Enterprises take aim at the unpopular, hard-to-kill authenticator
11 June, 2014
The American public may not agree upon much in 2014 but one thing that people can get behind is an unadulterated disdain for passwords. They are either too numerous, too hard to remember or too easily stolen. Passwords pretty much suck.
This has led to a lot of talk on the death of passwords. But let’s get one thing out of the way: the password is not likely to die off completely. They are the cockroaches of the authentication and identity world, annoying, dirty and ever present.
Passwords will remain a factor of authentication but the reliance on this outdated modality is likely to lessen as time goes on and as other systems emerge to better secure systems and devices. Also, instead of 10-character passwords – with upper and lowercase letter, digits and special characters – simpler passwords may well become the norm combined with other types of authentication.
But there’s work to do before enterprises make that move. Systems need to be created, standards need to be accepted and consumers need to be educated so that better identity and authentication services can succeed.
The problem with passwords
Twenty-years ago passwords were a fine authentication tool, says Kenneth Weiss, developer of the token-based authentication technology that became RSA’s SecurID and now founder and CEO at Universal Secure Registry. “You only used them to log on to one or two systems,” he adds.
Weiss himself admits to having a password-protected document where he keeps tracks of his various user names and passwords – a list numbering more than 30. “No one is able to memorize all these passwords, it’s absurd,” Weiss says.
While some may say cockroaches don’t serve a purpose, they do clean up messes. Similarly, passwords, while clunky, serve a function as well. “When you’re talking about organizations that don’t have much of an identity and access management infrastructure, user names and passwords might be fine because what they’re protecting might not be that valuable,” says John Zurawski, vice president of marketing at Authentify.
User names and passwords are also ubiquitous. “No matter what device I’m using I can call up a web page, enter a user name and password and gain access,” Zurawski adds.
As much as passwords are dismissed, they work so long as they’re remembered. “They will remain the mainstay in browser-based systems because they make a lot of sense and are quick and easy,” says Dimitri Sirota, senior vice president of Business Unit Strategy at CA Technologies.
The problem with passwords is that enterprises fail to protect them, says Jamie Cowper, senior director of worldwide marketing and business development at Nok Nok Labs. This isn’t just a problem with passwords either. Encryption seeds when left unprotected in databases can lead to corruption of two-factor authentication systems, as witnessed in the RSA hack of 2011. “The biggest issue lies with these password databases – a concentration of numerous assets at one point of risk – and the inability of anyone to properly secure it,” he adds.
All it takes is one database breach because consumers tend to recycle the same user names and passwords for multiple accounts. “Everyone is gaming the system and everyone is losing when it comes to identity and access management,” says Eve Maler, principal analyst serving Security & Risk Professionals at Forrester Consulting.
The vast majority of consumers have multiple accounts on multiple web sites and keeping track of all these credentials has them struggling, according to a Forrester Consulting report titled, “To Increase Security And User Trust, Embrace A Federated Consumer Identity Model.” When choosing passwords at the time of account setup, at least 54% of respondents told Forrester that they pick something they will remember while also meeting the site’s password policy requirements.
“Of course, the main goal of password policies is to force users to choose passwords that are not as easily guessable, or calculable from stolen hashed versions, by attackers,” the report states.
The unfortunate side effect is that it renders passwords unmemorable. To counter this memory challenge, some 61% of consumers now reuse their passwords. U.S. survey respondents reported an average of nearly 19 online accounts but fewer than 11 distinct passwords over those accounts.
It is like a do-it-yourself single sign-on, making it easier for a user to remember the login by sharing it across a series of frequently used sites. The fallacy is that it makes all the sites vulnerable, because a hacker can use the one shared secret to compromise the entire series of accounts.
There are also issues trying to recover forgotten passwords, Maler says. Security questions don’t provide adequate protection and more often consumers are providing fake answers to the questions. Later when they try to recover a password they can’t remember what answer they provided.
Federated identity is a possible fix to password woes, but these solutions have too often failed when it comes to privacy and security, Maler says. These schemes typically rely on usernames and passwords for access but frequently mandate that consumers give up sensitive information, email addresses, friend lists and other personal data. “There is room for federated identity when you inject privacy and security,” she adds. “Federation and strong authentication pairs well and users are signaling that they are ready.”