The End of Passwords


Finally it seems … the penny has dropped. Passwords are a poor substitute for real online security, and there is more and more ‘chatter’ about it. Robin Henry, writing in the Sunday Times on New Year's Day, talks of the end of ‘password hell’, invoking solutions in the pipeline from the Web Gods, Apple and Google. The talk is of new biometric solutions such as facial and hand-movement recognition. Even IBM is talking this way (http://www.forbes.com/sites/thestreet/2011/12/20/ibms-tech-predictions-for-the-next-5-years/).


I agree with the notion that passwords are a dying breed, but not that biometrics will become vogue. They are fraught with problems of their own, such as reliability, accuracy and the need to reference databases (fail!). Why are passwords defunct? Basically they are difficult to remember and easy to steal.


The solutions needed are those that require no cognitive load from the user (the most unreliable participant in this enterprise!) and which leverage emergent technologies like smart-phones and tablets. These technologies enable mobile-based solutions such as out-of-band SMS and character-recognition solutions, as well as wireless solutions like NFC. In fact these technologies have created a challenge for the enterprise, with these devices being brought into work by employees frustrated with working on antiquated PCs.


What is Nirvana? The user not having to remember anything, apart from having his smart-phone on him. Well, it seems that people are more inclined to leave their keys or wallet at home than their smart-phone. So all you will need is something that you already have and won't leave at home.
The first step is to log in to the site with your email address (as the identifier). You then engage with a QR code that is delivered to the screen of the device you are logging in on (even your smart-phone). It is a line-of-sight interaction: you have to present your phone to scan the QR code on the screen. There is no wireless interface à la NFC, which is vulnerable to interception. The phone delivers the scanned code back to the site, closing the loop (triangulation), thereby proving your identity and allowing you to transact.
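As an added illustration of the three-step loop just described (identifier, on-screen QR code, phone returns the code), here is a small Python model of the site side and the phone side. It is not part of the original post and not Live Ensure's code; the identifier, the HMAC-based response from a pre-enrolled phone, and the single-use, one-minute challenge policy are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

# Assumed policy for this example: a QR challenge is valid for one minute and can be used once.
CHALLENGE_TTL_SECONDS = 60


class QrLoginServer:
    """Constructed model of the site side of the login loop (not any vendor's implementation)."""

    def __init__(self, now=time.time):
        self.now = now            # injectable clock so expiry can be exercised offline
        self.devices = {}         # email -> secret shared with the enrolled phone app (assumed)
        self.challenges = {}      # challenge id -> pending challenge record
        self.sessions = {}        # browser session id -> email once the loop is closed

    def enroll_device(self, email, device_secret):
        """Not covered by the post: the phone app is bound to the identifier in advance."""
        self.devices[email] = device_secret

    def start_login(self, email, session_id):
        """Steps 1 and 2: user gives the identifier; server shows a one-time QR payload."""
        if email not in self.devices:
            return None           # unknown identifier: nothing to scan
        challenge_id = secrets.token_urlsafe(16)
        nonce = secrets.token_bytes(32)
        self.challenges[challenge_id] = {
            "email": email,
            "session": session_id,
            "nonce": nonce,
            "issued": self.now(),
        }
        self.sessions[session_id] = None   # session exists but is not yet authenticated
        # This dict is what the QR code on the screen would encode.
        return {"challenge_id": challenge_id, "nonce": nonce.hex()}

    def complete_login(self, challenge_id, email, response_mac):
        """Step 3: the phone returns the scanned code; the server closes the loop."""
        ch = self.challenges.pop(challenge_id, None)   # single use: gone after first attempt
        if ch is None:
            return False
        if self.now() - ch["issued"] > CHALLENGE_TTL_SECONDS:
            return False                                # stale code left on a screen
        if ch["email"] != email:
            return False                                # identifier does not match the challenge
        expected = hmac.new(self.devices[email], ch["nonce"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response_mac):
            return False                                # not the enrolled device
        self.sessions[ch["session"]] = email            # the browser that showed the code is logged in
        return True

    def authenticated_user(self, session_id):
        return self.sessions.get(session_id)


def phone_scan(device_secret, qr_payload):
    """What the enrolled phone app does after scanning the code on the screen (assumed design)."""
    nonce = bytes.fromhex(qr_payload["nonce"])
    return hmac.new(device_secret, nonce, hashlib.sha256).digest()


def run_demo():
    """Walk the loop once with a constructed user and return each step's outcome."""
    clock = [1_000_000.0]
    server = QrLoginServer(now=lambda: clock[0])
    secret = secrets.token_bytes(32)                    # constructed device secret
    server.enroll_device("alice@example.com", secret)   # constructed identifier

    payload = server.start_login("alice@example.com", session_id="browser-1")
    mac = phone_scan(secret, payload)
    first = server.complete_login(payload["challenge_id"], "alice@example.com", mac)
    replay = server.complete_login(payload["challenge_id"], "alice@example.com", mac)

    payload2 = server.start_login("alice@example.com", session_id="browser-2")
    clock[0] += CHALLENGE_TTL_SECONDS + 1               # let the second code go stale
    expired = server.complete_login(
        payload2["challenge_id"], "alice@example.com", phone_scan(secret, payload2)
    )

    return {
        "first": first,
        "replay": replay,
        "expired": expired,
        "user": server.authenticated_user("browser-1"),
        "user2": server.authenticated_user("browser-2"),
    }


if __name__ == "__main__":
    print(run_demo())
```

The point of the model is where the "triangulation" actually lands: the code is tied to the browser session that displayed it and to the claimed identifier, it is consumed on first use, and it expires, so a code left on a screen cannot be reused later and only the phone enrolled for that email can answer it.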


Nirvana exists. It is called Live Ensure (http://www.liveensure.com).


Happy New Year. 

Comments

  1. This is an interesting take on web site security. While I do appreciate the unique approach of using the QR code in a loop back to the site to authenticate the user it adds a layer of complexity that I believe is unwarranted.

    The approach that my company's patent-pending product takes for web site security also uses the mobile device as an authentication tool but doesn't require scanning or a smartphone. This "triangulation" (excellent imagery - I'm going to use this in future descriptions!) occurs through the use of a simple SMS which can be sent from any phone in the world.

    So, while LiveEnsure may appear to be Nirvana, we believe that TextKey™ represents Occam's Razor (the simplest solution is often the best).

    Our personal interest aside, an excellent post.

    Scott Goldman
    CEO - TextPower, Inc.

  2. Scott
    Thank you for your magnanimous words. It is heartening that in this day and age competitors can show mutual respect.

    I guess the battle is on between Nirvana and Occam's Razor - although we have some of that too ;-)

    We steered clear of OOB because we did not want to be reliant upon a third party's network for the performance of our product. And cost etc.

    Best wishes
    Ross
    CEO Live Ensure

  3. I assume you are not talking about a work/company environment?

    In a true security environment the last thing you want are employees waving smartphones about. The capabilities of smartphones in this day and age employ far more technology that enables the user to record by video, photograph, infrared etc. data that would not normally find its way outside the workplace or be compromised. I have worked in an environment where mobile telephones are banned from the workplace for just such cases.

    When the combination lock was invented it gave people the freedom to secure material they found important without having to carry a physical "key" around with them. The reality is that the physical key could be stolen or copied in order to access that material. Much like a combination number, a password is stored in the memory of the person that has legitimate right to access what it unlocks. There will always be some form of interaction required from the user and if that user cannot remember a password then maybe they are in the wrong job to start with.

    Are we now taking a step backwards and saying that you need your smartphone as a key to unlock and access what you need and what happens when it's the case that your smartphone crashes, loses power, you actually (God forbid) do forget it or it gets stolen?

    Mind you it could always be used as an excuse by slackers for not getting any work done, "I'm sorry I forgot/broke/lost my smartphone today," compared to a password reset. I for one will stick with a memorised password as it costs me nothing but memory space, I do not need to charge it and I won't leave home without it!

  4. The BYOD phenomenon is upon us. Most corporations are embracing this reality. Fighting it is like Canute trying to hold back the tide. We believe this will be the norm and hence smartphones and iPads will become de rigueur. This means that instead of issuing staff with smart cards/ dongles/ USB keys etc ( most of which are even more likely to be lost or stolen) - let them use what they have. But ours also works with an OOB PIN via email/SMS if that was all that was allowed.
    Peace.

  5. This thread is probably a few months old.
    The other anonymous is absolutely right on target.

    Last thing we want is smart phone stolen.

    Mind you, there is _no replacement_ for the first factor on the "Internet" (aka remote authentication), i.e. what you know is a _must_ for authentication.

    Only next come the second factor (what you have) and third factor (what you are).

    Sorry, but your "nirvana without anything to remember" is not secure.

    But there are alternatives to passwords, without necessarily losing the simplicity and convenience of passwords.

    If you want to dig in, http://www.oncybersecurity.com

    Yes, Peace!
