The persistence of passwords

Biometrics has a growing, but not sole, role in authentication security (Information Management)

“Many IT professionals aren’t convinced biometrics can serve as a secure and reliable replacement for the standard username and password combo,” said Peter Tsai, senior technology analyst at Spiceworks. “Unless technology vendors can address the security issues and privacy concerns associated with biometrics, the technology will likely be used side-by-side in the workplace with traditional passwords or as a secondary authentication factor for the foreseeable future.”

It looks like this 2013 post and the paper that informed it are holding up quite well.

In the paper, A Research Agenda Acknowledging the Persistence of Passwords, Cormac Herley and Paul C. van Oorschot write:

“Passwords, though unloved, deserve some words of praise. They have brought us this far: they are the means by which two billion Internet users access email, banking, social networking and other services. They are essentially free from the service provider viewpoint, and are readily understood by users. They allow instantaneous account setup. Revocation is as simple as changing the password. Those who forget their passwords can be emailed either reset links or the passwords themselves (this practice, though insecure, is common for low-value sites). All of this is automated and instantaneous. They allow access to one’s accounts from anywhere in the world assuming nothing more than a simple browser. Sophisticated users can protect themselves from many of the threats.”

All this is still true. Biometrics, however, can also be used to return the password to the simplicity of the PIN. For example: a fingerprint scan combined with a weak password such as a 4-digit PIN provides stronger authentication than any password a human could be expected to type, provided the biometric is bound to a trusted sensor and the PIN’s ten thousand possibilities are protected by attempt limiting, as they are on a phone. In other words, biometrics can be combined with rudimentary passwords to end the “password arms race” in which the main coping strategy has been longer, more complex and more frequently changed passwords, the real reasons people tire of the humble workhorse of the ID game. So instead of replacing the password, biometrics might one day be used to salvage what makes it great while minimizing the frustrations associated with over-reliance upon it.


Eric Schmidt at HiMSS and comments from Craig Workinger

A final update from Craig at HIMSS…

Eric Schmidt, the former executive chairman of Alphabet, delivered a bold vision of the future of health care and technology at HIMSS, urging participants to go immediately to the cloud.

The cloud, he notes, can take in—and provide security for—the large amounts of data being generated from the growing number of new mobile apps and sensors, then integrate and structure this data into an information flow to support the clinician sitting in front of a patient. Through an earbud or mobile phone, the clinician can access potentially life-saving guidance.

But Eric’s comments underscore the big challenge facing the next generation of EHR (Electronic Health Records). EHR has a growing, vast flow of potentially valuable data from a broad array of devices and apps. What’s lacking is the means to store it and to validate its sources.

Identity authentication across platforms and devices is thus crucial to the next generation of EHR. To be usable, all that data must be tied unequivocally to the individual in front of the clinician. In turn, that means having an integrated, holistic approach to managing identity across all the platforms, apps and sensors.

Banks using voice biometrics to counter social engineering

More companies are turning to voice biometrics for security purposes (Digital Trends)

Technology known as voice biometrics seems to be the next big thing in keeping your accounts safe and sound, especially with the alarming rise in call-in center fraud. In this latest version of trickery, criminals take advantage of human error and human emotions when they dial into a customer service line, describe some fictional situation that garners the representative’s sympathy, and subsequently gain access to sensitive data and, of course, money. $10 billion worth last year, in fact.

One purpose of identity management technology is to push fraudsters out of direct attacks on credentials and into social engineering. Identity management technologies can still help with that, too: a voice biometric checks the caller rather than the caller’s story, which is exactly the thing a sympathetic representative cannot check.

You know better but I know him

If we go to biometric IDs, will hackers try to steal your face? (CreditCards.com)

How much damage could a data thief do with your biometrics? According to experts from three different biometric modalities, the threat of someone virtually slipping into your skin is based far more on Hollywood-fueled paranoia than how biometrics are actually secured and deployed in the real world.

An analysis of iris, vein and heartbeat biometrics follows from there.

The piece also serves as a useful counterpoint to this one at InfoWorld, which lists biometric authentication technology as “Doomed security technology No. 1,” and where the author’s formulation,

“After all, using your face, fingerprint, DNA, or some other biometric marker seems like the perfect log-on credential — to someone who doesn’t specialize in log-on authentication.”

invites the retort: After all, using your face, fingerprint, DNA, or some other biometric marker seems like it is destined for history’s dustbin — to someone who doesn’t specialize in biometric authentication.

Biometric sign-on

Biometric SSO – A secret weapon to protect your data (Engadget)

The advantages of using biometric SSO solutions for securing enterprise information are huge. Firstly, utilizing biometric SSO authentication provides stronger authentication and security instead of relying on traditional passwords. It is nearly impossible to steal or duplicate biometric characteristics for authentication purposes. Besides, biometric characteristics are unique for every person in the world; even identical twins have different biometrics. Hence, biometric SSO achieves the highest level of identification accuracy. Secondly, implementing a biometric SSO technology is considered a cost-effective solution to reduce financial losses from being compromised by weak password management policies. Thirdly, the variety of biometric SSO modalities available, such as fingerprint, iris, vein, and palm, brings huge flexibility to organizations to achieve a better return on investment.

Often overlooked, biometric hardware itself provides an enormous security benefit. From this 2012 post on biometrics in schools:

Biometrics provide for more secure information because the biometric sensor hardware itself provides a layer of protection that a keyboard never can for passwords. In the standard username/password regime the hardware used, the keyboard, offers no additional security: a hacker needs only a keyboard to fill in the proper fields and she gains access to the network. If that username/password is a superuser or administrator credential, an organization may see some turnover in the CTO function.

Biometric authentication is a very different animal because with biometrics the hardware layer does provide extra security. If the hacker steals a biometric or an unencrypted biometric template (a long character string), she can’t just type it in, even if she finds the place in the code that handles the template; it has to come from the fingerprint sensor. The template resulting from a verification attempt is like a single-use password created during the interaction of a physical object (a body part) with a particular known sensor. The caveat a practitioner should add: this holds only when the system enforces it, that is, when the matcher accepts a template only over a channel it can attribute to a genuine sensor (a signed or otherwise attested capture bound to a fresh challenge) and refuses replays. Where the sensor is just a peripheral feeding raw bytes into the same input path a keyboard would use, a stolen template can be injected as easily as a stolen password.
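The property described above, a template that only counts if it came from a known sensor during this particular verification attempt, is a protocol property rather than a hardware one. The following is an added example (not code from the original post or from any product) of how a verifier can enforce it: a hypothetical sensor tags each capture with an HMAC over the verifier’s fresh nonce, its own sensor ID and the template; the verifier accepts a template only with a valid tag over a nonce it issued and has not yet consumed, and only then does the fuzzy match. The per-sensor secret, the nonce size, the 64-bit toy templates, the Hamming-distance threshold and the scenario inputs are all assumptions for illustration; a real sensor would sign with a key in a secure element and real templates are far larger.

```python
import hashlib
import hmac
import secrets

# Assumption: a per-sensor secret provisioned at manufacture and known only to
# the sensor and the verifier. A real deployment would use an asymmetric key
# held in the sensor's secure element; HMAC keeps the example self-contained.
SENSOR_KEYS = {"sensor-01": secrets.token_bytes(32)}


def hamming(a: bytes, b: bytes) -> int:
    """Bit distance between two equal-length toy templates (fuzzy match)."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def sensor_capture(sensor_id: str, nonce: bytes, template: bytes) -> dict:
    """What the hypothetical sensor emits: the template it just extracted,
    bound to the verifier's challenge nonce and to the sensor's identity."""
    key = SENSOR_KEYS[sensor_id]
    tag = hmac.new(key, nonce + sensor_id.encode() + template, hashlib.sha256).digest()
    return {"sensor_id": sensor_id, "nonce": nonce, "template": template, "tag": tag}


class Verifier:
    def __init__(self) -> None:
        self.outstanding: set = set()  # nonces issued but not yet consumed

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, capture: dict, enrolled: bytes, max_distance: int = 3) -> bool:
        nonce = capture["nonce"]
        if nonce not in self.outstanding:
            return False          # replayed capture, or a nonce we never issued
        self.outstanding.discard(nonce)   # single use, consumed even on failure
        key = SENSOR_KEYS.get(capture["sensor_id"])
        if key is None:
            return False          # unknown sensor
        expected = hmac.new(key, nonce + capture["sensor_id"].encode() + capture["template"],
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, capture["tag"]):
            return False          # template did not come from this sensor for this challenge
        return hamming(capture["template"], enrolled) <= max_distance


def demo() -> dict:
    """Three constructed scenarios: a genuine capture, a replay of it, and a
    forgery by an attacker who holds the enrolled template but no sensor key."""
    v = Verifier()
    enrolled = bytes.fromhex("a1b2c3d4e5f60718")   # constructed 64-bit toy template
    fresh = bytes.fromhex("a1b2c3d4e5f60719")      # one bit off: same finger, new scan

    n1 = v.challenge()
    cap = sensor_capture("sensor-01", n1, fresh)
    genuine = v.verify(cap, enrolled)

    replay = v.verify(cap, enrolled)               # same message again: nonce already consumed

    n3 = v.challenge()
    forged = {"sensor_id": "sensor-01", "nonce": n3, "template": enrolled, "tag": bytes(32)}
    forged_ok = v.verify(forged, enrolled)         # right template, no sensor key

    return {"genuine": genuine, "replay": replay, "forged": forged_ok}


if __name__ == "__main__":
    print(demo())
```

The point the post makes falls out of the last two scenarios: knowing the template is not enough, because the verifier only trusts a template that a keyed sensor produced for a nonce it just issued. The flip side is that the sensor key is now the thing worth stealing, which is why it belongs in hardware the host cannot read.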

ID and the internet of things

The Internet of Everything: Is your company ready for machine intelligence? (VentureBeat)

While most of us are familiar with biometric authentication, machine learning may make authentication effortless. “It’s about convenience,” says Zaki. “Our vision is that authentication should be happening in the background continuously.”

If you’re typing on your phone, your fingerprint can be immediately detected; if you’re looking at your screen, your iris can be scanned. Multifactor authentication can include a number of things…

It’s going to be a programmatic challenge, but creating a “smart environment” that takes in bits of information from all available sources in order to identify individuals for logical and physical access control is becoming a possibility.

A way out of “Authentication hell”

Biometric authentication could help solve online fraud (bobsguide)

Darren Hodder, Director of Fraud Consulting, told delegates at the SMi 2nd Annual Big Data in Retail Financial Services last week that the easiest way to solve online fraud is for banks to know exactly who their customer is, which could be achieved through biometric authentication.

Hodder believes that we are currently in “authentication hell” and that the authentication processes used by biometrics such as facial, iris, fingerprint or vein recognition could help to reduce the risk of fraud and enhance customer experience by enabling banks to recognise exactly who their customers are.

Market forecast: Multi-Factor authentication

Via MARKETS AND MARKETS: The global multi-factor authentication (MFA) market, which includes different types of authentication and applications, is expected to reach $5.45 billion by 2017 at an estimated CAGR of 17.3% from 2012 to 2017. Two-factor authentication is the most widely used MFA model in the world, with smartcard with PIN and one-time password (OTP) being the most popular techniques. Biometric-based MFA models are growing at a fast rate. North America and Europe cover most of the market, whereas APAC is the fastest-growing region.

The sensor-screen: Two giant leaps

Two things struck me about the news that Christian Holz and Patrick Baudisch of the Hasso Plattner Institute in Potsdam, Germany have developed a type of digital display that can sense fingerprints. World-first: Biometric screen recognises fingerprints (Techworld)

The first is the engineering of the screen itself:

“The key that allows Fiberio to display an image and sense fingerprints at the same time is its screen material: a fibre optic plate,” said Holz.

The fibre optic plate is comprised entirely of millions of 3mm-long optical fibres bundled together vertically.

Each fibre emits rays of visible light from an image projector placed below the glass. At the same time, infrared light from a source adjacent to the projector bounces off the fingerprints and back down to an infrared camera below.

That sounds like each pixel is controlled with its own fiber and, theoretically at least, should allow for two-way communication of all sorts of information through the screen. At that point the screen might eventually become the camera, too.

Then there’s the approach to authentication the screen technology facilitates.

Security is one of the main issues around deploying public computers and the researchers addressed this by implementing an additional security layer, which authenticates users every time they try and do something to verify if the respective user has the authority to perform the task they are trying to complete.

The other really big idea this screen-sensor allows is authentication at the level of each input event, that is, continuous ID verification. Because the screen can “see,” it could always “know,” to some degree, who is using it. With that, the whole log-in/log-out regime could get an overdue overhaul.

Biometric Authentication Provides Better Mobile Device Security (Press Release via Marketwatch)

“Today’s phones already enable contactless payments, mobile wallets and mobile banking, and these changes signal the need for secure services that can be performed wirelessly or with a smartphone,” says Denise Culver, research analyst with Heavy Reading Insider and author of the report. “And as smartphones, tablets and other mobile devices continue to proliferate and provide users with powerful, mobile, networked multimedia computing options, the need to secure them will become even greater.”

The drive behind biometric authentication on smartphones will come from both the consumer and the enterprise, Culver says.

PayPal would prefer prints to passwords, PINs. But…

…as the article concludes, it’s not necessarily an either/or proposition.

Online financial services providers are looking forward to a future where they are less reliant on password technology for authenticating their customers’ identities online, and they seem to have very open minds regarding biometrics. But can biometrics supplant the password altogether?

PayPal wants to get rid of passwords in favor of biometric security (SlashGear)

However, he [ed. PayPal chief information security officer Michael Barrett] noted that passwords simply won’t go away after biometrics are introduced. It’ll certainly take a while before a new standard can completely take over, especially considering that passwords have been the standard for so many years. So while we could see smartphones with integrated fingerprint scanners, it could be a few years before a new security standard takes over full-time.

Biometrics can be used to overcome some of the limitations of passwords in use cases important to PayPal.

A biometric template is like a really long password your body makes (the example below is 800 hexadecimal characters), in that biometrics allow for a far more complex credential that the user doesn’t have to remember or write down. The analogy has limits that matter in practice: a template is matched approximately rather than compared exactly, it cannot be changed if it leaks, and a fingerprint is not secret in the way a password is, so the template has to be protected as stored data and bound to a trusted sensor rather than treated as a secret the user presents.

Nevertheless (and in agreement with the quoted article’s concluding paragraphs), rather than making passwords obsolete, biometrics will most probably be used to return the password to the simplicity of the PIN era, ending the arms race that has required the use of longer, more complex, and more frequently changing passwords.

Real fingerprint template: [800-character hexadecimal string omitted]
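To make the “PIN plus biometric” idea from the preceding paragraphs concrete, here is an added example (not the page’s own code and not PayPal’s) of an account that requires both an approximate biometric match and a PIN, with a lockout budget that protects the PIN’s four digits. The Hamming threshold, the PBKDF2 iteration count, the lockout limit and the 64-bit toy templates are assumptions; the two threat scenarios at the end (an attacker who knows the PIN but presents another finger, and one who has a copy of the finger but not the PIN) are constructed.

```python
import hashlib
import hmac
import os

PIN_KDF_ITERATIONS = 100_000  # assumption: a slow KDF so an offline guess is costly too
MAX_FAILURES = 5              # assumption: lockout budget for the low-entropy PIN


def hamming(a: bytes, b: bytes) -> int:
    """Bit distance between two equal-length toy templates; a biometric
    match is 'close enough', never byte-for-byte equality."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


class Account:
    def __init__(self, pin: str, enrolled_template: bytes) -> None:
        self.salt = os.urandom(16)
        self.pin_hash = self._kdf(pin)
        self.template = enrolled_template  # would be encrypted at rest; see text
        self.failures = 0
        self.locked = False

    def _kdf(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, PIN_KDF_ITERATIONS)

    def authenticate(self, pin: str, probe: bytes, max_distance: int = 3) -> bool:
        if self.locked:
            return False
        # Evaluate both factors unconditionally so the result does not reveal
        # which one failed; the failure counter covers both.
        pin_ok = hmac.compare_digest(self._kdf(pin), self.pin_hash)
        bio_ok = hamming(probe, self.template) <= max_distance
        if pin_ok and bio_ok:
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked = True
        return False


def demo() -> dict:
    enrolled = bytes.fromhex("0f1e2d3c4b5a6978")      # constructed enrolled template
    same_finger = bytes.fromhex("0f1e2d3c4b5a697a")   # 1 bit off: fresh scan of the same finger
    other_finger = bytes.fromhex("f0e1d2c3b4a59687")  # bitwise complement: a different finger

    acct = Account("4821", enrolled)
    genuine = acct.authenticate("4821", same_finger)
    pin_only = acct.authenticate("4821", other_finger)   # knows the PIN, wrong finger

    # Attacker with a copy of the finger searches the PIN space; lockout ends it.
    victim = Account("4821", enrolled)
    attempts = 0
    guessed = False
    for guess in range(10_000):
        attempts += 1
        if victim.authenticate(f"{guess:04d}", same_finger):
            guessed = True
            break
        if victim.locked:
            break

    return {"genuine": genuine, "pin_only": pin_only,
            "guessed": guessed, "attempts_before_lock": attempts}


if __name__ == "__main__":
    print(demo())
```

The four-digit PIN is acceptable here only because of the two things around it: the biometric factor it is paired with, and a counter that stops the search after a handful of tries. Remove either and the PIN is back to being guessable in minutes.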

End of the line for online passwords, says PayPal (BBC)

So the industry is looking to ditch passwords, and is turning to a variety of solutions, such as voice recognition, key stroke analysis and finger print identification.

Payments firm PayPal is one of those leading the changes, and president David Marcus says the aim is to make the whole process seamless.

“Like magic, you’ll be authenticated, and the payment will go through,” he tells BBC World Service’s Business Daily.

“We want to move away from passwords, and get to embedded fingerprint scanners on mobile phones

Praise for Ghana’s recent elections

We Should Learn From Ghana Experience (PM News)

“Having been based in Ghana as the Nigeria High Commissioner for four years, going back for the last election was an added value to my trip, in the sense that I can confidently say that their last election where I was an observer, was an improvement on what transpired during the previous presidential and parliamentary election in Ghana.

The introduction of the biometric data-based machine actually assisted in terms of verifying and authenticating the voters and orderliness despite the huge turnout. The orderliness demonstrated by Ghanaians was highly commendable.”

If I recall correctly (and unlike the recent Ghanaian elections), the last Nigerian elections featured biometric registration but not biometric voter verification. That recollection is supported here, where a Nigerian official expresses hope for 100% biometric voter authentication by 2015, and later in the interview.

More at the link.

In search of a post-password world

Google wants to ditch the password – sounds lovely (Singularity Hub)

Memorizing numerous passwords is inconvenient. This is known. To counteract said inconvenience, many people use memorable (read: hackable) passwords on multiple sites. Which is a shame because security experts advise that, at a minimum, we use different, random, alpha-numeric strings for every website and switch them out every few months. Kind of the opposite of convenient. And even this method provides but a fig leaf of security.

Google isn’t suggesting biometrics, at least not yet, but the article does cover biometrics as a possible solution.

The future of online user authentication

7 Reasons Passwords Are Doomed – Finally (ReadWrite Enterprise)

Passwords control your life. From accessing work email and stock prices on the go to checking a grocery store shopping list, passwords have become the primary source of identifying who you are. They are arguably more important than your driver’s license.

But with that ubiquity comes risk – this tiny, yet powerful device contains enough information to expose your financial or health records and other personal details. From an enterprise perspective, the risks are just as great, if not greater.

Ubiquity also creates confusion. On average, password reset requests make up 10% – 30% of all IT helpdesk calls. It’s a productivity black hole.

Granted, despite their problems, passwords have shown incredible staying power. But here are seven reasons why they will finally fade away.

The reasons Toby Rush, EyeVerify CEO, gives for the decline of the password as a human authentication method are good ones.

Humans, however, aren’t the only entities that must identify themselves to IT infrastructure. Computers, services and devices have to do it too, with secrets that are stored and presented by software rather than typed. For that reason it’s hard to foresee the extinction of the password, but that might not matter much: long passwords don’t bother computers nearly as much as they bother people.

Is voice the killer app for mobile ID?

The Rise of Voice Biometrics for Mobile Phones (MIT Technology Review)

Analysis of voice verification technology from a security angle:

The question, of course, is which biometric system to use. Face, fingerprint and iris recognition are all topics of intense research. But the most obvious choice for a mobile phone is surely voice identification. However, this approach has been plagued with problems.

For example, people’s voices can change dramatically when they are ill or in a hurry. What’s more, it’s relatively easy to record somebody’s voice during authentication and use that to break the system. So many groups have steered away from voice biometrics.

That could be set to change.

Mobile devices already contain the hardware required to deliver two biometric modalities: a camera for facial recognition and a microphone for voice. These modalities present challenges not usually associated with fingerprint biometrics. For facial recognition the challenges include lighting and the well-publicized photograph spoof; for voice, background noise and the replayed recording the article mentions. But they offer the advantage that the hardware is “free” and never going to be yanked out of mobile devices. That’s quite an advantage, and it points to why face and voice biometrics are the front-runners for handset biometrics.

This post has a longer discussion of mobile ID management and hardware.