Visa: Goodbye, passwords. Hello, biometrics.

Consumers ready to switch from passwords to biometrics, Visa finds (The Paypers)

“Consumers are ready to leave the password behind and adopt biometrics, according to the results from a survey commissioned by Visa.”

The full pdf info-graphic from Visa is available here.

The study of 1,000 U.S. adult consumers who use at least one credit card, debit card, and/or mobile pay account covers a range of topics on biometrics including:

  • Top benefits
  • Top concerns
  • Trusted entities

And more!

The persistence of passwords

Biometrics has growing, but not sole, role in authentication security (Information Management)

“Many IT professionals aren’t convinced biometrics can serve as a secure and reliable replacement for the standard username and password combo,” said Peter Tsai, senior technology analyst at Spiceworks. “Unless technology vendors can address the security issues and privacy concerns associated with biometrics, the technology will likely be used side-by-side in the workplace with traditional passwords or as a secondary authentication factor for the foreseeable future.”

It looks like this 2013 post and the paper that informed it are holding up quite well.

In the paper, A Research Agenda Acknowledging the Persistence of Passwords, Cormac Herley and Paul C. van Oorschot write:

“Passwords, though unloved, deserve some words of praise. They have brought us this far: they are the means by which two billion Internet users access email, banking, social networking and other services. They are essentially free from the service provider viewpoint, and are readily understood by users. They allow instantaneous account setup. Revocation is as simple as changing the password. Those who forget their passwords can be emailed either reset links or the passwords themselves (this practice, though insecure, is common for low-value sites). All of this is automated and instantaneous. They allow access to one’s accounts from anywhere in the world assuming nothing more than a simple browser. Sophisticated users can protect themselves from many of the threats. “

All this is still true. Biometrics, however, can also be used to return the password to the simplicity of the PIN. For example, a fingerprint scan paired with a weak password such as a 4-digit PIN (with the usual lockout after a handful of failed attempts) provides far stronger authentication than any password a human could be expected to type. In other words, biometrics can be combined with rudimentary passwords to bring an end to the “password arms race” in which the main coping strategy has been longer, more complex and more frequently changed passwords, which are the real reasons people tire of the humble workhorse of the ID game. So instead of replacing the password, biometrics might one day be used to salvage what makes it great while minimizing the frustrations that come from over-reliance upon it.


Mature talk on authentication…

Security vs. usability—that’s the choice we make with passwords (Phys.org)

We all need some kind of authentication process if we are to access information systems at work or at home. We know why we need to do it: to make sure we have access to our data and unauthorised people don’t.

So why do we routinely ignore such advice[…]?

Not all passwords protect equally valuable access. It turns out that many people are choosing weak passwords on low-priority systems like retail and media sites, and stronger authentication measures on high-priority systems like finance and work-related systems.

This helps explain why even rigorous security measures like biometrics are being applied first in exactly those places (finance, work systems) where people are willing to jump through extra password-related hoops but find the resulting password regime horribly inconvenient.

The amazing durability of password technology

You Might Want To Take Another Pass At Your Passwords (GPB News)

Cormac Herley is in the 95 percent who don’t. He’s principal researcher with Microsoft Research, an arm of the software giant.

“Passwords are the worst system in the world, except for all the other systems,” he says.

Herley recommends assigning different tiers to passwords: use your best, most complex ones for work and banking, and devote less effort to those that don’t matter as much. But even that can be a lot to ask, even for him.

“I write the passwords down and have a photocopy at home and a photocopy in the office and a couple copies here and there.”

But, could all that be compromising security?

“Well, I mean, um, yes,” he says.

I also love Herley’s repurposing of the democracy quote often attributed to Winston Churchill.

Being realistic about passwords

Ping Identity engineer: On second thought, passwords may be okay (FierceEnterpriseCommunications)

In the first part of a new discussion with Paul Madsen, a senior technical architect in Ping’s office of the CTO, I first asked whether Ping truly did intend to resurrect the password as a viable mechanism by way of supporting FIDO 1.0.

Paul Madsen, Senior Technical Architect, Ping Identity: It’s less a resurrection than just trying to be a little bit realistic about what FIDO does, and what it can do. Half of the FIDO specification set–U2F, specifically–pretty much assumes that there are still passwords in the mix. FIDO, arguably more so than killing off passwords, just mitigates some of their worst problems, particularly the risk of bulk compromise of the password database, as we see more and more.

Two things jump right out of this article. The first is the realistic treatment of the fact that passwords aren’t going the way of the dodo any time soon. The second is that passwords that control access to databases of passwords are very different from passwords that control access to an individual account.

The big scores are database hacks.

See also:
FIDO is not the end of passwords (and that’s OK) at the Ping Identity blog. It’s well worth it.

Well, he will be soon, he’s very ill.

The Dead Collector: Bring out yer dead.
Man With Dead Body: Here’s one.
The Dead Collector: That’ll be ninepence.
That Claims It Isn’t: I’m not dead.
The Dead Collector: What?
Man With Dead Body: Nothing. There’s your ninepence.
The Dead Collector: ‘Ere, he says he’s not dead.
Man With Dead Body: Yes he is.
That Claims It Isn’t: I’m not.
The Dead Collector: He isn’t.
Man With Dead Body: Well, he will be soon, he’s very ill. [Source]

FIDO 1.0 Specifications are Published and Final Preparing for Broad Industry Adoption of Strong Authentication in 2015 (FIDO Alliance)

“Today, we celebrate an achievement that will define the point at which the old world order of passwords and PINs started to wither and die,” said Michael Barrett, president of the FIDO Alliance. “FIDO Alliance pioneers can forever lay claim to ushering in the ‘post password’ era, which is already revealing new dimensions in Internet services and digital commerce.”

FIDO is doing great work at developing standards for managing online identity without passwords.
FIDO’s press release and this article at PC World explain what FIDO is up to quite well and the people behind FIDO are to be commended for tackling a serious issue, the solution to which could add significantly to the value proposition for businesses and customers interacting over electronic networks.

Just don’t fall for all the “death of passwords” hype that is out there in other places.

Passwords are going to be around for a long, long time but FIDO is doing a great job of corralling them back to where they can do the most good with the least annoyance.

See also:
Why Passwords are Great

Maybe one day

The White House Cybersecurity Czar Wants to Kill Your Password (Roll Call)

Michael Daniel, the White House cyber czar, says he isn’t just worried about bad passwords as a security liability. He doesn’t even want the password around anymore at all as a big part of computer security.

“Frankly, I would really love to kill the password dead as a primary security method, because it’s terrible,” Daniel said Thursday.

I reckon the password will live a good while longer yet. Simply put, it does so much work for so little effort; its return on investment is through the roof. Also, we’re at a point where things that aren’t people need to identify themselves to computer systems, and they don’t have biometrics.

Biometrics can be used to eliminate passwords in many applications. For higher security identifications, biometrics can be used to stem the tide of increasingly complex passwords and move back toward the simplicity of the PIN.

See also: More on the Awesomeness of Passwords

The Extinction of Passwords (Business 2 Community)

Currently, passwords are total chaos. In fact, most people have terrible passwords that are easy for hackers to guess. Even worse, many people use the same password for all their accounts, and they haven’t changed their password for years. So all a hacker has to do is guess the password once and they’ll have access to the user’s entire life. And while we were all advised to change our passwords after the recent Heartbleed attack, very few of us actually did.

Since we’re not really managing our passwords appropriately, it’s time to get rid of the hassle of passwords and use something with more data points and that is unique to each individual.

I guess it’s a start

“password” is no longer the most popular password on the internet.

  The 25 most common passwords of 2013 (CBS News)

According to password management company SplashData, the top three passwords of the year are “123456,” “password” and “12345678.” The top three passwords haven’t changed, but “123456” and “password” swapped places from last year. The company’s list of the “25 worst passwords of the year” was compiled using data that hackers have posted online, which are said to be stolen passwords.

Interesting usability research out of the University of Washington

Read the whole thing; it’s good. My little quibbles after the quote are meant to reinforce the general point of the research which is “if people won’t use it, it won’t work (and vice versa).” The importance of research is the attempt to identify and quantify, and therefore perhaps predict, how much people will endure before they throw their hands up in the air and quit on the technology.

Technology to Replace Passwords Fails User Tests (PsychCentral)

University of Washington engineers are trying to figure out why fingerprint- and eye- and face-recognition authentication technology have not gone mainstream. They found in a recent study that the user’s experience could be key to creating a system that doesn’t rely on passwords.

“How humans interact with biometric devices is critically important for their future success,” said lead researcher Cecilia Aragon, Ph.D., a UW associate professor of human-centered design and engineering.

“This is the beginning of looking at biometric authentication as a socio-technical system, where not only does it require that it be efficient and accurate, but also something that people trust, accept and don’t get frustrated with.”

So true, but hardly new. Security is, and always has been, a socio-technical system. We’ve all seen a waste basket used to keep a self-locking door propped open. If the security measure is disproportionate to the cost of a security breach, people will reject the system. Thoughtful security planners have always known this and it’s why one of our mantras around here is “biometrics is about people.”

Passwords are also likely to be around for a long, long time, but if biometrics could displace passwords in certain cases and allow for simpler passwords in other cases, that’s a big advance. Where simple passwords (PINs) are sufficient today, biometrics should be able to displace them altogether. Where increasingly complex passwords are required today, applying biometrics should allow for simpler passwords such as 4-digit PINs.

That’s nothing to sneeze at.

Soon, your body will be the only password you need (DVice)

Tiny little computers and sensors are in development all across the globe. And while their development is primarily geared toward a better understanding of our health, there’s another emerging application for their use — biometric security, where your voice and skin and eyeballs are more secure than any password could ever be.

On the one hand, this can sound crazy and too fictitious to be true, especially since it’s been a staple for just about every single sci-fi movie and TV show ever. On the other, we’ve basically already accepted the use of our bodies as sources of information and security.

PayPal would prefer prints to passwords, PINs. But…

…as the article concludes, it’s not necessarily an either/or proposition.

Online financial services providers are looking forward to a future where they are less reliant on password technology for authenticating their customers’ identities on line and they seem to have very open minds re biometrics. But can biometrics supplant the password altogether?

PayPal wants to get rid of passwords in favor of biometric security (SlashGear)

However, he [ed. PayPal chief information security officer Michael Barrett] noted that passwords simply won’t go away after biometrics are introduced. It’ll certainly take a while before a new standard can completely take over, especially considering that passwords have been the standard for so many years. So while we could see smartphones with integrated fingerprint scanners, it could be a few years before a new security standard takes over full-time.

Biometrics can be used to overcome some of the limitations of passwords in use cases important to PayPal.

A biometric template is like a really long password your body makes (the example below runs to 800 hexadecimal characters); in that sense biometrics allow for a far more complex secret than a user could ever remember or write down. The analogy has limits a system designer has to respect, though: a template is matched by similarity rather than exact equality, so it cannot be stored as a salted hash the way a password is, and if a stored template is stolen it cannot be changed the way a password can. Stored templates therefore need protection of their own.

Nevertheless (and in agreement with the quoted article’s concluding paragraphs), rather than making passwords obsolete, biometrics will most probably be used to return the password to the simplicity of the PIN era, ending the arms race that has required the use of longer, more complex, and more frequently changed passwords.

Real fingerprint template:
2aba08229b3b2a44e72c8f14da168a560a3caf2257add068a7fc1636215bff53152546da3fc8071ea84433a42261f4ff7bc3b455199be8980eea2bb1e922f18aa309e050130d72ca124ecd6e9e86459e60858ff44f71d0c1c4e23b97a9a6554619543e8d347f79ea8fa70db87eaea7f37bf2cac4e697d5525479cc72fb653b5d32089e7b3cbcd01f8dba60eda95a50a31b2dc9ebaf0d5f602a64ff47f06cf97c1b2dc9ebaf0d5f602a64ff47f06cf97c1b2dc9ebaf0d5f602a64ff47f06cf97c1b2dc9ebaf0d5f602a64ff47f06cf97c1b2dc9ebaf0d5f602a64ff47f06cf97c1b2dc9ebaf0d5f602a64ff47f06cf97c1b2dc9ebaf0d5f602a64ff47f06cf97c1b2dc9ebaf0d5f602a64ff47f06cf97c1b2dc9ebaf0d5f602a64ff47f06cf97c1b2dc9ebaf0d5f602a64ff47f06cf97c1b2dc9ebaf0d5f602a64ff47f06cf97c1b2dc9ebaf0d5f602a64ff47f06cf97c1b2dc9ebaf0d5f602a64ff47f06cf97c1b2dc9ebaf0d5f602a64ff47f06cf97c1b2dc9ebaf0d5f602a64ff47f06cf97c1b2dc9ebaf0d5f602a64ff47f06cf97c
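To make the limits of the “long password” analogy concrete, here is an added example (not code from the original post, and not any fingerprint vendor’s matcher) that checks a constructed 256-bit template two ways: the way a password is checked (hash, then exact comparison) and the way a biometric has to be checked (distance to the enrolled template). The enrolled template, the noisy re-capture and the impostor sample are all synthetic data generated from fixed seeds; the number of flipped bits and the distance threshold are assumptions chosen for illustration, not figures from any real system.

```python
import hashlib
import random

# Constructed data: a 256-bit stand-in for an enrolled template and for a
# different person's finger, generated from fixed seeds so the run is
# reproducible. Real templates are vendor-specific structures; these are plain
# bit strings used only to illustrate the matching logic.
ENROLLED = bytes(random.Random(7).getrandbits(8) for _ in range(32))
IMPOSTOR = bytes(random.Random(99).getrandbits(8) for _ in range(32))

# Assumed matcher parameter: accept if at most this many of the 256 bits differ.
MATCH_THRESHOLD = 20


def noisy_resample(template: bytes, flipped_bits: int, seed: int) -> bytes:
    """Simulate presenting the same finger again: the template with a few bits flipped.

    Every live capture differs slightly from enrollment (pressure, angle, dirt),
    which is why biometric matching can never be an exact comparison.
    """
    rng = random.Random(seed)
    out = bytearray(template)
    for pos in rng.sample(range(len(template) * 8), flipped_bits):
        out[pos // 8] ^= 1 << (pos % 8)
    return bytes(out)


def hamming(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def password_style_verify(stored_digest: str, candidate: bytes) -> bool:
    """How a password is checked: hash the candidate and compare for exact equality."""
    return hashlib.sha256(candidate).hexdigest() == stored_digest


def biometric_style_verify(enrolled: bytes, candidate: bytes,
                           threshold: int = MATCH_THRESHOLD) -> bool:
    """How a biometric is checked: the candidate must lie within a distance of the
    enrolled template. The template itself, not a one-way hash of it, has to be
    available to the matcher, which is why it must be guarded as a secret."""
    return hamming(enrolled, candidate) <= threshold


def demo() -> dict:
    """Run both kinds of check on the constructed data and return the outcomes."""
    stored_digest = hashlib.sha256(ENROLLED).hexdigest()
    same_finger = noisy_resample(ENROLLED, flipped_bits=6, seed=1)
    return {
        # Exact comparison rejects the genuine user: hashing destroys similarity.
        "hash_match_same_finger": password_style_verify(stored_digest, same_finger),
        # Distance comparison accepts the genuine user ...
        "distance_match_same_finger": biometric_style_verify(ENROLLED, same_finger),
        # ... and rejects a different finger.
        "distance_match_impostor": biometric_style_verify(ENROLLED, IMPOSTOR),
        "bits_differing_same_finger": hamming(ENROLLED, same_finger),
        "bits_differing_impostor": hamming(ENROLLED, IMPOSTOR),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The practical consequence is the one the text points at: a leaked password table can be protected by slow, salted hashing and, after a breach, by forcing a change; a leaked template table can be neither, so templates belong in encrypted storage or a secure element, matched on the device, with access to them limited as tightly as access to the password table.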

How I learned to quit worrying and love the password

Even in a world saturated with biometric ID management applications, Username/Password verification will still be around.

For one thing, there is no logical limit to the number of password hoops users can be made to jump through, with increasing ID confidence with each consecutive correct answer. The web site for one financial services company I use asks for four pieces of information before allowing me to access the account:

  • user name (a sort-of password)
  • password
  • PIN (really just a shorter password)
  • (and since I have cookies pretty well locked down on my most-favored browser and haven’t bothered to create some sort of exception) one of a menu of security questions is asked every time I log on.

Even though the human representatives employed by this company are uniformly delightful, efficient, and helpful individuals any number of other ID steps could be added to the process before I shunned the web site. After all, the ID steps on the phone with the call center are no less rigorous.

For another, people aren’t the only things that claim an identity before accessing IT systems — computers do it, too, and they don’t have biometrics. Passwords are also a cheap, well-understood, flexible technology that supports certain access control models that biometric techniques don’t.

The challenge that system designers interested in biometrics now face is to identify where using Username/Password is too risky (or piling them up, too cumbersome), and where biometrics can be used to reduce risk to an acceptable level. This requires identifying everything currently authenticated with a Username/Password, determining which of these things are more efficiently protected using biometric authentication, and then implementing the change. This is far easier said than done.

For starters, and we’ve been banging this drum for a long time, it’s a really good idea to require biometrics for access to tables of stored usernames and passwords. The long and short of it, however, is that passwords are going to be around for a long, long time.

As long as that’s the case, it’s good to know a little more about how passwords work as a technology and the following article is a great resource.

Passwords: How to choose one and why we need them (PHYS ORG)

Perhaps it is because they are so ubiquitous that we take them for granted without ever really understanding how they work. Passwords are an example of using something you know to prove your identity. In security circles it is often said the way we prove our identity falls into three categories:

  • something you have, such as a bank card
  • something you are, such as some form of biometric such as a photograph of the user, fingerprint or iris scan
  • something you know, with passwords being the most common example

What are passwords really made of?

Well-designed password systems never store passwords directly. What’s stored instead is

  • the hash – a cryptographic function that takes a sequence of characters or numbers and generates a sequence based on it
  • the salt – some additional characters which do not form part of the password, but are added during encryption to make it harder for hackers to hack password files

The output of a hash function tells you very little about its input so is very difficult to reverse. It takes vastly more computation to reverse a hash value than it takes to calculate it. When a password is entered into a system, the hash of the password and any salt value is calculated and compared with the stored value.

Read the whole thing. It’s quite good, ending with two points upon which the author and I are in complete agreement: There is nothing as cheap and as well understood as passwords. They are likely to be around a while yet.

Like any other technology, there’s a right way and a wrong way to use passwords. If you get to know them, when to use them, how to use them properly, and the techniques used to undermine them, your relationship with the password can be a long and happy one.

See also:
Why passwords are great;
More on the awesomeness of passwords;
Coopetition: Biometrics and Passwords and
Biometrics, passwords & the Illinois water plant hack attack

Tangentially related…

UPDATE: Government lab demonstrates stealth quantum security project (GIGAOM)

Quantum cryptography is supposed to be a kind of holy grail solution for securing the smart grid, cloud computing, and other sensitive networked resources. The technology is still experimental, with only a handful of companies globally providing quantum key distribution services. Now, researchers at Los Alamos National Lab have quietly revealed that they’ve successfully been running what amounts to a mini quantum internet for the past two-and-a-half years.

The basic premise of keeping information secret using quantum mechanical phenomena lies in what is popularly called the observer effect. A quantum message, sent as photons, will be permanently altered if someone observes it, so the sender and recipient will be able to tell if there was a breach.

End of the line for online passwords, says PayPal (BBC)

So the industry is looking to ditch passwords, and is turning to a variety of solutions, such as voice recognition, key stroke analysis and finger print identification.

Payments firm PayPal is one of those leading the changes, and president David Marcus says the aim is to make the whole process seamless.

“Like magic, you’ll be authenticated, and the payment will go through,” he tells BBC World Service’s Business Daily.

“We want to move away from passwords, and get to embedded fingerprint scanners on mobile phones

Biometrics to protect customer data

Stolen credentials, basic security lapses at core of 2012 breaches (Search Security)

A common thread could be woven through the high profile data breaches that took place in 2012. Attackers are targeting basic security lapses and configuration errors or bypassing security systems altogether by using stolen account credentials to appear as a legitimate user on the network.

Any organization that allows access to databases full of customer usernames and passwords without biometric authentication is asking for trouble. First, the number of people who have this sort of access should be limited to as few individuals as possible and those should be the types of people who understand both why the security measures are necessary and how to use them.