Delfigo Security - Strong Authentication


What's the Future of Passwords? A Conversation

Introduction: As professionals in the authentication space, we stay up to date with technology providers and their solutions. For this post I have invited Josh Cornutt, Director of Software Development at WWPass, to discuss whether it's time to get rid of passwords altogether, and the challenges associated with doing so.


Abby Porter, Director of Product Management, Delfigo: There has been a lot of recent discussion on the lack of security around passwords, especially since so many users choose easy-to-guess combinations that leave their accounts vulnerable to breaches. Both traditional passwords (words typed using the keyboard) and PINs (used on touch screen devices) are vulnerable, especially when the enterprise is reluctant to inconvenience end users with complex requirements. This issue highlights the challenges organizations continue to face with balancing security and user experience. 

Josh Cornutt, Director of Software Development, WWPass: Narisi would certainly take your statement one step further by including not only weak passwords, but passwords in general. Even a strong password is still significantly weaker in comparison to technologies such as public-key cryptography or biometrics, which are now easier to use and implement in a corporate network than ever. To take this one step further, even strong single-factor authentication methods have been publicly scrutinized for still not providing enough security for the modern internet user. Multi-factor authentication is the way of future data security, and there are plenty of very easy-to-use and powerful solutions available; why would corporations settle for anything less now? I'd love to hear your thoughts as to why you think corporations have been slow to adopt these highly secure authentication methods and continue to rely on legacy authentication schemes such as traditional username and password combinations.

Abby: In conversations with organizations who have existing password or PIN technology (which is just as vulnerable, if not more vulnerable) in place for their sites and apps, I have found that there is a lot of reluctance to inconvenience the end user, or to introduce a new workflow that will be confusing. In the past I felt these conversations centered more on existing technology investments (for example, having invested heavily in tokens), but what I hear most often now is focused on the need for quick and easy authentication, and passwords and PINs are easily recognized by users who have been conditioned to use them. I could not agree more that multi-factor authentication is the way to go, and believe that the emerging technologies in the market can actually enhance user experience. What do you see as the key drivers for adoption of multi-factor authentication?

Josh: Multi-factor authentication adoption in corporate environments seems to be largely driven by the need to meet and predict increasingly strict certification standards (HIPAA, SOX, PCI-DSS, etc.), either for their own profitability or due to other governing regulations. For instance, when a corporation goes for PCI-DSS compliance, they're met with section 8.3 of the PCI-DSS 1.2 standard, which states the requirement to "Implement two-factor authentication for remote access to the network by employees, administrators, and third parties". This very plainly states that, if this company would like to move forward with PCI-DSS compliance, they will need to implement some form of two-factor authentication, which will likely translate to either physical smartcard/token devices or biometrics (or both). I agree that passwords and PINs are a quick and easy form of authentication, but they open up an organization to data theft as well as the inability to achieve certain compliances. Multi-factor authentication is here to stay, and as more core compliances start enforcing its use you will begin seeing it around every corner. What do you think authentication into corporate environments will look like in 2-5 years? Will we still be looking at the traditional smartcard model where an employee physically carries around their identity? Do you predict the "cloud" playing a role in near-future authentication methods (everything else is moving to the cloud, why not authentication)?

Abby: I definitely see more services moving to the cloud, though it seems to be going more slowly than was predicted initially. Security-as-a-Service and Authentication-as-a-Service are extremely compelling concepts, but it's tough to get organizations to break free of the idea that it all needs to be done on premise. Still, I'm seeing major players planning for, and going to, the cloud. I think in 2-5 years we'll see a lot of traction there. In terms of what they will look like, I think we'll see a more holistic view of security focused on the user (identity focused, as opposed to access focused), and the winning technologies will excel where user experience is concerned. This has been a great discussion. Any final thoughts?

Josh: This has, indeed, been a very great discussion. I agree with the overall prediction for Authentication-as-a-Service focusing more on user identity management instead of pure authentication/authorization as this concept matures. User experience is everything in today's market, and there are many companies racing to develop a product that can elegantly mesh secure multi-factor authentication with the most comfortable user experience. Thanks for joining me in this discussion, Abby. Until next time!


Can Smartphones Replace Passwords?

Will smartphones replace passwords?

"Because a smartphone is the one device few people are without, it's seen as the perfect place to store credentials. Add the many sensors in a phone that can be used to identify a user, and the case for using the device for authentication becomes stronger," says Antone Gonsalves in a recent post on the subject in Network World. As smartphones become ubiquitous in our day-to-day lives, the push to find an authentication solution designed for mobile continues.

Using the features available on many of the smartphones on the market today for the purpose of authentication is a prospect that has users and enterprises enthusiastic about the idea of leaving passwords behind, and about embracing, instead of fighting against, the changing habits of users. "For mobile phones to replace passwords, the devices will have to know when the actual owner is logging into a site and not a crook that either stole a phone or found it. Biometrics is one possible answer, as long as reliable and highly secure fingerprint scanners and voice and facial recognition technology can be developed." The emphasis on knowing that the user is the right person, and the need for additional authentication beyond possession of the device, will encourage organizations to look at authentication in terms of "who you are", not just "something you know" or "something you have."


"Secure" Password Requirements

Matthew Yglesias posted a great entry on Slate on Monday highlighting the flaw in "secure" password policies. Using 1Password, the author was able to generate a password string that should have been secure for use with most websites (and would have been difficult to guess); however, the system that was requiring him to change his password asked that he include special characters, a common requirement in secure password policies. The result was a variation on his name, which could certainly be guessed.

This blog entry highlights some of the key challenges with continuing to use passwords to access secure sites and information. Creating a password that is impossible to guess or remember leads users to save it, so that it can then be used by anyone who gets access to their device. Secure password policies, while designed to enhance security, still allow users to create passwords that are easy for attackers to guess and use to gain access to accounts.


How Easy Is It To Hack a PIN?

How easy is it to compromise a PIN?

PINs are especially vulnerable to brute-force attacks because they are often shorter than passwords and are drawn from a more limited set of characters (the digits 0 through 9). This creates a much smaller set of possible combinations, and opens them to being guessed when methods like the ones described in this article are used to systematically try each possible PIN in order to eventually land on the correct sequence. As stated in the article: "'There's nothing to stop someone from guessing all the possible PINs,' says Engler, a security engineer at San Francisco-based security consultancy iSec Partners. 'We often hear "no one would ever do that." We wanted to eliminate that argument. This was already easy, it had just never been done before.'" This robot can do it reliably within 20 hours.

The fact that PINs are vulnerable is widely known, but most users assume that no one will take the time to try enough entries to correctly "guess" their PIN. However, when you factor in the simple sequences so many users choose out of convenience (for example "1234", "1111", or the year of their birth), these PINs can be "guessed" first and will be correct for a large percentage of accounts. Users should think carefully about selecting PINs that will be harder to guess, but should also look for opportunities to use providers with strong authentication (given how easy it is to crack any PIN) for applications with sensitive information.
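A provider-side check for the weak PIN patterns the post names (repeated digits, sequential runs, and plausible birth years), as an added example that is not part of the original post; the function name and the rejection messages are assumptions.

```python
import datetime


def weak_pin_reason(pin: str):
    """Return a short reason why the PIN is weak, or None if it passes.

    The checks mirror the convenience choices described above, which an
    exhaustive guesser would try first: "1111", "1234" (in either
    direction, starting from any digit) and four-digit years of birth.
    """
    if not pin.isdigit() or len(pin) < 4:
        return "must be digits only, at least 4"

    # "1111", "0000": a single repeated digit
    if len(set(pin)) == 1:
        return "repeated digit"

    # "1234", "4321", "5678": every step between neighbours is +1 or -1
    digits = [int(d) for d in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    if steps in ({1}, {-1}):
        return "sequential digits"

    # A four-digit value between 1900 and the current year reads as a birth year
    current_year = datetime.date.today().year
    if len(pin) == 4 and 1900 <= int(pin) <= current_year:
        return "looks like a birth year"

    return None


if __name__ == "__main__":
    for candidate in ["1234", "1111", "1985", "8305"]:
        print(candidate, "->", weak_pin_reason(candidate) or "ok")
```

Rejecting these patterns at enrolment does not change the size of the keyspace; it only removes the guesses most likely to succeed first, which is why the post still recommends stronger authentication for sensitive applications.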


The 500 Most Common Passwords

Whats My Pass recently listed the 500 Most Common Passwords from the 2005 book Perfect Passwords by Mark Burnett (note: some are offensive). The top 3 are 12345, password and 12345678. One interesting thing that caught our eye - the key difference between numbers 1 and 3 of course must be that those using number 3 work in "secure" organizations that require a strong 8 character password.

Second-factor security using keyboard biometrics can help eliminate the relevance of a weak versus a strong password. It should not matter whether the user's password is made up of 3 simple letters only, or a 10-character mix of letters, numbers, symbols and case. Like fingerprints, we all produce a unique keystroke pattern when typing. If this second layer of security has been properly trained into the system, a set of unique patterns will be available for comparison against new entries. Only one individual should be able to duplicate the keystroke pattern with sufficient confidence that the system would authenticate. The simplicity or complexity of the password would not matter, which in turn alleviates a number of usability and password management issues.
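A simplified illustration of the training-and-comparison step described above, as an added example that is not Delfigo's product code: it enrols a profile from several constructed typing samples (key-down timestamps in milliseconds for one password) and scores a new attempt by how many inter-key intervals fall within the trained tolerance. The function names, the 2-sigma tolerance and the 0.8 threshold are assumptions chosen for the example.

```python
from statistics import mean, pstdev

# Constructed enrolment data: key-down timestamps (ms) for the same six-character
# password typed four times by the legitimate user.
ENROLL = [
    [0, 180, 360, 700, 860, 1020],
    [0, 190, 350, 720, 870, 1010],
    [0, 175, 370, 690, 850, 1030],
    [0, 185, 355, 710, 865, 1015],
]


def intervals(timestamps):
    """Flight times between successive key presses."""
    return [b - a for a, b in zip(timestamps, timestamps[1:])]


def train(samples):
    """Build a profile: (mean, std) of each interval position across all samples.

    The standard deviation is floored at 5 ms so that a very consistent typist
    does not produce a zero-width tolerance that rejects every new attempt.
    """
    columns = zip(*(intervals(s) for s in samples))
    return [(mean(col), max(pstdev(col), 5.0)) for col in columns]


def score(profile, attempt):
    """Fraction of the attempt's intervals within 2 std of the trained mean (0..1)."""
    observed = intervals(attempt)
    if len(observed) != len(profile):
        return 0.0  # wrong length: cannot be the enrolled password
    hits = sum(1 for (m, s), x in zip(profile, observed) if abs(x - m) <= 2 * s)
    return hits / len(profile)


def authenticate(profile, attempt, threshold=0.8):
    """Second-factor decision: the typing rhythm must match, not just the text."""
    return score(profile, attempt) >= threshold


PROFILE = train(ENROLL)
GENUINE = [0, 182, 360, 705, 860, 1015]       # constructed: owner's rhythm
IMPOSTOR = [0, 300, 550, 1200, 1500, 1700]    # constructed: knows the text, not the rhythm

if __name__ == "__main__":
    print("genuine:", authenticate(PROFILE, GENUINE))
    print("impostor:", authenticate(PROFILE, IMPOSTOR))
```

Production systems also use key hold (dwell) times and far more enrolment samples; the point shown here is that the password text is identical in both attempts and only the rhythm decides.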

