At Black Hat 2016, Thycotic conducted a survey of both self-identified white hat and black hat hackers. In part, the survey found that more than 75 percent of respondents believe no password is safe from hackers or the government, and nearly half said they would be willing to hack your password for a fee if asked by the FBI.
It’s yet another bad rap on passwords, which have been the security gatekeeper since at least the 1960s. But passwords have always been a weak security tool, even on those first computers, as a Wired article pointed out: “The irony is that the MIT researchers who pioneered the passwords didn’t really care much about security. CTSS (Compatible Time-Sharing System) may also have been the first system to experience a data breach. One day in 1966, a software bug jumbled up the system’s welcome message and its master password file so that anyone who logged in was presented with the entire list of CTSS passwords.”
There are other options out there beyond the password – biometrics and tokens, for instance – and options to include passwords as part of a larger authentication mechanism. Yet we continue to default to the password as our primary means of authentication, despite its history of compromise and customer experience challenges.
The Fast Identity Online (FIDO) Alliance wants to change that. The Alliance was started in 2012 and is made up of tech companies that want to promote secure but password-less authentication options. The question is whether they can push the rest of enterprise and society into action. No one likes passwords, especially as a litany of data breaches forces us to create new passwords and reinforces the need for unique passwords for everything.
“What makes passwords and user names attractive to criminals is that they are the gateway to personal data held by banks, merchants, social-media sites, and other companies with which people do business online,” Peter Lucas wrote for Digital Transactions.
In the past, companies have worked in silos, within their own environments and with their own industry knowledge of authentication, Mike Lynch, Chief Strategy Officer for InAuth, explained. With a standards organization, best practices for a better method of authentication can be developed for the benefit of all organizations, creating a more united front against potential consumer compromise and breaches.
FIDO Alliance is just one of the drivers for change, however. Real change will depend on acceptance by industry, manufacturers and customers.
“Customers are certainly frustrated by the process of remembering passwords and have seen the benefit of using more secure and easy methods such as biometrics in certain consumer facing apps,” said Lynch. “The customers will continue to voice their demand for the acceptance of their preferred authenticator, whether that be a fingerprint, voice, iris, selfie, etc.”
As David Strom wrote for SearchSecurity, the FIDO Alliance should make two-factor authentication easier and more streamlined. Lynch added that it would be a frictionless experience for users. But this isn’t going to happen overnight. There are serious barriers in the way.
“Apple has not yet joined FIDO, so that limits the market somewhat for true FIDO specific adoption for Apple. Apple tends to maintain its own proprietary yet secure platform,” Lynch said.
“Budgets are certainly a consideration for corporations that have not yet built in biometric (UAF) or second factor (U2F) experiences,” he added. “And building for today still may mean that some future integration must be done in the future. However, in my mind, the benefits for the customer (security/convenience) and for the organization (security/customer delight/lower cost of call center costs) far outweigh the cost of the integration.”
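To make concrete what a U2F-style second factor buys over a password, here is an added example, not code from the article, from InAuth or from the FIDO Alliance: a simplified model of a U2F-style token and a relying party in Go. It is a hypothetical simulation written for this page, not the U2F specification or any real implementation; the appTag helper, the key-handle layout (SHA-256(appID) prefix plus a key id) and the signed-message layout are assumptions chosen to keep the code short. It shows the three properties the article circles around: the server stores only a public key, so a breached credential table leaks nothing reusable the way the CTSS password file did; each signature is bound to the origin that registered the key, so a phishing site holding a stolen key handle gets no signature; and a monotonic signature counter catches a cloned token.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
)

// appTag is the first 8 bytes of SHA-256(appID); it prefixes every key handle so the token knows the origin.
func appTag(appID string) []byte {
	h := sha256.Sum256([]byte(appID))
	return h[:8]
}

// Authenticator is a simplified U2F-style token (a hypothetical model, not the spec). Private keys never leave it.
type Authenticator struct {
	keys    map[string]*ecdsa.PrivateKey // hex key handle -> private key
	counter uint32                       // monotonic signature counter
}
func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}} }

// Register mints a fresh P-256 key pair for appID; only an opaque handle and the public key go to the server.
func (a *Authenticator) Register(appID string) (string, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", nil, err
	}
	id := sha256.Sum256(priv.PublicKey.X.Bytes()) // real tokens wrap the key itself inside the handle
	handle := hex.EncodeToString(append(appTag(appID), id[:8]...))
	a.keys[handle] = priv
	return handle, &priv.PublicKey, nil
}

// signedData is the digest both sides compute: SHA-256(appID) || counter || SHA-256(challenge), hashed again.
func signedData(appID string, counter uint32, challenge []byte) []byte {
	appParam := sha256.Sum256([]byte(appID))
	chalParam := sha256.Sum256(challenge)
	msg := binary.BigEndian.AppendUint32(appParam[:], counter)
	sum := sha256.Sum256(append(msg, chalParam[:]...))
	return sum[:]
}

// Authenticate signs only if the handle was minted for the asking origin: a phishing site gets an error, not a signature.
func (a *Authenticator) Authenticate(appID, handle string, challenge []byte) (uint32, []byte, error) {
	priv, ok := a.keys[handle]
	if !ok || handle[:16] != hex.EncodeToString(appTag(appID)) {
		return 0, nil, errors.New("authenticator: handle not registered for this origin")
	}
	a.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedData(appID, a.counter, challenge))
	return a.counter, sig, err
}

// credential is everything the server stores: no secret, so a leaked table is not reusable like a password file.
type credential struct {
	handle  string
	pub     *ecdsa.PublicKey
	counter uint32
}

// RelyingParty is the server, identified by its appID (origin).
type RelyingParty struct {
	appID string
	creds map[string]credential // user -> credential
}
func NewRelyingParty(appID string) *RelyingParty { return &RelyingParty{appID: appID, creds: map[string]credential{}} }

// Enroll registers the user's token with this origin and keeps only the public key.
func (rp *RelyingParty) Enroll(user string, auth *Authenticator) error {
	handle, pub, err := auth.Register(rp.appID)
	if err != nil {
		return err
	}
	rp.creds[user] = credential{handle: handle, pub: pub}
	return nil
}

// Login runs one challenge-response round: fresh challenge, signature check, and a counter check against replay/clones.
func (rp *RelyingParty) Login(user string, auth *Authenticator) (bool, error) {
	c := rp.creds[user] // unknown user: empty handle, rejected by the authenticator below
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return false, err
	}
	counter, sig, err := auth.Authenticate(rp.appID, c.handle, challenge)
	if err != nil {
		return false, err
	}
	if !ecdsa.VerifyASN1(c.pub, signedData(rp.appID, counter, challenge), sig) || counter <= c.counter {
		return false, errors.New("bad signature or stale counter (replay or cloned token)")
	}
	c.counter = counter
	rp.creds[user] = c
	return true, nil
}
```

Enrolling a token with a relying party for one origin and then calling Login from that same origin succeeds; a second RelyingParty using a different appID but a copied credential row (the "stolen database" case) is refused by the token before any signature is produced, and an Authenticator sharing the same keys but a reset counter (the "cloned token" case) is refused by the server. The only thing a database breach of the RelyingParty exposes is a public key and a counter.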
However, there is some progress. Some companies, like Amazon, have brought biometric authentication to the masses. We can also expect continual pressure on both retailers and financial institutions, driven by the voice of their customers.
“As more manufacturers build the authenticators into the devices themselves or the OS, it is very easy to interact with that authenticator,” Lynch stated. “Then it becomes a simpler ‘Bring your own authenticator’ approach.”