The End of Passwords


Finally it seems … the penny has dropped.   Passwords are a poor substitute for real online security.   There is more and more ‘chatter’ about it.    Robin Henry writing in the Sunday Times on New Years Day talks of the end of ‘password hell’ invoking solutions in the pipeline from the Web Gods – Apple and Google.  The talk is of new biometric solutions such as facial and hand movement recognition.  Even IBM is talking this way.  (http://www.forbes.com/sites/thestreet/2011/12/20/ibms-tech-predictions-for-the-next-5-years/


I agree with the notion that passwords are a dying breed but not that biometrics will become vogue.   They are fraught with problems of their own such as reliability, accuracy and the need for referencing of data-bases ( fail !) .    Why are passwords defunct?   Basically they are difficult to remember and they are easy to steal.   


The solutions needed are those that require no cognitive load for the user ( the most unreliable participant in this enterprise !) and which will leverage the emergent technologies like smart-phones and tablets.  These technologies enable mobile based solutions like SMS out of band and character recognition solutions as well as wireless solutions like NFC.    In fact these technologies have created a challenge for the enterprise with these devices being brought into work by employees frustrated with working on antiquated PC’s. 


What is Nirvana ?   The user not having to remember anything apart from having his smart-phone on him.  Well it seems that people are more inclined to leave their keys or wallet at home than their smart-phone.  So all you will need is something that you already have and one which you wont leave at home.   
The first step is to log in to the site with your email address (as the identifier). You then engage with a QR code that is delivered to the screen of the device you are logging in on ( even your smart-phone).. A line of sight interaction – you have to present your phone to scan the QR code on the screen.  There is no wireless interface a la NFC which is vulnerable to interception.  The phone delivers the scanned code back to the site, closing the loop ( triangulation) thereby proving your identity  and allowing you to transact.  


Nirvana exists.  It is called Live Ensure. (http://www.liveensure.com


Happy New Year. 

Comments

  1. Unknown3 January 2012 at 07:14

    This is an interesting take on web site security. While I do appreciate the unique approach of using the QR code in a loop back to the site to authenticate the user it adds a layer of complexity that I believe is unwarranted.

    The approach that my company's patent-pending product takes for web site security also uses the mobile device as an authentication tool but doesn't require scanning or a smartphone. This "triangulation" (excellent imagery - I'm going to use this in future descriptions!) occurs through the use of a simple SMS which can be sent from any phone in the world.

    So, while LiveEnsure may appear to be Nirvana, we believe that TextKey™ represents Occam's Razor (the simplest solution is often the best).

    Our personal interest aside, an excellent post.

    Scott Goldman
    CEO - TextPower, Inc.

    ReplyDelete
  2. Ross Macdonald4 January 2012 at 15:13

    Scott
    Thank you for your magnanimous words. It is heartening that in this day and age competitors can show mutual respect.

    I guess the battle is on between Nirvana and Occam's Razor - although we have some of that too ;-)

    We steered clear of OOB because we did not want to be reliant upon a third party's network for the performance of our product. And cost etc.

    Best wishes
    Ross
    CEO Live Ensure

    ReplyDelete
  3. Anonymous14 January 2012 at 03:30

    I assume you are not talking about a work/company environment?

    In a true security environment the last thing you want are employees waving smartphones about. The capabilities of smartphones in this day and age employ far more technology that enables the user to record by video, photograph, infrared etc. data that would not normally find its way outside the workplace or be compromised. I have worked in an environment where mobile telephones are banned from the workplace for just such cases.

    When the combination lock was invented it gave people the freedom to secure material they found imortant without having to carry a physical "key" around with them. The reality is that the physical key could be stolen or copied in order to access that material. Much like a combination number, a password is stored in the memory of the person that has legitimate right to access what it unlocks. There will always be some form of interaction required from the user and if that user cannot remember a password then maybe they are in the wrong job to start with.

    Are we now taking a step backwards and saying that you need your smartphone as a key to unlock and access what you need and what happens when it's the case that your smartphone crashes, loses power, you actually (God forbid) do forget it or it gets stolen?

    Mind you it could always be used as an excuse by slackers for not getting any work done, "I'm sorry I forgot/broke/lost my smartphone today," compared to a password reset. I for one will stick with a memorised password as it costs me nothing but memory space, I do not need to charge it and I won't leave home without it!

    ReplyDelete
  4. Ross Macdonald15 January 2012 at 15:17

    The BYOD phenomenon is upon us. Most corporations are embracing this reality. Fighting it is like Canute trying to hold back the tide. We believe this will be the norm and hence smartphones and iPads will become de rigueur. This means that instead of issuing staff with smart cards/ dongles/ USB keys etc ( most of which are even more likely to be lost or stolen) - let them use what they have. But ours also works with an OOB PIN via email/SMS if that was all that was allowed.
    Peace.

    ReplyDelete
  5. Anonymous25 July 2012 at 16:41

    This thread is probably a few months old.
    The other anonymous is absolutely right on target.

    Last thing we want is smart phone stolen.

    Mind you, there is _no replacement_ for first factor on "Internet"(aka remote authentication), i.e what you know
    is a _must_ for authentication.

    Only next come the second factor (what you have) and third factor (what you are).

    Sorry, but your "nirvana without anything to remember" is not secure.

    But there are alternatives to passwords, without necessarily losing the simplicity and convenience of passwords.

    If you want to dig in, http://www.oncybersecurity.com

    Yes, Peace!

    ReplyDelete

Post a Comment

Popular posts from this blog

CAPITALISM – no longer fit for purpose ?

Image
The vast majority of humanity survive on a few dollars a day.    The economic boom of the last fifty years has benefited a relatively small elite. The fossil fuel driven economy has devastated the planet. Capitalism is the most efficient creator of wealth but it has been derailed and it has led to inequality and environmental degradation on a global scale. Global warming and capitalism’s favourite progeny – globalisation – has triggered social movements,   political discontent and massive migration.    There are more economic and political migrants seeking greener pastures than at any time in history. Increased Government participation in the economy both directly and through regulation is required to temper the excesses of laissez-faire capitalism. Degrowth means uncoupling the link between growth and prosperity.        Adam Smith’s ‘invisible hand’ has been the single biggest driver of the phenomenal economic growth enjoyed globally over the last two hundred years
Read more

WIKILEAKS - the fuss?

Why all the fuss ? Why the ‘outrage’ at this ‘threat to national security’ ?   Are we really worried that nuclear war is going to break out because of these ‘dirty’ secrets getting out.  As if the North Koreans are going to up the ante any more than their mock charge of last week because of the abuse and scorn heaped upon them by US Diplomats.  ? !    Come on. To me the irony of this bluster is that it is (largely) from the right wing establishment in the US - calling it treason!     Any party that parades a half wit like Palin as a presidential hopeful hardly holds any moral high ground when it comes to protecting the USA.   Her appointment as the ‘leader of the free World’ will be enough to send any level headed American ( let alone any one of their Allies ) into a panicky tailspin at the thought of what she may stumble into ( by accident or design) . So how did these documents get out there?   Poor security.  Plain and simple.   If the US is so worried about this incident su
Read more