Smartphones could evolve into password killers

The ubiquitous smartphone, which many people now depend on for business and in their personal lives, is emerging as a promising replacement for passwords used in authentication.

Most experts agree that a password killer is necessary to bolster Web site security. People's fondness for easy-to-guess passwords that are often reused across sites has severely weakened their effectiveness. In addition, sophisticated password-cracking technology has made even hashed (encrypted) passwords easy for hackers to recover once a site's password database is stolen.

Because a smartphone is the one device few people are without, it's seen as the perfect place to store credentials. Add the many sensors in a phone that can be used to identify a user, and the case for using the device for authentication becomes stronger.

"I think it's brilliant," Trent Henry, analyst for Gartner, said of smartphone-based authentication. "We're finding that this will be the type of authentication mode in the future."

A number of vendors with the same view as Henry are trying their best to drive the industry in that direction. Authy, Clef and Duo Security are examples of such vendors.

Even large security companies are getting into the market. Last month, EMC-owned RSA acquired PassBan, which provides technology for using a smartphone for voice and facial recognition for multifactor authentication.

Today, most vendors use the mobile phone for two-factor authentication. If a Web site supports a vendor's service, then when a person logs in, a unique personal identification number (PIN) is sent to the phone. Inputting the PIN completes the sign-in process.
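The PIN-to-phone second factor described above, as an added example that is not code from the article or from any vendor it names: a server-side challenge store that issues a one-time PIN for delivery to the phone and then verifies it with an expiry, a cap on wrong guesses, single use and a constant-time comparison. The in-memory store, the function names and the limits are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets
import time

PIN_DIGITS = 6          # assumed length of the one-time PIN
PIN_TTL_SECONDS = 120   # assumed validity window after issue
MAX_ATTEMPTS = 3        # assumed number of wrong guesses before lockout

# Hypothetical in-memory challenge store keyed by user id; a real deployment
# would keep this in a server-side datastore shared by all login servers.
_challenges = {}


def issue_challenge(user_id, now=None):
    """Create a one-time PIN for a user and return it for delivery to the phone.

    Only a hash of the PIN is stored. A 6-digit code is still brute-forceable
    offline, so the real protections are the short TTL and the attempt cap;
    the hash only keeps plaintext codes out of logs and memory dumps.
    """
    now = time.time() if now is None else now
    pin = "".join(str(secrets.randbelow(10)) for _ in range(PIN_DIGITS))
    _challenges[user_id] = {
        "digest": hashlib.sha256(pin.encode()).digest(),
        "expires": now + PIN_TTL_SECONDS,
        "attempts": 0,
    }
    return pin


def verify_pin(user_id, submitted, now=None):
    """Check a submitted PIN; returns True at most once per issued challenge."""
    now = time.time() if now is None else now
    ch = _challenges.get(user_id)
    if ch is None:
        return False
    if now > ch["expires"] or ch["attempts"] >= MAX_ATTEMPTS:
        del _challenges[user_id]   # expired or locked out: a fresh challenge is needed
        return False
    ch["attempts"] += 1
    # Constant-time comparison so timing does not leak how many digits matched.
    ok = hmac.compare_digest(hashlib.sha256(submitted.encode()).digest(), ch["digest"])
    if ok:
        del _challenges[user_id]   # single use: the same PIN cannot be replayed
    return ok
```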

Unfortunately, most consumers are unwilling to take those extra steps, so the search for an easier and more seamless method continues.

Authy moved in that direction last week with the introduction of an app that connects an iPhone or Android phone to an Apple computer via Bluetooth. From then on, when a person visits Facebook, Dropbox, Google Gmail or another supporting Web site, the credential stored in the phone is used to log into the site automatically.

Authy founder and CEO Daniel Palacio sees the app as only a beginning. In time, the same means of authentication could be used with Google Glass, a digital watch or some other type of wearable computer.

Authy's work and that of its competitors reflect the industry's search for the perfect solution, which is still a ways off.

"The frothy experimentation in the market means we haven't found the right sweet-spot solution yet, and we may never find a single one that suffices for all scenarios," said Eve Maler, analyst for Forrester Research. "Passwords are unlikely to be entirely supplanted unless that single solution appears some day."

For mobile phones to replace passwords, the devices will have to know when the actual owner is logging into a site and not a crook who either stole the phone or found it. Biometrics is one possible answer, as long as reliable and highly secure fingerprint scanners and voice and facial recognition technology can be developed.

Another possibility is phone sensors that can identify the user by the way he or she walks. Such technology, called gait recognition, is currently in the research stage at Georgia Institute of Technology and the Massachusetts Institute of Technology.

Once biometrics becomes rock solid in identifying a device's user, "we'll start to have a very, very, very secure authentication system that's very hassle free," Palacio said. "People just buy it and it works."

While such a system may be much better than the passwords now in use, it does not mean hackers will be out of business.

"The attackers continue to go after these new techniques, so we have to be very careful about the security properties," Henry said. "In other words, you still have to evaluate what kind of attacks could occur."

Stories by Antone Gonsalves