07 May 2013

On Eliminating Passwords

It seems to me that authentication in general needs to change. The requirement to remember a password for every online service you use has proven to be a daunting task not only for users but also for businesses that must store the credentials to authenticate those users. Considering the dramatic increase in data security breaches in recent years, it's no wonder that the competition amongst password management software continues to increase.

Personally, I use a password manager that supports all the devices I use (MacOS X, iOS and Android) and has the ability to sync across them. Not only does a password manager store your username/password pairs in a secure file, but it also has the ability to generate passwords with a high entropy to guard against a brute force attack. But even this is a game of chase. Just like in the world of anti-virus software, it's kind of a reactionary game. That is, only as new viruses are discovered can the signatures of those viruses be added to the anti-virus software. The same applies to passwords -- as the ability to crack stronger passwords only becomes easier, the requirements for passwords become more strict. At some point the whole idea of passwords will become a counterintuitive exercise. Many services also require the use of security questions for password recovery but this is also a losing game given that most of the security questions offered are largely the same across many unrelated services. It makes me wonder if eventually the use of a text based password is simply an invitation for a security breach (e.g., 'Oh this person is using a text-based password only, no problem we'll just crack it').

Beyond the cracking of passwords, consider how much companies spend to support usernames and passwords. Just the other day I was locked out of a system and had to actually call the help desk for assistance because there was no online password recovery offered. Now think about the fact that the help desk I contacted supports many thousands of users all over the world. In fact, my need for support with a password is such a common request that there is a category in the phone tree dedicated to password support. I hazard a guess that the investment to provide this support alone is probably fairly high.

To protect against simple password cracking we've seen the rise of multi-factor authentication (MFA) whereby a password plus some other out-of-band methods are used for authentication such as a text sent to your mobile device, a phone call to your phone number of choice, etc. Financial institutions typically provide this capability and even Amazon provides a MFA feature to secure an AWS environment. Many companies provide employees with a small two-factor authentication device -- I'm sure you've seen a SecureID token from RSA, a similar device from Symantec or smart cards from various companiesj, but even these have been breached and/or have been proven to be flawed. Furthermore, these solutions are aimed at the SMB and enterprise markets for distribution to employees, not at the general consumer market. And beyond that, I've even been locked out of a SecurID token before which required a phone call to a help desk!

Earlier this year, a new group named Fast IDentity Online Alliance (FIDO) launched to bring forth a new type of multi-factor authentication and new usage models. From the FIDO website's description of What Makes FIDO Different?:

The range of technologies supported by the FIDO protocol will include biometrics such as fingerprint scanners, voice and facial recognition, as well as existing authentication solutions such as Trusted Platform Modules (TPM), Near Field Communication (NFC), One Time Passwords (OTP) and many others.
To learn more about FIDO, check out the How FIDO Works page describing the protocol, here's an image about it:

The short story is that a three-way binding occurs between the user, the device and the vendor's back-end system and it requires all three need to be present to use the system. What is intriguing to me is that this protocol is aimed at end users/consumers -- people like you and me.

The first company to be considered FIDO certified is Nok Nok Labs in Palo Alto, CA. This company provides a commercial solution to implement the FIDO protocol and is currently testing it at about 15 companies. What's really needed is adoption of such a solution by popular online services and Nok Nok Labs is already testing it's solution with PayPal.

Not only would it be more comforting to know that my payments and my funds are secured by more than a username/password pair, but it would also be more convenient not to have to remember a password for every website I use. But until something like the FIDO protocol becomes ubiquitous, we must continue to live with what we've got today.


  1. Look into OpenID ( http://openid.net/ ). Ok, it still requires you to type a password, but you only need to remember one password, for one site.

    In fact, I am writing this very post on your blog using my Wordpress OpenID

    I still need to log in to Wordpress before I can post on your site, but I only have to remember my password for this one service and if I feel it might be compromised, I can just change it there and it will not affect the dozens of websites I am using OpenID on.

  2. I already use OpenID on various sites. IMO, the problem with OpenID is that it still relies upon a password.

  3. I use PasswordWrench. I switch my important passwords each 30-60 days, and make them long, but I can never remember them and ended up using variations of the same password over and over, which is not Immune. This way they help me create my own personal system for managing my passwords.