Password hell is bad, but the popular fix could be worse
By Andre Boysen, Chief Identity Officer, SecureKey
Today we are in password hell. Mainstream media have regular stories about user issues, and massive data breaches are regularly happening to online services – even to large, respected brands that are well-funded and well-managed.
The evidence is clear that both users and online services are struggling with passwords. Users are faced with an awful tradeoff between the risky choices of being non-compliant by making some of their passwords the same, or be compliant and face password recall issues when trying to access services.
Web services similarly struggle by admonishing users to make passwords longer and more complex – a measure that has done nothing to quell the data breaches. Crooks only need to correctly guess one password in a hashed database of passwords to reverse engineer the contents of the entire database. A good starting guess for crooks to reverse engineer the contents is to try ”password123” or “letmein” if recent studies of popular passwords are accurate.
Two-factor authentication is often used to strengthen password security. Two-factor is typically implemented in a device like an RSA token, an app on a smart phone, or even an SMS message. Two-factor can reduce the attack surface for crooks but with the current course and speed of these implementations we are going to move from password hell to two-factor hell – and it will be much worse!
Users interact with way too many sites to configure two-factor consistently, and worse yet, not all web services will implement two-factor the same way. It will likely be an SMS here, an app over there, here an RSA token, there a Yubico key, and so on. Do you really want to have two-factor for every web service you currently have a password for, and re-pair to the site when you lose or change devices?
The number of passwords that users manage ranges from 13 to 300. That’s a lot of SMS codes to re-type after typing in a user ID and password. And what if you change phones? Do you have to re-pair your mobile phone to every website?
But two-factor is here to stay and it will be part of the path forward to increase business confidence for online transactions, so how should it unfold?
Imagine for a moment you had to have a unique credit card for every merchant you purchased from. What would that be like? A complete pain might be an understated description.
Consider these interesting things about credit cards: credit cards are federated; cards issued by trusted providers are accepted at all destinations; and credit cards are the biggest example of two-factor authentication in the world now that there are approximately 3.4 billion EMV cards in circulation globally. That’s right, EMV is two-factor – a strong security token in the chip along with a PIN.
Think about this for a moment. Your favorite social media website has a set of painful password obligations in the form of length, complexity, duty to change frequently, etc. But an EMV payment card only has a four-digit PIN. It sounds like a security paradox – why aren’t the banks losing money? The banks are safe because the use of EMV chips has hidden the security complexity in the chip so the user does not have to be burdened with the details.
Three things keep the global payment network safe:
The card cryptographically signed the transactions and the card cannot be cloned.
The person conducting transaction knew the PIN for the card.
The person to whom the card was issued had not called up to have the card revoked.
If identity and access management went the way of payment networks, which is the argument of this article, some important things would occur:
We could move beyond inane passwords as the primary access mechanism by leveraging more robust protocols like Global Platform’s Secure Channel Protocol, implemented securely into smart consumer devices, leveraging hardware capabilities of such devices where possible.
If identity and access management went the way of payment networks, we could move beyond inane passwords as the primary access mechanism
Federated identity and access would be conducted by a smaller set of trusted issuers who provide assertions on behalf of users who need to prove identity online. State governments, banks and wireless carriers, among others, are well suited to serve here.
User centric protocols, like User Managed Access, enables users greater control and provides transparency regarding which organizations have access to data, and allow for better user revocation mechanisms.
Two-factor on its own sounds like a great step forward, until you dig into the details and realize that it simply transfers the same password proliferation issue to a second factor. Double the authentication, more than double the Hell!
Until the industry finds a better model to secure identities in an increasingly connected world, we’re simply doomed to repeat the same issues like a password Groundhog Day. Can we really expect a different outcome?
Until the industry finds a better model to secure identities, we’re simply doomed to repeat the same issues like a password Groundhog Day
Instead, use the two-factor capabilities in today’s devices to federate authentication to the services that consumers wish to use, without requiring them to have to maintain the same one-to-one, user ID-to-service issue that yielded the current password mess. Rather, use the one-to-many model using devices and a smaller set of trusted identity issuers that can prove identity online and we’ll finally crawl out of password hell and be on a better path to identity heaven.