Editor's Blog and Industry Comments

Are password alternatives a viable option?

09 February, 2015
Increased biometric authentication adoption hides flaws in technology that result in reverting to insecure password usage

There can be no doubt that the use of biometric technology in consumer products is on the increase. The latest smartphones being offered on the iOS and Android platforms enable the user to authenticate with a swipe of the finger, providing simple access to the device and all its functions. At first sight, it seems that the problem of secure access to personal, financial and business information may have been solved but there's a flaw.


Fingerprint detection and recognition on these devices is so "hit and miss" that users are given the option of entering a password instead in order to gain access.


Despite being decades old, the shackles of password authentication are proving to be difficult to shed and the security industry is failing its customers by not resolving the issue.


Why are passwords vulnerable?


The problem with passwords is that if they are "words", they're easy to crack by brute force. Recommendations to mix upper- and lower-case letters and to introduce numbers into the words followed, so a password like "password" became "P4ssw0rd" and everyone felt more comfortable and secure.


However, this was an illusion, as it turned out that P4ssw0rd is every bit as crackable as password, so the industry advised everyone to use a few special characters and to avoid recognisable strings of characters or numeric substitutions for letters. The result is a password like *h7gv-dGL2& which no-one can remember.
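The point that "P4ssw0rd" is no stronger than "password" is easy to demonstrate with the kind of check a registration form could run: map the usual character substitutions back to the letters they stand for and see whether a dictionary word is left. The example below is added here and is not code from the original article; the substitution table, the short wordlist and the minimum length of 10 are constructed assumptions for illustration.

```python
import itertools

# Common "leetspeak" substitutions, mapped back to the letters they stand for
# (constructed table; "1" is ambiguous, so it expands to both "i" and "l").
LEET = {
    "4": "a", "@": "a", "3": "e", "0": "o", "1": "il",
    "!": "i", "$": "s", "5": "s", "7": "t", "+": "t",
}

# Constructed wordlist for the example; a real check would load a large
# dictionary or breached-password list instead.
WORDLIST = {"password", "letmein", "welcome", "qwerty", "hockey", "monkey"}

MAX_VARIANTS = 4096  # cap the expansion so a long input cannot blow up the search


def normalised_variants(password: str):
    """Yield every plausible 'de-leeted' spelling of the password, lower-cased."""
    pools = []
    for ch in password:
        if ch in LEET:
            # the letter(s) the symbol may stand for, or the symbol itself
            pools.append(list(LEET[ch]) + [ch])
        else:
            pools.append([ch.lower()])
    for i, combo in enumerate(itertools.product(*pools)):
        if i >= MAX_VARIANTS:
            break
        yield "".join(combo)


def dictionary_word_behind(password: str, wordlist=WORDLIST):
    """Return the dictionary word the password is a thin disguise of, or None."""
    for variant in normalised_variants(password):
        # Also tolerate a trailing run of digits ("password1", "P4ssw0rd99").
        stripped = variant.rstrip("0123456789")
        if variant in wordlist:
            return variant
        if stripped in wordlist:
            return stripped
    return None


def is_acceptable(password: str, min_length: int = 10) -> bool:
    """Policy check: long enough and not a substitution variant of a known word."""
    return len(password) >= min_length and dictionary_word_behind(password) is None


if __name__ == "__main__":
    for candidate in ("password", "P4ssw0rd", "P4ssw0rd1", "*h7gv-dGL2&"):
        print(candidate, "->", dictionary_word_behind(candidate), is_acceptable(candidate))
```

Run as a script it reports that the first three candidates all collapse to "password" and are rejected, while the unmemorable *h7gv-dGL2& passes, which is exactly the trade-off the article describes.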


To add to the complication, supermarkets, airlines, hockey clubs, utility companies and e-mail providers all want unique passwords for you to access their sites with the recommendation that they're changed frequently. The situation is impossible because no-one can remember so many passwords that are all unique and all designed to be unmemorable.


The result is that people write them down in a notebook, in a spreadsheet saved on their hard drive or in their browser memory. By recording all these passwords in some way, users are arguably making their access less secure than if they'd chosen simpler, more memorable passwords. We're making it easy for the hackers: choose a password that's easy for them to crack, or choose a more secure password and save it in your browser memory.


The password vault conundrum


Having recognised this paradox, the industry introduced the concept of a password vault, secure storage for all your passwords so you don't have to remember them and you don't have to write them down in a spreadsheet or store them in your browser memory. The password vaults can be held as a service in the cloud or be a feature of a secure hard drive or memory stick.


The conundrum is that the vault itself needs to be accessed, and this is invariably via a password. "One key unlocks them all".


However, the technology is there and it can be used as an alternative to password authentication. The favourites are reliable biometric technologies and two-factor authentication which doesn't use a standard password as one of the factors.


Biometrics


New research from Visa stated that nearly half of people aged 16 to 24 foresee the end of passwords and pin numbers by 2020 as biometric security takes over. The research also revealed that 76 percent feel comfortable with the concept of making payments using biometric data.


With ‘generation Z’ appearing to be so open to adopting biometric identification, we asked Roy Tobin, Threat Researcher at Webroot, what his thoughts were: “It’s no surprise that nearly half of 16-24 year olds can see biometrics taking over from passwords and PIN numbers – it’s quick, convenient and there’s less room for error. It’s moved from a futuristic method of entry in films to becoming commonplace in a variety of smartphones", he said.


2020 is only five years away and it seems a big step to go from the hit-and-miss finger swiping that we have to endure on smartphones today to a position where we're able to make financial transactions on the basis of a biometric factor.


Webroot's Roy Tobin continued: "Iris/retina scanners have a near zero chance of a false positive as the human eye's iris pattern is highly complex. They are a much more reliable and secure method than fingerprints but building them into mobile devices is not practical right now due to the size of these sensors - although this will change in the same way we have seen with fingerprint scanners. Currently, they are used quite successfully in airports and government buildings, but as we all know, human intervention is sometimes required".  


There are also some lingering, and mostly unfounded, concerns surrounding data privacy and the ability to use a severed finger to compromise biometric authentication. In this respect, biometrics has advanced considerably and higher-end recognition devices have "living tissue" detection built into them.


With respect to privacy, there's an understandable concern about the potential for a person's facial identity or fingerprint image to be compromised, which has a more personal implication than having a password stolen. However, unlike police fingerprinting technology, which relies on images of the print, biometrics works differently. The "identity" information which is stored is a hashed code which represents the fingerprint, face or iris pattern. The hashed code can't be resolved into an image.


Two-Factor Authentication


Another way forward is to widen the adoption of two-factor authentication (2FA), a technology which typically involves using something you own and something you know as the means of authenticating identity. "Something you own" could be a payment card, a mobile phone, a hardware module, a key or some other token. "Something you know" could be a password, the contents of an SMS message or it could be a biometric.


Although one of the factors may be a password, the fact is that the password element in this case doesn't need to be so difficult to remember as it isn't the sole means of authentication. However, the best method is to eliminate passwords altogether and have a token and a biometric factor being used to gain access.
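To make the two factors concrete, here is an added example (not code from the article, from Webroot or from any product it mentions) of the server side of a 2FA login: the "something you own" factor is assumed to be a token that produces time-based one-time codes as in RFC 6238, and the "something you know" factor is a password stored as a salted PBKDF2 hash. The secret is the published RFC 4226/6238 test secret so the codes can be checked against the standard's vectors; the demo user, its salt and its password are constructed for the example.

```python
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890"), used so the
# codes below match the published test vectors.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the current time step."""
    return hotp(secret, int(timestamp) // step, digits)


def verify_totp(secret, submitted, timestamp, last_counter, step=30, window=1):
    """Check a submitted code, tolerating +/-window time steps of clock drift.

    Returns (ok, counter). Any counter <= last_counter is refused, so a code
    that was already used (or observed) cannot be replayed inside its window.
    """
    base = int(timestamp) // step
    for drift in range(-window, window + 1):
        counter = base + drift
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return True, counter
    return False, last_counter


def hash_password(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """'Something you know': salted, stretched hash rather than the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def authenticate(user: dict, password: str, code: str, timestamp: int) -> bool:
    """Both factors are always evaluated, and both must pass, before anything is
    revealed; the password alone no longer has to carry the whole burden."""
    pw_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
    otp_ok, new_counter = verify_totp(user["otp_secret"], code, timestamp,
                                      user["last_counter"])
    if pw_ok and otp_ok:
        user["last_counter"] = new_counter        # burn the accepted time step
        return True
    return False


def demo_user() -> dict:
    """Constructed account record; a real system stores this per user."""
    salt = b"constructed-salt"                    # use os.urandom(16) per user in practice
    return {"salt": salt,
            "pw_hash": hash_password("correct horse", salt),
            "otp_secret": DEMO_SECRET,
            "last_counter": 0}


if __name__ == "__main__":
    user = demo_user()
    now = 59                                      # RFC 6238 vector: T=1 -> code 287082
    print("first login :", authenticate(user, "correct horse", totp(DEMO_SECRET, now), now))
    print("replayed    :", authenticate(user, "correct horse", totp(DEMO_SECRET, now), now))
```

The replay check is the part most often left out of home-grown implementations: accepting a drift window without recording the last used time step means the same six digits stay valid for up to ninety seconds, which undermines the "one-time" property the token is supposed to give.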


There is clearly some way to go before large-scale deployment of reliable biometrics or two-factor authentication can be achieved across all the spaces where passwords currently dominate. But this is what the security industry needs to focus on in order to supply consumers with the products they deserve and expect in order to be secure.


Passwords belong firmly and squarely in the 1980s as a historical curiosity. It's time to move on.




Jonathan Newell is a broadcast and technical journalist specialising in security systems and transport safety. He contributes to a range of titles in the technical press. He shares his time between the UK and Kazakhstan


