Passwords Will Never Die
When I first joined Siber Systems in 2005 the internet was about 5% of the size it is now, but it was clear that its voracious expansion was not going to slow down any time soon. As the uses of the web multiplied year after year, it was equally clear that consumers wouldn’t be able to remember unique passwords for all the websites they visit.
I attended my first RSA conference in February 2007 in San Francisco, eager to propose our new RoboForm password manager as the best solution to this oncoming problem. Yet everywhere I went I would hear the same confident pronouncement: passwords are going to die soon. This might have been somewhat expected: RSA is somewhere software companies from across the world flock to tout their security innovations, and whether you’ve got a full-fledged secure enterprise integration or just a gimmicky idea, being ahead of the game is key.
I must have met at least 10 people from different companies that had biometric authentication solutions that were going to revolutionize the way we log into our computers, websites, business applications, and everything else. I won’t deny that seeing all those advanced technologies in one place at one time made me go home and think very carefully about the future of the password management industry.
Back then, the future as portrayed in films like Minority Report seemed imminent – fingerprint scans, voice recognition, retina readers all getting people through doors and logging them into computers with speeds that made passwords look like bronze-age technology. People in the biometrics industry were sure their time had come.
However, it was clear after testing these devices and talking to colleagues that neither the technology nor the population expected to use it was ready for prime-time. So I continued down the password manager route, confident that we didn’t live in a sci-fi era quite yet.
Since then the internet has ballooned in size, we have seen the adoption of big data, cloud computing, the internet of things and we see a billion users of Facebook every day. But the challenges of the biometrics industry remain remarkably similar to those it faced ten years ago.
Chief among these is simply the human factor: most of us just don’t value our security over our convenience. Biometrics may be secure, but we still haven’t found a way of making fingerprint scanners and the rest simple and reliable for large audiences to use, and so they have simply refused to adopt it.
There’s another rather more basic problem looming over the sector, though. After the various data breaches over the last year, whether Carphone Warehouse, Sony, Target, or even Ashley Madison, the advice for customers has been to change your password. While this may be irritating to most of us, especially if you don’t use a password manager, it’s not the end of the world.
The biggest selling point of biometric identification is that your eyes and fingerprints are unique to you and thus cannot be changed. Unfortunately, that uniqueness comes with a price. In the event that your biometric data is breached, it is permanently lost to those hackers. It cannot simply be changed.
And stealing your biometric data might be easier than many in the industry are willing to admit. Earlier this year, security firm FireEye demonstrated a fingerprint hack at the RSA conference, showing how they could intercept your biometric data before it hits your devices’ secure zone. According to FireEye, the flaw is simple: rather than trying to break into the secure zone where your information is stored, the attackers simply focus on reading the data coming directly from the fingerprint sensor before it reaches the secure zone.
Once you have that data you can potentially reconstruct the fingerprint and use it as often as you want. Your eyes are not safe either. In another recent case, security researcher Jan “Starbug” Krissler claimed he could bypass iris scanners just by holding up high-resolution print outs to the camera.
There’s no point in arguing about which security solution is the “best”. It’s pretty clear that the future lies with individuals using a combination of security options, each making up for the weaknesses of the others. This “greater than the sum of the parts” solution is multifactor authentication, and comes in three parts:
- Something you have, such as a hardware or software token
- Something you know, like a password or answer to a security question
- Something you are, for example a fingerprint or retina scan.
So rather than try to prove that a new technology is the Holy Grail and should replace passwords, it’s time to educate the public to use more than one factor of authentication. Using multiple factors will certainly increase a user’s security more than using one factor alone, no matter how secure we believe that one factor may be.
Passwords have been used for thousands of years for a very good reason – they’re an easy and unique way of identifying individuals who are granted access to private information. In addition, their ability to be easily changed makes them even more attractive to the general public.
Passwords aren’t going to go away anytime soon. While the world continues to welcome new technologies and additional methods of gaining access to our computers, websites and apps, passwords or some form of them will always be an acceptable factor for authentication. It was true back in 2007; it’s still true today and will likely stay true for many years to come.
About the Author
Bill Carey is Vice President of Marketing & Business Development at Siber Systems Inc., which offers the top-rated RoboForm Password Manager solution. Find out more about RoboForm at http://www.roboform.com/