We have a love/hate affair when it comes to using passwords. The average person has to remember dozens of them for various logins, and many of us try to cope by reusing our favorites. That just opens up all sorts of security issues: if a popular service (take your pick: Yahoo, LinkedIn, Dropbox, and many more sites all have been breached over the years) is compromised and millions of user names and passwords revealed, there is trouble ahead.
Enterprises have typically dealt with password security in one of several ways: set up complexity policies and mandatory change periods in directory services such as Active Directory, beef up security with one-time password generators such as RSA’s SecurID and Yubico’s Yubikey, use various multifactor tools such as Gemalto’s Authentication Service or Vasco Identikey Authorization Server, use various password management stores such as Lastpass and Keeper, or deploy a single sign-on tool such as Okta or Ping Identity to automate the sign-on process. None of these works flawlessly, and each has its issues with deployment, user acceptance, and security policy management.
Indeed, the password security field has gotten to be such a ripe target that even the popular TV show “Shark Tank” evaluated a password manager startup vendor in a recent episode.
Part of the problem is that no matter what kind of tool an IT department uses, at the core the weakest link for password management has to do with the user and the faulty memory of the human brain. It doesn’t matter how fancy a password management system we put in place if users continue to write them down on sticky notes or keep them in a plain text file (usually called “My passwords”) on their hard drives.
Another issue is that attackers are getting smarter about compromising passwords, even when some of the above methods are deployed to make them harder to crack. This is especially true for the one-time password (OTP) when it is delivered as an SMS text code to a user’s cellphone as an additional authentication factor. Back in 2013, LifeHacker posted an article quoting AusCert general manager Graham Ingram: “The two factor out-of-band device that they’re sending the messages to is now the same device being used for the banking, and the malware is fully aware of that and using the sent information to capture the session.” Several celebrated compromises later, Wired magazine has put everyone on notice about insecure SMS usage. Indeed, the original premise of SMS-based OTPs – that they add “something you have” as a second authentication factor – no longer holds: these man-in-the-middle attacks have reduced the SMS OTP to just “something else that you know.”
The third issue is the cloud, which can be both a blessing and a curse for password security. Blessing, because several of the password management vendors are leveraging the cloud to store and track password usage. For example, Lastpass (among others) records the IP address used and sends a warning if you attempt a login from a new network, as an additional safeguard. More single sign-on vendors are automating their logins through the cloud. This has been helped by the effort to adopt better and more pervasive authentication standards too.
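The new-network warning described above, as an added example (not Lastpass’s code): each user’s successful logins are collapsed to their /24 (or /64) network, and a login from a network not yet seen for that user is flagged. The login records are constructed sample data.

```python
import ipaddress

# Constructed sample of successful-login records (user, source IP); not real data.
LOGINS = [
    ("alice", "203.0.113.10"),
    ("alice", "203.0.113.44"),   # same /24 as the first login: no alert
    ("alice", "198.51.100.7"),   # new network: alert
    ("bob",   "192.0.2.5"),
    ("bob",   "192.0.2.5"),      # exact repeat: no alert
    ("bob",   "203.0.113.10"),   # alice's network, but new for bob: alert
]

def network_of(ip):
    """Collapse a source address to its /24 (IPv4) or /64 (IPv6) network."""
    addr = ipaddress.ip_address(ip)
    bits = 24 if addr.version == 4 else 64
    return ipaddress.ip_network(f"{addr}/{bits}", strict=False)

def new_network_alerts(logins, known=None):
    """Return (user, ip) pairs whose network was not previously seen for that user.
    `known` maps user -> set of trusted networks and is updated as logins are processed."""
    known = {} if known is None else known
    alerts = []
    for user, ip in logins:
        seen = known.setdefault(user, set())
        net = network_of(ip)
        if net not in seen:
            # A user's very first login seeds the baseline without alerting.
            if seen:
                alerts.append((user, ip))
            seen.add(net)
    return alerts

if __name__ == "__main__":
    for user, ip in new_network_alerts(LOGINS):
        print(f"warn {user}: login from new network {network_of(ip)} ({ip})")
```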
The cloud is a curse because it makes a potential compromise of other passwords possible if a user has duplicate passwords or simple passwords for one account. If that particular account has been breached, the other accounts that share that password are vulnerable.
But all is not gloom and doom. Besides the cloud, there are other new developments that could help the puny password. First, OTP technology has evolved over the years and the newer OTP hardware tokens are “smarter.” These tokens now have encryption keys or an encryption engine embedded, rather than just displaying a changing series of numbers for users to type into the authentication dialog. Using this built-in encryption makes man-in-the-middle attacks much harder to pull off. Another approach is the so-called “push OTP” method: instead of asking a user to key in the OTP displayed on a token, the notification is sent via SMS and all a user has to do is acknowledge its receipt with a text message.
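Why an embedded key helps against relaying, as an added example that is not from the article or any vendor: a typed six-digit code verifies no matter which site the user entered it on, whereas a token that signs the server’s challenge together with the origin the client is actually connected to only verifies for the genuine origin. HMAC with a shared secret stands in for the token’s embedded key (real tokens typically use an asymmetric key pair); the secret and origin names are constructed.

```python
import hashlib, hmac, secrets, struct

# Constructed device secret shared by token and relying party (HMAC stands in for the
# embedded key/engine; real hardware tokens typically hold an asymmetric key pair).
TOKEN_SECRET = b"\x01" * 32
REAL_ORIGIN = "bank.example"

def typed_otp(secret, counter):
    """HOTP-style code read off a display and typed in. It is bound only to the
    counter, so whichever site receives it can forward it to the real one."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"

def verify_typed_otp(secret, counter, code):
    return hmac.compare_digest(typed_otp(secret, counter), code)

def token_sign(secret, challenge, origin_seen_by_client):
    """A 'smart' token signs the server challenge together with the origin the
    client is talking to, so the response is only valid for that origin."""
    msg = challenge + b"|" + origin_seen_by_client.encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()

def verify_signed(secret, challenge, signature):
    """The relying party always checks against its own origin."""
    expected = token_sign(secret, challenge, REAL_ORIGIN)
    return hmac.compare_digest(expected, signature)

def relay_comparison(counter=7, lookalike_origin="bank-login.example"):
    """Same login flow with the user on a look-alike origin whose page forwards
    everything to the real site. Returns (typed_otp_accepted, origin_bound_accepted)."""
    # Typed OTP: the code the user keys in is forwarded unchanged and still verifies.
    code_typed_by_user = typed_otp(TOKEN_SECRET, counter)
    typed_ok = verify_typed_otp(TOKEN_SECRET, counter, code_typed_by_user)
    # Origin-bound: the real challenge is forwarded, but the token signs the origin the
    # client is actually connected to, which the relying party will not accept.
    challenge = secrets.token_bytes(16)
    sig = token_sign(TOKEN_SECRET, challenge, lookalike_origin)
    bound_ok = verify_signed(TOKEN_SECRET, challenge, sig)
    return typed_ok, bound_ok

if __name__ == "__main__":
    typed_ok, bound_ok = relay_comparison()
    print(f"typed OTP accepted via relay: {typed_ok}; origin-bound accepted: {bound_ok}")
```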
A second approach is getting rid of passwords altogether. Vendors are doing this through a variety of clever methods; the most common is to make use of the fingerprint readers that are now standard on the latest Android and iOS phones. The open-source Tidas project from PasswordlessApps.com uses the private encryption keys inside the more recent iPhones, in combination with the fingerprint reader, to sign and encrypt your data. All private information is stored inside the iPhone and nothing is transmitted anywhere else.
Another passwordless solution is from Trusona, which was announced earlier this year. When you sign up for their service, they send you via a courier a device that fits on the end of your smartphone and looks like a payment-based credit card reader like Square or Amazon payments. Instead, they are using this device (and the chain of custody from their plant to your hands) to associate your credit card with your identity.
In addition, more apps are incorporating security and authentication methods directly into their code. This is the outcome of efforts by vendors such as Vasco, Gemalto and others that have very sophisticated APIs to construct the MFA routines as part of the app itself, whether it be a SaaS-based Web app or something for mobile phones.
So don’t give up on the lowly password just yet; there is hope on the way. Enterprise security managers need to think beyond passwords, evaluate some of these new options, and find the right match for their particular circumstances.