2016 / 13 September

Ready to Dump Your 2,000 Year-Old Passwords?


The first documented use of passwords can be traced back to at least 200 B.C., when Roman soldiers used them to tell friend from foe around their encampments.  It was a system that was easily compromised in ancient times, and our use of digital passwords in today’s modern world is just as vulnerable.

What’s the Problem?

If you’re like most people, passwords can seem like the bane of your existence on a bad day and just damn annoying at best.  With dozens or even hundreds of tortuously complex passwords to remember, it’s no wonder that people have taken to writing them down or using various electronic password managers. Of course, recent events have shown us that password managers and other cloud-based solutions are, ironically, often less secure than a Post-It Note stuck in our desk drawer.

With more than 2,000 years of password technology under our belt, you’d think we would have come up with a better solution, right?  Well, we did … sort of.  We forced ourselves to use insanely complex passwords; implemented policies that require us to frequently change them; added two-factor authentication (i.e., a second password); handed out hardware dongles; and the list goes on.  The problem is that all of these approaches have sacrificed user convenience as the price for better security – we’re fighting against human nature, and that is never a good thing!

Password solutions have progressively gotten more complex and less convenient.

Virtually all of the password solutions today involve answering one or, sometimes, two questions that are fundamentally flawed when used by themselves:

“What you know?” – your username, password, or PIN.

“What you have?” – typically involves having access to your smartphone or other type of one-time password generator used by many two-factor authentication solutions.  In many ways, these are nothing more than a second password.

Anything that you need to know can be compromised.  The fact that you know something means it must be in a form that is easily remembered or stored someplace that is potentially accessible to the bad guys.  Virtually every cyber security incident, at some point, involves compromising someone’s username and password to gain access to the proverbial crown jewels.

Anything that you have can be stolen.  So, the moment you rely on a high-theft item such as your smartphone for two-factor authentication, you not only sacrifice convenience for security but you have also introduced a new potential vulnerability. And let’s face it, how many of you REALLY use annoying two-factor authentication other than when you are forced to do so by your employer or perhaps your bank? Yes, I know some of you do, but let’s just say that you are an anomaly when it comes to the rest of the mere mortals in the world.

More importantly, what impact have all of these password solutions and policies had on the trajectory of cyber crime? Very little is the answer.

Obviously the growth in cyber crime over the past decade is due to a variety of issues, including how lucrative it’s become for criminals, but the point is that what we are doing today to protect ourselves is having little impact in terms of turning the tide. While the inherent weakness of passwords isn’t the only cause, it is certainly one of the key underlying factors.


The Solution. Who are you?

To borrow from Shakespeare, “that is the question” we should be asking. It’s also part of a more complete password solution that makes use of something that is not as easily compromised, doesn’t need to be remembered, and is far more convenient – biometrics.  Biometrics include a multitude of biologically driven identification technologies that include things like fingerprints, facial recognition, iris matching, voice print, etc.

Biometrics are a mature technology, but their security and privacy depend entirely on the implementation.  When used as the keys to your digital identity, it’s critical that your biometric templates are stored someplace where they are not vulnerable to theft and never fall outside of your control.  You wouldn’t store the keys to an expensive sports car underneath the floor mat, and neither should you store your biometric keys on your phone.  Keys need to be kept separate from the devices that use them. The next time you use your fingerprint to unlock your phone, you may want to read this article: Has Your Smartphone Already Been Hacked? Once your biometrics have been compromised, they can never be changed – short of perhaps visiting a plastic surgeon. So, where should you store your biometric keys?  More on that in a moment.

That brings me to my next point regarding the immutable nature of biometric identification and how that factors into an overall password security solution.  Some naysayers of biometric identification point to the fact that since you can’t change your biometrics, traditional passwords are safer.  To that I say, hogwash! For one thing, if done properly it’s FAR more difficult to steal my physical biometric details if you’re a hacker on the other side of the planet and those details are stored only in a location that I physically control.  Secondly, let’s not throw out the baby with the bathwater – there are some good things about passwords.  No, I’m not talking out of both sides of my mouth. Imagine a scenario where you, the user, use your biometrics to authenticate into your online bank account, but behind the scenes there is an enormously complex password that is part of the identification process, changes daily, and never needs to be known by you.  In fact, it’s impossible for you to know it.  Perhaps this is combined with an automated one-time password that you also never need to see. Now you’ve combined the benefits of biometrics with the few strengths that passwords can provide while eliminating a key weakness – you no longer need to know your password. That equals convenience plus better security!
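To make the scenario above concrete, here is an added example in Python that is not code from the original post and not BluStor’s or CyberGate’s implementation. It assumes a single master secret provisioned once into the card and the bank’s server at enrolment (an assumption for this illustration); the on-card biometric match is simulated as a boolean. After a match, the card derives the day’s credential and a one-time code from that master secret and releases only those, so the user never sees, types, or remembers either, and the credential automatically changes at UTC midnight.

```python
"""Added illustration of a daily-rotating credential plus one-time code that the
user never sees.  Constructed example, not BluStor/CyberGate code.  Assumption:
the card and the server share a master secret provisioned at enrolment."""
import hmac
import hashlib
import struct
from datetime import datetime, timezone
from typing import Optional

CLOCK_STEP = 30   # TOTP time step in seconds (RFC 6238 default)
OTP_DIGITS = 6


def daily_credential(master: bytes, when: datetime) -> bytes:
    """The 'enormously complex password': HMAC of the UTC date under the master
    secret.  It is 32 random-looking bytes and changes every day."""
    day = when.astimezone(timezone.utc).strftime("%Y-%m-%d").encode()
    return hmac.new(master, b"daily-credential:" + day, hashlib.sha256).digest()


def hotp(secret: bytes, counter: int, digits: int = OTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, when: datetime, step: int = CLOCK_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, int(when.timestamp()) // step)


def card_authenticate(master: bytes, biometric_matched: bool,
                      when: datetime) -> Optional[dict]:
    """What the card releases.  The biometric template never leaves the card;
    the match merely unlocks use of the master secret.  Nothing is released
    without a match."""
    if not biometric_matched:
        return None
    return {
        "credential": daily_credential(master, when).hex(),
        "otp": totp(master, when),
    }


def server_verify(master: bytes, assertion: Optional[dict], when: datetime,
                  drift_steps: int = 1) -> bool:
    """Server side: recompute both values from its own copy of the master secret
    and compare in constant time.  A small clock drift is tolerated for the OTP;
    the daily credential must match exactly."""
    if assertion is None:
        return False
    expected = daily_credential(master, when).hex()
    if not hmac.compare_digest(expected, assertion.get("credential", "")):
        return False
    base = int(when.timestamp()) // CLOCK_STEP
    return any(
        hmac.compare_digest(hotp(master, base + d), assertion.get("otp", ""))
        for d in range(-drift_steps, drift_steps + 1)
    )


if __name__ == "__main__":
    master_secret = bytes(range(32))            # constructed demo secret
    now = datetime(2016, 9, 13, 12, 0, tzinfo=timezone.utc)
    assertion = card_authenticate(master_secret, biometric_matched=True, when=now)
    print("card released:", assertion)
    print("server accepts:", server_verify(master_secret, assertion, now))
    tomorrow = datetime(2016, 9, 14, 0, 0, tzinfo=timezone.utc)
    print("same assertion next day:", server_verify(master_secret, assertion, tomorrow))
```

The point the example makes is that the only secret worth stealing is the master secret, and in this design it lives on the card (and at the server), not in the user’s head, on a sticky note, or on an always-connected phone; what travels over the wire is a derived value that expires on its own.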

What about privacy?  Well, let’s just say the moment that you put your sensitive data in the hands of an online password manager, always connected devices like your smartphone, or any cloud-based solution, they are not only more vulnerable to hackers they are certainly open to prying eyes.  So, don’t do it!

Okay, that brings me to a quick plug for the CyberGate card by BluStor — a real solution that helps solve many of the above challenges. To put it simply, CyberGate is a sophisticated wireless personal biometric identification and data storage card that stays safely in your wallet or purse.   Supporting multi-factor biometric authentication, the CyberGate card replaces -OR- augments traditional usernames, passwords, and PINs with ultra-secure biometric authentication.  The security and privacy of your biometric templates and the data stored on the card are always safely in your physical control – never on your mobile device or in the hands of a third-party.  It combines the convenience of biometric identification with tremendously improved security and privacy — allowing you to ditch your passwords.

It’s taken more than 2,000 years but today the technology and solution exists to allow us to dump our passwords. And it’s about time!

If you valued this article and want more, please share it via your Twitter, LinkedIn, Google+, Facebook, and other social media outlets. I encourage you to join the conversation or ask questions, so feel free to add a comment to this post.

You can also find me on Twitter at @NewFrontierCIO for more commentary on the frontiers of technology, leadership, space exploration, and science.
