am. That meeting I had back in the 1980s really stuck with me and to say I’m surprised it took so long to get this done, particularly in the current extremely hostile environment, is surprising. But we are finally making decent progress and, I expect, shortly Lenovo won’t be alone in offering this kind of advanced desktop security protection. Someone does have to be first and Lenovo, with Intel, stepped up.
I’m only left wondering what my old peers in internal audit doing security have been doing all these decades because they should have been flagging the use of passwords every year and in every report as an unacceptable security risk.
Rob Enderle is President and Principal Analyst of the Enderle Group, a forward-looking emerging technology advisory firm. With over 30 years’ experience in emerging technologies, he has provided regional and global companies with guidance in how to better target customer needs; create new business opportunities; anticipate technology changes; select vendors and products; and present their products in the best possible light. Rob covers the technology industry broadly. Before founding the Enderle Group, Rob was the Senior Research Fellow for Forrester Research and the Giga Information Group, and held senior positions at IBM and ROLM. Follow Rob on Twitter @enderle, on Facebook and on Google+