Despite hopeful initiatives, demise of passwords years away

Security pros have been saying for years that password protection is not enough. And this week, two groups -- one private, one public -- announced initiatives to create more secure ways to authenticate identities online.

Several security experts, who would love to see passwords retired, said they will be watching those initiatives with interest, but don't expect mainstream change for at least the next several years.

The FIDO (Fast IDentity Online) Alliance, an industry group formed in July 2012, said it hopes to eliminate passwords and improve online security through establishment of a standard of interoperable authentication protocols that could include USB tokens, fingerprints and one-time passwords.

FIDO includes PC maker Lenovo, security firm Nok Nok Labs, online payment firm PayPal, biometrics firm Agnitio, and authentication specialists Validity.

The Defense Advanced Research Projects Agency (DARPA), a research and development arm of the Department of Defense (DoD), issued a "broad agency announcement" (BAA) seeking research proposals for developing biometric authentication through analysis of various activities and behaviors -- keystroke patterns, mouse use, sentence structure and use of language -- that add up to what the agency calls a "cognitive fingerprint."

Brian Donohue at Threatpost writes that DARPA is seeking a biometric platform which "integrates all available biometrics into a single device that carries out the actual business of authentication."

As DARPA puts it: "The application is trying to identify you by looking at all available aspects of you, not just a single sensor connected to the device."

The biometric analysis also is meant to overcome the fact that, "typical systems incorporate no mechanisms to verify that the user originally authenticated is the user still in control of the keyboard," the BAA said.
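As an added illustration (not part of the article, and not DARPA's or any vendor's implementation), the following toy Python script shows the continuous-authentication idea the BAA describes: a typing-rhythm profile is enrolled from constructed keystroke timings, then every later window of keystrokes is re-scored against it, so a change of typist after login is flagged. All timing data, feature choices and the threshold are made up for the example.

```python
"""Toy continuous authentication from keystroke rhythm (constructed data).

Added illustration of the 'cognitive fingerprint' idea: after login, the
typing rhythm keeps being compared with the enrolled profile, so a change
of typist is noticed. Not DARPA's or any vendor's implementation.
"""
from statistics import mean, pstdev

# Constructed enrollment data: (key hold time ms, time to next key ms).
ENROLL = [(95, 180), (105, 170), (100, 190), (98, 175), (102, 185),
          (97, 178), (103, 182), (99, 172), (101, 188), (100, 180)]

# Constructed session: the enrolled user types five keys, then someone else.
SESSION = [(100, 180), (98, 182), (102, 178), (101, 181), (99, 179),
           (140, 260), (150, 250), (145, 270), (138, 255), (155, 265)]

def build_profile(samples):
    """Mean and stddev per feature; stddev floored so z-scores stay finite."""
    dwell = [d for d, _ in samples]
    flight = [f for _, f in samples]
    return {"dwell": (mean(dwell), max(pstdev(dwell), 1.0)),
            "flight": (mean(flight), max(pstdev(flight), 1.0))}

def window_score(profile, window):
    """Mean absolute z-score per feature over one window of keystrokes."""
    dm, ds = profile["dwell"]
    fm, fs = profile["flight"]
    total = sum(abs(d - dm) / ds + abs(f - fm) / fs for d, f in window)
    return total / (2 * len(window))

def continuous_auth(profile, session, window=5, threshold=2.5):
    """Score fixed-size windows; each result is (index, score, accepted)."""
    results = []
    for start in range(0, len(session) - window + 1, window):
        score = window_score(profile, session[start:start + window])
        results.append((start // window, round(score, 2), score < threshold))
    return results

def first_rejection(results):
    """Index of the first window that fails the check, or None if all pass."""
    return next((i for i, _, ok in results if not ok), None)

if __name__ == "__main__":
    prof = build_profile(ENROLL)
    res = continuous_auth(prof, SESSION)
    print(res, "typist change at window:", first_rejection(res))
```

A real system would use many more features, a per-user threshold and a learned model rather than z-scores, but the structure is the same: the check does not stop at login.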


These are not the first efforts to get beyond passwords, said Robert Siciliano, CEO of IDTheftSecurity. "The National Strategy for Trusted Identities in Cyberspace (NSTIC) has been at this for well over a decade," he said. "The pain is finally getting bad enough, the criminals are getting good enough and the public is no smarter, so in the next five and more likely 10 years we should see significant change."

But even now, there are "talented companies out there with existing authentication technologies that are non-invasive, don't impinge on privacy, are easy to use and pass the grandmother test," he said.

NSTIC says on its website that it envisions an "Identity Ecosystem" that would allow people to choose from a marketplace of identity providers -- private and public -- that would issue trusted identity credentials. Instead of having to remember dozens of passwords, "the system would work much like your ATM card works now. By having a credential and a password you would be able to use your trusted ID at many different sites," NSTIC said.

Whatever the initiative, experts agree that the elimination of passwords will take some time. Fred Touchette, senior security analyst at AppRiver, said: "Not everyone has the will or desire to do more than they feel they have to in order to maintain good security practices, and the cost to implement things such as biometrics in every device and make all authentication systems compliant means it's a ways off."

And Ben Knieff, director of fraud product marketing at NICE Actimize, said for any new system to work, both users and providers must accept it. "Everybody has to be in it together," he said. "I expect it to take a long time before a new system is widely accepted, but we're in an amazing environment where it could be a lot shorter."

Some analysts said the FIDO Alliance will have difficulty bringing those groups together. John Fontana at ZDNet quoted Gartner analyst Ian Glazer, saying, "It appears to be a good effort, but my two concerns are its small ecosystem and that it may not serve a larger audience."

Suzanne Matick, a spokeswoman for the FIDO Alliance, said by email that the group is poised for expansion. "There are many other organizations ready to join the FIDO Alliance," she said. "They are in their processes and working through legal issues, which cannot be rushed, but you may expect announcements soon."

Knieff said he believes FIDO could be attractive to both users and providers because of a key factor: "It makes it easier. It lets people use personal preferences and what they're comfortable with," he said.

Knieff and others believe the eventual demise of passwords will definitely make the online world more secure. But, as is always the case, criminals will look for other weak points.

"Weak passwords can be cracked in a dictionary attack," said Robert Siciliano. "But the real issue lies in social engineering attacks where the strength of a password doesn't matter."

Knieff added: "With biometrics, it is very difficult to impersonate somebody, so criminals will look for another way to insert themselves." That is already happening, he noted, when cybercriminals trick people into providing their authentication information for bank accounts.

"If there's a weakness, someone will find it," said Touchette.

By Taylor Armerding