In earlier years, matching a user ID to a secret password was considered the ultimate in security. Despite some users who actually used "password" as their password, the method worked relatively well for securing workstations or stand-alone computers. Even when the public began to flock to the Internet to conduct online shopping or send emails, the password kept them fairly well protected.
Unfortunately, easy access to the Internet brought a new breed of criminal -- those who steal users' personal information and credit card data. These perpetrators can log in from virtually any country, making them notoriously difficult to track, apprehend and prosecute. In most cases, these criminals are highly skilled and knowledgeable, and in some cases, they have not only the support of their governments, but also government funding.
The problem was exacerbated by the rapid growth of mobile devices. Securing a cell phone transmission, for example, is extremely difficult; worse, considering the number of phones left in taxis or otherwise lost, it is impossible to assume that a mobile device in use is actually in the hands of the rightful owner.
In recent years, there have been a number of security breaches that have been highly publicized. Facebook, PayPal, eBay and other high-profile sites have fallen prey to hackers. In early 2014, the infamous Heartbleed vulnerability was exposed, and users were strongly urged to change their passwords to protect their data. Even shopping at a brick-and-mortar store became problematic -- witness the massive data breach suffered by Target.
The Move to Eliminate Passwords
Because of these breaches, there have been some in the industry who urge the elimination of passwords. They claim passwords simply do not work; passwords have become obsolete, and security needs to evolve to a higher level. Different ideas have been bandied about as offering a secure alternative to passwords, including the use of biometrics, such as the user's voiceprint or fingerprint, to validate identity. Other options include more hoops for users to jump through, ranging from security questions to one-time passwords and authentication tokens.
The fact is that there are significant risks and implications when using human biometrics, such as fingerprints, for online authentication. Many would argue that these risks far outweigh their potential security benefits. While biometrics can be reliable as unique human identifiers, they are best in controlled environments and closed systems, none of which applies to the online world. As an example, we leave our fingerprints exposed to collection hundreds of times a day as we interact with objects in our work and home environments. This makes it all too easy for criminals to capture, digitize and use or sell our fingerprints if they ever become a mainstream authentication factor. The uniqueness and permanence that are most desirable for authentication will become their primary vulnerability and introduce an instant black market for fingerprint collection. In other words, fingerprints don’t make good secrets, and secrets are the basis for online security. Voice and facial recognition, for their part, run into reliability problems in online authentication.
Why Passwords Aren't Going Away
From the very beginning of the computer age, passwords have been a primary method of securing access. They are the most affordable and widely adopted method of authentication in use, and this is unlikely to change any time soon. Most internet users have accepted and become proficient with the use of passwords and PINs, and the fact that they can be changed over time is a major security benefit. There is no doubt that increased online service adoption has complicated password management, but it would be better to address this than to abandon the use of passwords altogether.
What the online world needs is the addition of a frictionless authentication factor that protects passwords and PINs from capture and exploitation, simplifies password use and management, and strengthens the security of online access.
Threat Surface Reduction - The Key to Online Security
The adoption of mobile devices has placed quite a demand on the industry: provide more security without making security more complicated. In fact, many users do not want to have to take even one extra step when they log in with their devices. It might seem like an impossible task, but there is actually a way to deliver both of these requirements. The key is to reduce the threat surface of online access by introducing a high assurance, device-centric dimension to user authentication.
This device-focused technology makes the device an integral part of layered, machine-to-machine security that does not require the user to do, have, or know anything more than their current user authentication factor, such as a password or PIN. This restricts access to specifically authorized devices and provides authenticated device identity, integrity validation and policy enforcement.
With a device-centric dimension, criminals can no longer steal, capture or phish user passwords and then use them to log in from their own devices. If a device is lost or stolen, it can be quarantined or blacklisted, rendering the device useless to the criminal. When a user’s password is used from an unauthorized device, the user can be notified to change their password while their account is protected from unauthorized access.
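As an added illustration of the layered check described above (this is example code, not the article's or DeviceAuthority's), the following Python sketch gates a login on both the password and a signed challenge from an enrolled device, and shows the three outcomes the text names: a quarantined device is refused, an unknown device is refused and the user is alerted, and only an enrolled device with the right password is granted access. The user name, device identifiers, keys, salt and the HMAC-based device proof are all constructed assumptions.

```python
import hashlib
import hmac

# Constructed demo store: one user and two enrolled devices. In a real
# deployment the device key would be provisioned at enrollment and held
# in protected storage on the device; here it is a placeholder byte string.
SALT = b"constructed-salt"


def _pw_hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


USERS = {"alice": _pw_hash("correct horse")}
DEVICE_KEYS = {
    "phone-1": b"constructed-device-key-phone-1",   # currently authorized
    "phone-0": b"constructed-device-key-phone-0",   # enrolled, later reported lost
}
QUARANTINED = {"phone-0"}   # lost/stolen devices: key known, access revoked
ALERTS: list[str] = []      # notifications the service would send the user


def device_sign(device_id: str, challenge: bytes) -> bytes:
    """Client side: the enrolled device proves possession of its key."""
    return hmac.new(DEVICE_KEYS[device_id], challenge, "sha256").digest()


def authenticate(user: str, password: str, device_id: str,
                 challenge: bytes, signature: bytes) -> str:
    """Server side: the password factor AND the device factor must both pass."""
    stored = USERS.get(user)
    if stored is None or not hmac.compare_digest(stored, _pw_hash(password)):
        return "denied: bad credentials"
    if device_id in QUARANTINED:
        # A stolen device is useless even with the correct password.
        return "denied: device quarantined"
    key = DEVICE_KEYS.get(device_id)
    if key is None:
        # Correct password from a device the user never enrolled: the account
        # stays closed and the user is told the password may be compromised.
        ALERTS.append(f"{user}: valid password used from unknown device "
                      f"{device_id}; please change your password")
        return "denied: unknown device"
    expected = hmac.new(key, challenge, "sha256").digest()
    if not hmac.compare_digest(expected, signature):
        # Knowing an enrolled device's identifier is not enough without its key.
        return "denied: device identity check failed"
    return "granted"
```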
Passwords are not going to disappear overnight and they shouldn’t. They need the support of the next mass-adoptable authentication factor that provides advanced security without destroying user experience or moving to solutions that introduce more serious consequences and privacy issues.
About the Author: Talbot Harty is CEO and Founder of DeviceAuthority, Inc. Mr. Harty is a multi-disciplined technology executive who specializes in application design, advanced technologies, and high-performance team-building. Throughout his 20-year career he has worked with early start-ups and publicly held corporations, delivering industry-pioneering and award-winning products.