Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

Alternatives to passwords: Replacing the ubiquitous authenticator

As the relative security of passwords falters, are they destined for obscurity?

The joke voted the funniest at the Edinburgh Fringe this year was about an unlikely subject: “I needed a password...

eight characters long so I picked Snow White and the Seven Dwarves.”

Funny or not, the fact that it made so many people laugh just shows how much passwords -- and the challenges they pose -- have become part of our mainstream 21st century existence.

Passwords have been a problem since the dawn of computing. They tend to be either so complex that no one can remember them, or so obvious that anyone could guess them.

And the problem is getting even tougher. Anyone who has an encrypted laptop, conducts online banking or online shopping, and uses social networking sites is likely to have dozens of passwords to remember: far too many for one human mind to retain.

Some users choose to write their passwords down on paper and keep them in their desk drawers or (even worse) stick the paper to their computer screens. Others take the line of least resistance and use the same password for multiple accounts. Either route is risky.

So have we reached a point where we have to dump the password and look for some other way of proving who we are -- such as biometrics -- or is the password destined to cling on forever? Just as Cliff Richard once sang of rock’n’roll “They say it’s gonna die but honey please let’s face it, they just don’t know what’s going to replace it”, the same might be said of the password; we can’t come up with anything better.

Or can we? Any quick search of the Internet shows masses of learned papers and research about password strength, which explain how to improve on the way we use passwords. For example, there are free tools, like the Microsoft Password Checker, that help users check the strength of a password. And the U.S. National Institute of Standards and Technology also has a guide to enterprise password management (.pdf) packed full of useful tips.

But most people ignore the advice, according to Peter Wood, CEO of Brighton-based security firm First Base Technologies. “The reuse of passwords is emerging as a massive problem,” Wood says. “The password databases that our friends at Anonymous and LulzSec published all seem to indicate some important hacks took place on the back of that very problem.”

And once hackers have one password, the user’s other accounts then become an easy target, says Graham Cluley, senior technology consultant with security firm Sophos. “One thing people should be paranoid about is their email address getting hacked,” he says. “That is often the skeleton key for a lot of other accounts. When you register with websites, you give them an email address to which they will send a replacement password if you forget. So if your email account is compromised, it can unlock a lot of other things.”

One way to manage many passwords securely is to use a password management tool that will store, and even generate, strong passwords for you in encrypted form; all you have to do as a user is remember a single password or passphrase. Wood is a strong exponent of this, and has made it mandatory that all pen testers working for his company use such a tool. They all have a complex passphrase that locks their encrypted laptops and ensures only they have access to the various passwords stored on their machines.

Cluley agrees: “I don’t know the passwords to my accounts for Twitter, Facebook or Gmail, because they are long, complicated gobbledygook. There is no way I’ll be able to remember all the logins I need and have passwords that are sufficiently complex. The password management software does all the remembering for me. Whenever I need any of my passwords, I just use my master password, which is complicated, but which I have committed to memory.”

He also praises a new function from Google that offers users two-factor authentication for its cloud-based services, such as Gmail. Once the user turns on two-factor authentication and provides a phone number, Google then sends a random code by text to a mobile phone, or by voice to a landline, which the user then has to key in.

“So if I get hacked and someone were to get my username and password, that would not be enough to get into my Google account,” Cluley says. “Hackers would need physical access to my mobile phone as well. [This function is] available for free, and it’s a great idea. I would love Facebook and Twitter to do something similar.”

What about biometrics?

While stronger passwords, passphrases and extra factors (such as one-time passcodes) can help tighten security, they will always be open to a clever breach. For instance, some man-in-the-middle attacks can intercept passcodes sent to phones.

But what if you could prove who you are by using something that is unique to you, such as your voice, your fingerprints, the iris of your eye, or the veins in your hands?

All of these biometric measures offer workable solutions, although some are more practical (and affordable) than others. Iris scanners are now in operation at airports and provide a high level of security, and some Japanese banks have deployed terminals to recognize vein patterns in the palms of their customers’ hands. Both of those technologies have proven extremely effective, but they are currently expensive and require specialized scanners.

However, authentication by voice or fingerprint is already becoming mainstream in certain industry sectors, particularly for smartphone users, according to Alan Goode, managing director of London-based research firm Goode Intelligence.

In a recent report, “Mobile Phone Biometric Security – Analysis and Forecasts 2011–2015” (.pdf), Goode predicts mobile phone biometric security products and services, which currently generate around $30 million a year globally, will grow to $161 million by 2015. 

He argues that with mobile phones being increasingly used for e-commerce and as a contactless payment device via near-field communication, biometric authentication is more convenient and effective than PINs or passwords. “AuthenTec, which supplies fingerprint sensors, has shipped more than 13 million of the product for mobile phones,” says Goode, adding that the majority of these have so far gone to the Japanese market.

Some USB drives and laptop computers have had fingerprint readers for some time, but Goode says devices like the Motorola Atrix smartphone, which uses fingerprint authentication, will see the most growth. “It is easy to enroll yourself on the device, and you just need one swipe to get into your phone instead of putting in a PIN,” Goode says. “It would not be used for high security, but it’s a start. It’s good enough for a phone and more convenient, and if I lose the phone, it adds another layer of protection.”

As for some other types of smartphone biometrics, he says they are still at an early stage. “If you go on the Apple or Android app stores, you’ll see facial recognition and iris recognition apps ready to download, but in my opinion they are just gadgets at the moment,” he says.

However, voice recognition for user authentication (as opposed to speech recognition) does seem to be making inroads in a variety of industries, particularly in banking and insurance. “Voice is useful in banking because it can be used across the channels,” Goode says. “It can be used as part of an IVR [interactive voice response] to authenticate into a phone-based bank as well as providing out-of-band authentication for Internet banking.  Instead of sending a one-time passcode, which is susceptible to man-in-the-middle attacks, the bank phones you and gets you to say a phrase, which it matches against a pre-registered voiceprint.”

According to Nik Stanbridge, director of product marketing for Reading-based Voicevault, which sells voice authentication software, the technology has proved itself to be reliable. In fact, it was going to be the foundation of a voice-based service at Dutch bank ABN Amro back in 2008. But then RBS took over ABN Amro, killed the project, and shortly afterward, the whole banking world melted down. Stanbridge admits the episode set back acceptance of the technology, but among the vendor's current customers are a U.S. insurance company that accepts the voiceprint as a legally binding signature, and a London stock brokerage firm that uses it to verify high-worth clients calling to trade their shares.

Crucially for the companies using it, the system requires little effort from the clients. They enroll themselves by saying the numbers “0579 9075 5709 0957″ down the phone, and this provides the system with a unique voiceprint. Then, to authenticate themselves when they call, customers are asked to say one of the four-digit combinations into their phone.

Stanbridge says the small voiceprint provides enough information about how the individual produces sound to provide a unique voiceprint that cannot be impersonated, but which is unaffected by a bad cold, for instance. “Wherever you use a PIN or password, you can use voice biometrics,” he says. “Voice is the only biometric that doesn’t require a specialist kit. Even fingerprint readers need to be tethered, but phones are ubiquitous.”

So while the password may be the subject of jokes, for most of us, it will still be featured in our lives in some shape or form for the foreseeable future. However, it is clear more of us will need to use password management software (a lot of it is free, and even the commercial products are cheap), and as fingerprint readers appear on more devices, we’ll get used to the convenience they bring too, even as some of our banks may start to recognize us by our voices.

For enterprises needing to manage large workforces, the big secure authentication companies such as Entrust, Vasco, RSA and CrypoCard now support a wider range of authentication factors, including biometrics, soft tokens and SMS messages, enabling organizations to mix and match various technologies for different applications and risk levels, but do so within one security infrastructure. And then maybe they'll finally put an end to the sticky note with passwords written on it.

Ron Condon is UK bureau chief for SearchSecurity.co.UK. Send comments on this column to [email protected].


Dig Deeper on Two-factor and multifactor authentication strategies