3 things that will replace passwords
Each month seems to yield another major password breach. In May 2016, over 270 million accounts were found to have been stolen from major email services including Google and Microsoft. Then, in September, Yahoo confirmed what may have been the largest breach of all time, which saw 500 million accounts pilfered in 2014.
Simply making passwords longer and more random isn't helping. “The move to more complex passwords creates less security," explains John Mears, Senior Fellow for Intelligence and Homeland Security at Leidos. “People simply start writing them down."
Regularly changing passwords doesn't work either. The UK's Communications-Electronics Security Group (CESG), part of its intelligence network, explicitly advises against it, deeming it too costly, inconvenient, and insecure.
Something You Have
Instead of passwords, Mears advocates ID verification solutions that are more secure and less complicated for users to handle. One such approach is two-factor authentication (2FA).
Instead of simply typing something you know (and can easily forget or divulge), 2FA involves verifying your identity using something you have. In high-risk or government applications this can often take the form of a hardware token containing a digital certificate or a constantly changing passcode known as a 'one-time pad'.
One form of 2FA involves out-of-band authentication, in which a server sends a code to a user's mobile phone. This turns the phone into the 'something you have', and means that an attacker would need access to the phone to compromise an account.
Many companies have used SMS as the channel for out-of-band communications, although the compromise of Black Lives Matter activist DeRay McKesson's Twitter account by hackers who gained access to his SMS number has demonstrated that this is not secure. In its Digital Authentication Guidelines, the National Institute for Science and Technology says that SMS is deprecated and may be removed from future versions. Instead of SMS, companies are turning to smartphone applications such as Google's Authenticator app to handle out-of-band 2FA.
Something You Are
For even more secure verification, one of the most viable is biometric verification, suggests Mears. Biometrics (the use of data obtained from the body for verification) comes in various forms. Different biometric techniques can yield different accuracy levels – there's the potential for false matches, in which the wrong person is identified as the user, or false negatives, in which a legitimate user is mistakenly denied access.
The different levels of accuracy must be balanced with user convenience and with the distance of the subject from the scanner. DNA analysis is the most accurate means of biometric identification, for example, but impractical in most circumstances. Instead, taking ten fingerprints at once or scanning the iris or the vascular (vein) system are more convenient and highly accurate.
In verification scenarios where the user can be further away from the scanner – such as identifying someone entering a building for example – facial recognition or even gait detection can be used, although these are typically less accurate.
Can biometric verification be foiled by imposters? German hacking group the Chaos Computer Club was able to impersonate a legitimate user's fingerprint to fool the Touch ID fingerprint sensor on Apple's iPhone 5 in 2013. It demonstrated that attack, along with another on facial recognition software in an English-translated video.
Mears protests that research is one thing, but real-world use is another. "I never heard of a successful presentation attack for anything other than demonstration purposes," said Mears.
Security researcher Marc Rogers argued that the Touch ID sensor was also hackable on the iPhone 6, but added that these hacks would take "skill, patience, and a really good copy of someone's fingerprint".
Some organizations are putting their trust in biometrics in combination with an easy-to-remember PIN. Financial institutions, for example, are beginning to use voice biometrics to verify their customers' identities.
The technology and back-end enrollment procedures for biometric verification can be beyond the capabilities of many companies, which has led to the rise of identity-as-a-service (IDaaS). This takes the enrollment and verification process away from the customer, who can rely on a third party to handle it.
Something You Do
While 2FA uses something you have and biometrics uses something you are, there is a third emerging means of verification for users: something you do.
"Behavioral analytics uses observation when people are interacting online," says Mears. "It is used to detect insider threats." Actions that deviate from a baseline of normal behavior can cause an employee's threat score to increase and potentially set off an alarm, he explains. Now, some companies are considering behavioral analysis to help identify people in the first place. "Google has looked at behavioral biometrics and characteristics that can be monitored," says Mears. The search giant's Project Abacus is exploring behavioral indicators such as the unique cadence of your typing patterns on a keyboard, and the angle at which you swipe your touchscreen, to help confirm that you aren't an imposter.
Behavioral analytics is more about probability than determination: it increases the chance that you are who you say you are, rather than providing absolute proof. As with all other verification tools, including passwords, its implementation depends on the level of risk that a company is prepared to take when proving a person's identity.
In some cases, using more than one method together can help to further secure a system. One thing is certain: passwords alone are no longer enough.