Stagnating passwords need something extra
02 July, 2013
category: Corporate, Digital ID, Financial
The simple reality is that no password, regardless of its complexity, is truly immune to attack. Add the fact that each Internet user maintains multiple accounts with banking institutions, email services, retailers and social media (web sites that all too frequently fail to safeguard their servers), and it becomes easy to see the shortcomings in the password method.
Why, then, in an age of computing advancements does the username/password method of authentication retain such popularity? The simple answer could be cost.
Despite their noticeable weaknesses, username/password solutions remain remarkably affordable. Additional security, like that offered by two-factor authentication via software-based tokens, hardware-based tokens or biometric authentication, quite simply costs more.
Also acting against the password is what The Times of India recently referred to as password fatigue.
“As people are increasingly accessing websites from smartphones and tablets, typing passwords is becoming an ever bigger pain,” explains Sarah Needham of Confident Technologies, developers of a picture-based password alternative.
This so-called fatigue has weakened the already much-maligned password, but more disconcerting is that hackers can use fatigue to their advantage.
A 24-nation survey compiled by Norton last year found that 40% of users either don’t take the time to create a complex password or fail to change their password on a regular basis. Moreover, research by rival McAfee suggests that over 60% of users frequent anywhere from 5 to 20 sites that require passwords.
Figures like these are the reason that many are considering the use of biometrics for secure authentication.
In fact, Google is weighing up a solution that would see its users authenticate to their devices using personalized, NFC-enabled finger rings or by inserting Yubikeys’ ID cards into the USB ports of their computers.
Elsewhere, the FIDO Alliance is developing an open-source system that could allow websites to ask smartphone users to identify themselves by applying a fingerprint directly to their device’s touchscreen. FIDO’s solution could be available as early as this year.
Other, more creative password alternatives, like Motorola’s recent rubber tattoo and ingestible pill proposals, err on the side of science fiction. For the time being, however, two-factor authentication, wherein sites prompt users with an additional security question (your mother’s maiden name, for example) and send an SMS message with a password, seems to be the preferred choice.
In what seems more like a stopgap than an actual security solution, online password managers like LastPass, KeePass, 1Password, Dashlane and Apple’s iCloud Keychain have risen in popularity recently. These solutions promise to house a user’s entire password collection, providing access to the credentials using one master password.
With the number of alternative solutions growing seemingly by the day, one constant remains: passwords just don’t cut it anymore. Provided the current trend continues, biometric authentication is a virtual certainty, and that’s a good thing.