No more passwords in 2017?
Yahoo!’s loss of 500 million passwords was a spasm in the death throes of the humble password, a painfully inadequate answer to our security needs. What are you going to do to replace passwords?
Yahoo!’s disclosure that hackers might have vacuumed up the passwords of as many as half a billion users lit the floodlights on two gaping issues in IT:
- Passwords run out of steam well before they cross the goal line of today’s security needs
- Sometimes you don’t even know they’re gone, which means you’re vulnerable without realizing it
Wakefield Research recently surveyed IT decision makers and found out that 69% will probably do away with passwords completely in the next five years.
The finding of the report wasn’t surprising, nor were the insights that IT professionals are despairing of evergreen problems:
- Users “securing” their accounts with passwords a child could guess, let alone a script kiddie driving any of a dozen tools available for free download
- Users recycling the same password for different accounts so that one crack exposes many systems. And it’s especially galling for IT when the breach of its system is the result of a breakdown of a system beyond its control, such as all the systems now at risk because Yahoo! customers used the same password for Yahoo! as for their work access.
Alternatives to passwords
Alternatives that solve both these problems are maturing. They typically involve mixing methods like:
- Two-factor authentication involving single-use pass codes pinged to the user’s mobile phone or emailed to them
- Biometrics—commonly fingerprint, eye, voice scanner
- Behavior—recognizing a user’s signature behavior, such as:
- Considering the time and place a user is requesting access and deciding if it’s in keeping with that person’s usual behavior
- Looking at the way the user is handling the device—mouse movement and keystrokes—to sniff out atypical behavior
- Device-specific lockdown—only allowing access to certain systems by particular devices assigned to individual owners
Combinations of these are most effective. It’s easy to see, for instance, that a device that has never been used to access a system at 11pm let alone from another city than HQ should be locked out.
Wakefield Research found the biggest obstacle to scraping standalone passwords was the belief by 42% of respondents that they’d get pushback because of “disruption to users’ daily routine.”
A choice that taps into something enjoyed by many might be the answer—the selfie.
Uber is periodically asking its drivers to snap a selfie before accepting ride requests. It runs the selfie through an algorithm to match it against the one on file.
Similarly, MasterCard in Europe is asking online shoppers to authenticate themselves with a selfie.
The technology isn’t as mature as some other options—but the selfie of today might yet have its way as the future of security.
Want to learn more?