The password system is broken. That seems to be one thing we all agree on. But we're stuck with passwords (or at best, passwords plus security tokens) until someone comes up with something better. Now Google has joined the quest for alternative validation solutions.
The problems with passwords are two-fold, at least. Passwords strong enough to resist high-speed brute force or dictionary attacks are far too complex for our everyday needs. Social engineering (maliciously requesting password re-sets) is getting easier as we place more information about ourselves online.
What could substitute for passwords? Biometrics, perhaps, although that looks like a costly, and potentially intrusive, solution. As we've seen, DARPA has been focused on behavioral profiling to authenticate identities. Google seems to be researching two possible measures:
Modifying Google's web browser to work with Yubico keys.
A smartcard embedded finger ring (one tap, and you're in).
My first reaction is that these approaches fall disappointingly short of the kind of cutting-edge research in which DARPA is engaged. After all, what else is a key or a finger ring but a security token? It's not clear what advantages these devices would have over traditional RSA SecurID, except ease of use. And ease of use can be a security disadvantage.
RSA, of course, promotes a "two factor" authentication system, relying on a password or pin number as well as a SecurID token. Even this approach presents multiple vulnerabilities. If the token is stolen, and the password is weak, the token offers no additional protection. Researchers have demonstrated the possibility of cracking the tokens through automated attacks. RSA itself suffered a hack attack.
Google, however, seems to anticipate abandoning passwords altogether and relying on devices alone. The obvious risk with this approach is straightforward theft of the device. Losing it would be inconvenient too. No longer could one simply ask for a password re-set: the device would need to be replaced.
How are these devices going to be sent to users? By mail? How would we identify the user requesting a device? Questions, questions.
Trustworthy authentication remains the grail of cybersecurity. We've reached the stage where we know that passwords are not the solution. Tokens are a useful supplement to passwords, but provide no complete answer. The token-only strategy Google is exploring seems regressive.
Authentication will eventually turn on some factor, unique to individuals, which can't be changed or stolen. Biometrics actually don't fit the bill, because the data representing your fingerprints or retinal scan must itself be kept on a database, and databases are by definition hackable. Behavioral interaction with the device being accessed evades that problem -- but how uniquely identifying is behavior, and can't it change?
The solution will come out of left field, and right now I'm betting nobody knows what it is.
The problem, Sarah, is that people are just unwilling to change passwords--unless forced to--when they have some forty or fifty to remember. They are more likely to use the same password for as many things as possible, and not change it.
I don't think that you can beat hackers period. They will do what they want when they want. The best method that does appear to work is to keep changing your password. That is the cheapest and safest option that you will find out there, period. So why try to fix anything that isn't 100% broken?
There were reports that LastPass may have been hacked in 2011, but no reports of actual passwords having been compromised. I figure everything involves some risk.
A security conscious friend uses LastPass and I let that be my guide.
I use LastPass to auto-generate, remember, and automatically paste in passwords. For the few passwords I have to type in by hand, I substitute some punctuation for letters, and use one or two other tricks to make the passwords easy to type, unique and secure (though not easy to remember -- I use LastPass for remembering those passwords too).
And despite what some security experts say, writing down passwords and storing the piece of paper someplace safe really isn't bad. As Bruce Schneier says, we have hundreds of years of experience at securing little pieces of paper.
Usman: Do you prefer to sign onto those accounts through your Facebook, Twitter or LinkedIn account, or do you prefer to create a separate account where, if you want, you can use an alias that has absolutely nothing to do with your real name or location?
Martin Kuppinger spoke to Yubico's CEO in 2012. Google is using a YubiKey, developed by Yubicon, and some of the product and technology info is discussed in this blog.
Just like you do if you forget your password - you use an alternate method to recover the password.
@taimur_tz, thanks for the clarification. I will definitely download and try this app. It would be interesting to see in which cases it fails to recognise the face.
The ThinkerNet does not reflect the views of TechWeb. The ThinkerNet is an informal means of communication to members and visitors of the Internet Evolution site. Individual authors are chosen by Internet Evolution to blog. Neither Internet Evolution nor TechWeb assume responsibility for comments, claims, or opinions made by authors and ThinkerNet bloggers. They are no substitute for your own research and should not be relied upon for trading or any other purpose.
When David E. Sanger of The New York Times broke the news that the United States was responsible for the Stuxnet malware exploit against Iran's nuclear program, Senator John McCain accused the administration of deliberately leaking the story to enhance President Obama's national security record.
The Gamma Group's business of supplying surveillance technology exclusively for use by government agencies may be legitimate. But not when it poses as the popular, free, open-source web browser Firefox.
Yesterday's hack of the official Associated Press Twitter feed demonstrated the enormous risk attached to the platform's lazy, single factor approach to security.
Cybercriminals don't hesitate when they see an opportunity to spread malware. Not even when it means exploiting as horrific an event as the Boston Marathon bombing.
Law enforcement agencies are poised to use iPhones as facial recognition systems in the coming months. The technical advance promises efficiency but has created a backlash among civil liberties proponents.
The plan for unmanned police drones to patrol traffic and other city conditions in Seattle has sparked a new set of legal concerns about privacy. Law traditionally lags technology, but we can expect now to see a new round of activity in the courts as legal definitions begin to emerge on what "next-gen privacy" will look like.
US counterterrorism expert Richard Clarke, who came to prominence with his prescient warnings before the 9/11 attacks, tells Smithsonian Magazine the US was responsible for the Stuxnet supersmart worm that attacked parts of nuclear reactors in Iran – and in the process, has given away one of the world's most sophisticated cyberweapons.
Ontario's information privacy commissioner explains the unintended consequences of facial recognition technology and how biometric encryption can make it safer.
David Vladeck, Director of the Bureau of Consumer Protection of the Federal Trade Commission, discusses the state of "Do Not Track" and the problem with consumer behavior tracking online.
The US government is funding controversial projects to collect daily Internet activity, including Web searches, Twitter messages, Facebook and blog posts, and the digital location trails generated by billions of cellphones. Its goal is to map these interactions to predict social behavior, such as protests.
New York's Metropolitan Transit Authority is conducting a pilot test of digital kiosks to guide subway users to where they want to go more efficiently and at lower cost.
The whole Amazon.reader debate is a double-stupid. It's stupid to think that there's any e-book buyer who doesn't know Amazon's URL, and it was stupider to let ICANN launch the whole free-form TLD initiative to start with.
While NFC's original goal was to enhance mobile commerce applications, it is finding its way into a number of other uses, which is creating both opportunity as well as challenges for IT departments.
Enterprises would like to move to cloud computing but are hesitant because they are concerned about providers’ ability to secure company data. Here are some tips that help to ensure that if breaches occur, the business is not left holding the bag.
Edmunds separates customers into segments based on the info it collects on its site and from partners, and uses that to push out custom content, said Brian Baron, director of business analytics for Edmunds.com, at Predictive Analytics Innovation Summit.
The automotive website uses propensity modeling to target ads and customer registration forms, said Brian Baron, director of business analytics for Edmunds.com, at Predictive Analytics Innovation Summit.
Subsidized handsets, rather than locked handsets, should be the focus of regulators. We're not getting good deals, not fostering innovation, and weakening our power as buyers.
Expert Integrated Systems: Changing the Experience & Economics of IT In this e-book, we take an in-depth look at these expert integrated systems -- what they are, how they work, and how they have the potential to help CIOs achieve dramatic savings while restoring IT's role as business innovator. READ THIS eBOOK
your weekly update of news, analysis, and
opinion from Internet Evolution - FREE! REGISTER HERE
Wanted! Site Moderators Internet Evolution is looking for a handful of readers to help moderate the message boards on our site – as well as engaging in high-IQ conversation with the industry mavens on our thinkerNet blogosphere. The job comes with various perks, bags of kudos, and GIANT bragging rights. Interested?
To save this item to your list of favorite Internet Evolution content so you can find it later in your Profile page, click the "Save It" button next to the item.
Email This
