The Death of Passwords

 

Good enough.

It’s not a concept most people associate with information security people or the approach to information security but it is something we in information security desire.  We don’t want to overburden ourselves with unnecessary work or even management of controls.

To delve down into one area of security, namely AUTHENTICATION, passwords are the unlovely and unloved of recent technology history.

Even in information security circles passwords are an element that people want to move past … but it may not be that fast or simple.

Authentication requires some type of credential; in some cases multipe types of credentials are required.  We refer to the use of multiple credentials as Multi-Factor Authentication or MFA.  Because most times we require two types, it can also be referred to as Two-Factor Authentication or 2FA.

An example of MFA is when you use your mobile device to log in to your banking account and the bank sends you a text message with a secret six-digit PIN that you then have to give back to the bank before they’ll let you access your bank account.  The first credential (or factor) is the password you supplied.  That credential changes infrequently but it is something you know.  The second credential is the single-use PIN the bank’s website sent you via text message.

 

There are three types of credentials:

• Something you know
• Something you have
• Something you are

In our banking example, the thing you know is your password.

The PIN that is sent to you proves that you must be in posession of the phone so the credential isn’t the PIN but the mobile device; it is something you have.

If you were to use your password and then use a thumbprint or a scan of your eye from your mobile device then you would be using something you know, your password, and something you are, your unique iris or retinal scan.

Each of these credentials carries with it risk that it will be compromised.  The password has some well-known problems.

• It can be a pain to keep up with many unique passwords
• They can be easy for bad actors to guess or even figure out (called “cracking”)
• They should be changed frequently

The problems with the other types of credentials are something we deal with less often so most people aren’t yet tired of them.

Anything you can have can be taken from you, either physically or may even be cloned in a manner that allows you to have the original but an exact duplicate is in the possession of someone else.

Things that you are may be somewhat more difficult to misuse but that’s not always true and it doesn’t always matter.  When you provide something that you (e.g., a fingerprint or eye scan) the biometrics aren’t stored directly, they are often run through some algorithem to produce a HASH and the hash is stored.  In this way, your unique information should be safe but the hash of your fingerprint must be protected from a bad actor stealing it, too, and misusing it to impersonate you to get authenticated.  Because the hash of your biometrics must be stored by whatever organization you are trying to get into, it is exactly like when you type in a password which is also hashed and stored with that organization.  To the organization, the hash of your password and the hash of your fingerprint are the same type of data and stored the same way.  So there’s no greater protection on their end.  The benefit of biometrics are two-fold:

1. Biometrics are convenient for users
   • You don’t have to invest any mental energy in them
   • You can’t forget what they are
   • You have them with you at all times
2. They can be a second type of credential to increase the assurance that you are really you

The risk inherent in biometrics, however, can be significant.

• You can’t issue a new set of eyeballs or fingerprints to someone if their biometric credentials become compromised
• To generate a new hash for a user’s biometrics you must have the user physically present since you can’t store their actual biometrics

Thus, when we consider the types of credentials we can use to authenticate that you are who you claim to be, passwords are a reasonable example of something you know.  As information security matures in this space, we’ve found ways to lower the pain most users experience around password management through technologies like password management software (I suggest LastPass).