Increasingly, we’ve been hearing the drumbeat announcing the imminent death of passwords and PINs as we know them today. In 2012, I started a company primarily to help hammer in the nails on the password-based auth coffin, using modern mobile and biometric authentication methods, in large part due to my personal frustration with passwords. Three years later, I’m sad to report that: the man’s too big; the man’s too strong. Let me explain.

Since joining RSA a couple of years back, I’ve been part of a team representing RSA within the FIDO Alliance, a group of like-minded companies from a wide variety of industries that have come together to agree on an open standard for password-less strong authentication. And they’re serious and committed to the cause. I feel confident FIDO will make a difference (as it already has started to) in how service providers, financial organizations and other companies look at better ways of trusting their users, while balancing security with convenience in the authentication process.

Device makers are moving fast to include support for native biometric authentication methods in their products. I think in 3-5 years we’ll be hard-pressed to buy a modern smartphone/tablet/phablet/laptop that is not equipped with a native and user-friendly biometric authenticator (such as fingerprint, face, voice, iris, or other behavioral verification technologies).

Apple’s Touch ID has introduced us all to a friendly alternative to using plastic credit cards when completing purchases at point-of-sale terminals. Many retailers have started allowing Touch ID to be used even in remote transaction scenarios (purchasing from home), either as an alternative to UserID/password-based auth or as a complement to it. But under the surface, in order for me to establish that ‘first’ trust with Apple as a service provider, I had to authenticate myself.
That initial authentication process, as of the time of writing this blog, continues to rely primarily on me entering my Apple ID/password combination. In addition, as soon as I try to use my iPhone after any reboot, after a lengthy idle period, or when I try to use the device in colder weather, the iPhone prompts me with the good old “enter your PIN” screen. It appears to me that: a) Apple equates the strength of the Touch ID fingerprint biometric auth method with a 4-5 digit numeric PIN, and that b) having a PIN continues to be a must-have.

Similarly, within FIDO, the initial registration process with the service provider (or relying party) still requires the user to authenticate using the ‘primary’ account provisioning method, i.e. username and password. For example, here are the steps to use PayPal (a FIDO early adopter) with FIDO on a Samsung S5 device:
You will have to log in to your PayPal app at least once using your email and password or mobile phone number and PIN before you start seeing Fingerprint as a login option.

In addition, if I lose my device, the same user ID/password (or passphrase) auth process is still required for me to re-establish trust between me and the phone/service provider. In order to establish or verify my identity to the service, I need to go through an initial “trusting” process, where I provide mutually known information such as passwords or answers to knowledge-based questions, and then, once that trust has been (re-)established, I can add features like OTP (one-time password), outbound SMS, or FIDO biometric-based authentication.

So I’m seeing a trend. Passwords/passphrases are still needed to establish that initial bootstrap relation between the user and the service provider (usually established during the user registration/enrollment process). Passwords (whether user-set passwords or knowledge-based questions such as your mother’s maiden name) are also still necessary for many ‘recovery’ or ‘backup’ paths. Once we complete those steps, just once, there are good options (OTP, FIDO, etc.) for us to use on an ongoing basis, where we don’t have to remember or enter any PINs or passwords.

Can we make passwords invisible but still use them? To deal with all our passwords, a whole category of password management products has come to our rescue, helping us ‘manage’ the many passwords we still have to enter when accessing services and applications. In parallel, some of the leading browser and OS vendors have started to incorporate credential (password) management features natively into their solutions. These solutions send the password to the destination on the user’s behalf (said differently, they ‘stuff’ the password). It’s still “there,” but you and I just don’t see or enter it.
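To make the bootstrap-and-recovery dependency described above concrete, here is an added example in Go (not code from the original post, and not PayPal’s, Apple’s or the FIDO Alliance’s implementation) of a toy relying party: the account exists only as a password; an ed25519 authenticator key can be registered only after the password has been presented in the current session; day-to-day login is a signature over a single-use random challenge; and a replacement device after a loss is pushed back through the password path. The type and function names (RelyingParty, Authenticator, Register, Challenge, Revoke), the demo password, and the salted SHA-256 placeholder standing in for a real password hash are all assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// RelyingParty is a toy model of a service provider. The account is created
// with a password; a FIDO-style authenticator may be registered only after
// that password has been presented in the session (the bootstrap step).
type RelyingParty struct {
	salt         []byte
	pwHash       []byte
	creds        map[string]ed25519.PublicKey // credential ID -> public key
	pending      map[string][]byte            // outstanding challenge per credential ID
	bootstrapped bool                         // password proven in this session
}

// Authenticator is the device side: the private key never leaves it.
type Authenticator struct {
	credID string
	priv   ed25519.PrivateKey
}

// hashPassword is a placeholder (assumption of this example); a real
// deployment uses a slow, memory-hard hash such as argon2id or bcrypt.
func hashPassword(salt []byte, pw string) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(pw))
	return h.Sum(nil)
}

func NewRelyingParty(password string) *RelyingParty {
	salt := make([]byte, 16)
	rand.Read(salt)
	return &RelyingParty{salt: salt, pwHash: hashPassword(salt, password),
		creds: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

func NewAuthenticator() *Authenticator {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	id := make([]byte, 8)
	rand.Read(id)
	return &Authenticator{credID: hex.EncodeToString(id), priv: priv}
}

func (a *Authenticator) CredID() string               { return a.credID }
func (a *Authenticator) Sign(challenge []byte) []byte { return ed25519.Sign(a.priv, challenge) }

// LoginWithPassword is the bootstrap path, and also the recovery path.
func (rp *RelyingParty) LoginWithPassword(pw string) bool {
	ok := subtle.ConstantTimeCompare(hashPassword(rp.salt, pw), rp.pwHash) == 1
	if ok {
		rp.bootstrapped = true
	}
	return ok
}

// EndSession forgets the password proof; a new device then needs the
// password again, which is exactly what the user hits after losing a phone.
func (rp *RelyingParty) EndSession() { rp.bootstrapped = false }

// Register enrolls the authenticator's public key, refused until the
// password step has been completed in this session.
func (rp *RelyingParty) Register(a *Authenticator) error {
	if !rp.bootstrapped {
		return errors.New("register: password login required first")
	}
	rp.creds[a.credID] = a.priv.Public().(ed25519.PublicKey)
	return nil
}

// Revoke drops a credential, e.g. the one bound to a lost device.
func (rp *RelyingParty) Revoke(credID string) { delete(rp.creds, credID) }

// Challenge issues a fresh random nonce for a registered credential.
func (rp *RelyingParty) Challenge(credID string) ([]byte, error) {
	if _, ok := rp.creds[credID]; !ok {
		return nil, errors.New("challenge: unknown credential")
	}
	c := make([]byte, 32)
	rand.Read(c)
	rp.pending[credID] = c
	return c, nil
}

// LoginWithAuthenticator is the passwordless steady state: verify the
// signature over the single-use challenge with the stored public key.
func (rp *RelyingParty) LoginWithAuthenticator(credID string, sig []byte) bool {
	c, ok := rp.pending[credID]
	if !ok {
		return false
	}
	delete(rp.pending, credID) // each challenge is accepted once; replays fail
	return ed25519.Verify(rp.creds[credID], c, sig)
}

func main() {
	rp := NewRelyingParty("correct horse battery staple") // constructed demo password
	phone := NewAuthenticator()
	fmt.Println("register before password:", rp.Register(phone))
	rp.LoginWithPassword("correct horse battery staple")
	fmt.Println("register after password:", rp.Register(phone))
	rp.EndSession()
	c, _ := rp.Challenge(phone.CredID())
	fmt.Println("fingerprint login:", rp.LoginWithAuthenticator(phone.CredID(), phone.Sign(c)))
	newPhone := NewAuthenticator() // lost device: fresh key pair, no password proof yet
	fmt.Println("new device without password:", rp.Register(newPhone))
}
```

The point the model makes visible is that the public-key credential never replaces the password record; it is layered on top of it, and every path that creates or replaces a credential routes back through the password. Tightening that recovery path (rate limits, account lock-out, a second registered authenticator) is where the real security of such a deployment lives.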
At RSA, we find the expectations from organizations (especially within the larger enterprise) in terms of credential management features are quite different from those of casual users and consumer service providers. These include differences in credential strength, rotation, protection (encryption and use of multi-factor authentication), synchronization, and lock-out policies. Users expect credential management solutions that can manage both their personal passwords and their work resources. Almost all organizations and users want to get rid of passwords. But we know this is a work in progress and will take more time. So maybe the conversation is not about whether “passwords are dead” or not. Instead, as one of my colleagues put it: “we are graduating to a state where, even if passwords are being used, users don’t have to remember them anymore.” I can live with that!

The post Passwords & Pins are dead (Are they really?) appeared first on Speaking of Security - The RSA Blog and Podcast.
