Make your password at least eight characters long, upper and lower case, with a numeral and a special character. Now make a different one for every system, each application and every website you use.
Net result: Lousy cyber hygiene. Some 49 percent of adults keep passwords written down on paper, and 39 percent routinely reuse passwords, according to research from the Pew Research Center. This is a recipe for disaster, and experts say it’s time to chart a new course.
“If you are in any business that sits on any information, which relies on the availability of any network, you have to be thinking about moving on from passwords,” says Michael Kaiser, executive director of the National Cyber Security Alliance.
Looking across a range of verticals – insurance, higher education, retail – IT security leaders are calling for an end to the complex password. They foresee biometrics, dual-factor authentication and eventually a new “whole person” approach to identity as being among the not-too-distant remedies for password malaise.
On Its Way Out
“I would love to see passwords go away,” says Stephen DiFilipo, CIO of the 14-campus University of Texas Systems. “In my daily life I already use my fingerprint to get into my phone, which has all of my life in in it, including all my financials. I have used a Surface Pro that recognized me just by my face. So I think the password as we know it is already on its way out.”
Smaller colleges may not see a burning need to ditch the password, he says. But big universities with lots of intellectual property to safeguard should already be looking for something more secure.
In the retail world, the first stirrings of change are afoot. Consider for instance Amazon Go, an emerging store model in which shoppers are recognized by their mobile device and get to scoop up their goods without even having to wait in line, much less swipe a card or enter a password.
“That has been beta-tested, and Amazon says it has worked out the kinks. That one move is likely to level-set expectations in retail for consumers in a very dramatic way,” says Doug Stephens, author of Reengineering Retail: The Future of Selling in a Post-Digital World. Consumers who can buy this way in a physical story likely won’t have much patience for entering passwords online: They’ll want something quicker and simpler.
The shift away from passwords is perhaps most visible in financial services, where CSOs and CISOs often have responsibility for high-value personal and financial data.
“I hate passwords. They are a poor, very antiquated technology that need to be taken behind the barn and shot,” says Adrian Asher, CISO of the London Stock Exchange. “We have been actively phasing them out here. When I design from scratch, I use two-factor authentication with a biometric or four-fingerprint, along with a cryptographic secret, a private key.”
Insurance giant Aetna takes it one step further. Some 600,000 Aetna consumers can choose to access their health data through a combination of biometrics and other attributes – no password needed – and the company is developing a similar authentication scheme for internal users.
“Passwords are obsolete,” notes Aetna CSO Jim Routh. “The question now is just: What do you do about that?”
In the short term, many will find the answer to that question through easily-implemented biometric and multi-factor solutions. The longer-term fix will look a lot like Aetna’s model, experts say, with complex algorithms building a reliable means of identification from a broad range of metrics.
Before exploring this “contextual” solution, it makes sense to take a look at the tools that are most readily available today.
Biometrics are fast emerging as a preferred means of authentication, not just by CISOs who have come to distrust passwords, but among employees and consumers who are tired of wrangling with the complex requirements.
Once wary of sharing their fingerprints, many end users now are ready to accept biometrics as a part of the security landscape. As a result, 69 percent of IT professionals surveyed by Accenture say they are considering a biometric deployment.
The rise of biometric-enabled devices is helping drive the trend. “If you already provide your employees with a cellphone that has an iris reader or a fingerprint reader, then the cost of biometrics is minimal,” says Keith Palmgren, a cybersecurity instructor with the SANS Institute. “But you have to pick the right one. Some fingerprint readers expect a clean, dry finger, and if I have warehouse workers that is going to be problematic. You have to consider your environment.”
Just as smartphones can be leveraged for biometric authentication, office-bound users can access existing systems to improve security. “Windows 10 has a facial scanner built in, and it just uses the camera on your computer. So that’s a biometric that is built into the software, that is already ubiquitously available, and that takes advantage of an existing hardware capability,” Kaiser says.
Still, finger- and iris-printing may not be a panacea. These solutions do introduce new elements of cost and complexity. “You’ll have to have a server to store the templates,” Palmgren says. “And you need a plan for the one-off situation. Some people for instance have incredibly light fingerprints. Some retina scanners won’t work with certain types of blindness. What is your plan for dealing with those situations?”
Others see new forms of risk emerging. “What if someone violently forces you to authenticate yourself to your phone? Now your net security is lowered, and your biometric implementation has just resulted in a dire physical threat,” says James Stanger, chief technology evangelist for CompTIA.
Many will turn instead to dual-factor methods as a password work-around. Typically, an employee seeking to access a system enters a password, but that’s no longer enough to get in. The user then receives via text a temporary code that is used to confirm identity.
“Financial institutions are going to two-factor authentication because they realize: Everyone already has a smartphone with them, so why not just add that additional assurance?” says Curtis Dukes, executive vice president at the Center for Internet Security.
Practically every industry vertical can rely on employees to be toting phones, and universities can be equally sure that students are text-enabled. Ubiquity and ease make the dual-factor crosscheck a tempting proposition. But this approach, too, has its limitations: It adds an extra step, introducing a level of complexity for both the end user and the administrator.
Some predict the next phase of security may combine biometrics, artificial intelligence and sophisticated algorithms to deliver higher-level security while simultaneously simplifying the end-user experience.
Aetna expects some 30 million of its customers will be able to login password-free by the end of 2018.
The insurer’s security protocols harvest between 30 and 60 metrics around a given user: How many apps you have on your phone? What are the most frequently used apps? How do you hold your phone when you use those apps?
“We bind attributes to the device you are using: What kind of plug-ins you have on your browser, how your browser is configured, what location you are in. All those together create a mathematical score, and the application uses that to provide access,” says Routh.
Essentially, the system considers such a wide range of variables that the only way you can authenticate yourself is by being…exactly who you are. If you are anyone else, the math won’t add up.
Unlike a password, this agglomeration of data cannot be stolen, and even if some metrics were compromised, “we are using benign attributes, where if the information was exposed it would not represent a major breach. And we are not keeping the attribute data, we are only keeping the mathematical representation of that data, so we are comparing a number to a number,” Routh says.
Unlike passwords, this system has the advantage of being able to verify identity continuously. If a user’s identity seems to veer off mid-session, because of unusual behaviors or other triggers, the system can prompt for some confirmation of identity.
Some see this kind of contextual approach to identity as the long-term replacement for the password.
“There is great progress being made on this by companies like Google, Apple and Microsoft,” Dukes says. “All three of them have said they want to offer a number of pieces of information about each individual – it could be your voice, your gait when you walk and talk on the phone, or how you type. You can measure all these different functions and build a knowledge of that person: He speaks with an accent, he typically travels on the coast.”
Pull them together and you get an authentication scheme that is highly reliable and minimally invasive. “I think that’s where it is all headed,” Dukes says.
Given the novelty of such a solution, Kaiser suggests that businesses may want to take a tiered approached to phasing out passwords, implementing these more sophisticated techniques first in circumstances where the security need is greatest.
“In education, for instance, there is some security need around students accessing calendars, but there may be added levels of protection needed for the registrar or the financial aid office,” Kaiser says. “In retail, the cashiers might need to authenticate to their devices, but the manager may need something stronger to authenticate to the corporate network.”
The success of a contextual security protocol – or any new security implementation, for that matter – rests on user acceptance. Whether a CSO is implementing a simple dual-factor program, an iris scan or an AI-driven algorithm, Palmgran suggests, it’s always best to start with a limited deployment on a select group of employees before expanding outward.
“You can roll this out blindly and find that all your users hate it,” he says. “Put it in a lab first, test it on a small group of users, and then do a phased roll-out. Don’t put it out there to 10,000 people all at once.”
The New Guidelines
Many enterprises are looking to phase out passwords, which have gotten too complicated and clunky over the years.
During this time of transition, the National Institute of Standards and Technology recommends simplifying passwords. The latest NIST guidelines advise CISOs to:
- Remove the requirement for periodic password change. The latest findings show these periodic rotations do little to enhance security.
- Drop the complexity. Forget the special symbols and uppercase letters. NIST doesn’t see these adding security value.
- Go long. The new best thinking says it’s more important that a password be long, at least eight and as many as 64 characters.
- OK to paste. NIST also recommends allowing users to paste in their passwords. This facilitates use of password managers and encourages users to choose stronger passwords.