Saturday, May 3, 2014

INTERNET SPECIAL: Three alternatives to using passwords


Bill Gates declared them ‘dead’ in 2004. But now seems to be the right time to kill them off

As a result of the Heartbleed bug that has made data on two-thirds of the world’s servers potentially accessible to hackers, users have been told to change their passwords. It goes to show that not only is the security of passwords fragile, but they are impractical too. So what are the alternatives?

Passwords have been around as long as the Web. In short, they are the quickest and simplest means of securing user accounts. They do, however, have a number of drawbacks. If they are too simple they can be cracked by computer programs. If a server is hacked, they can be uncovered. If the same password is used for more than one account, then an uncovered password can compromise a user’s whole Web presence. It is inconvenient to remember lots of different passwords. Bill Gates declared them “dead” in 2004. Premature that may have been, but vulnerabilities in the architecture of the Web, such as Heartbleed, serve to demonstrate quite explicitly that they do need to be killed off – at least in their current form.
Here are a few areas in which potential alternatives are being developed.
Biometrics
Biometric authentication is the most well-known alternative to passwords. Everyone knows that fingerprints can be used to identify people, and devices like the Samsung Galaxy S5 and Apple’s iPhone 5S have fingerprint scanners built in. Other methods of biometric authentication include iris scanning, as used by the Myris Eyelock, and using a person’s heartbeat, like the Nymi wristband.
However, Chester Wisniewski, Senior Security Advisor at Sophos, warns us that although biometric information may be more secure than passwords, the consequences of such data being uncovered are far more severe. “Can you imagine if you used a fingerprint or iris scan instead?” says Wisniewski. “Now we would be leaking your biometric data to crooks. Time to change your fingerprints?”
Tokens
For token authentication, users are provided with a unique piece of data that allows them to log in to a website. Illiri, for example, sends a sound to smartphones that users play to their computer as a means of authenticating login. Similarly, Clef sends an image to smartphones that is shown to the computer’s webcam. Such smartphone apps add an extra layer of security to your authentication as they themselves can be protected by one or more passwords, but they suffer from being less convenient than just using a password and require contingencies if a phone is lost or out of charge.
Two-factor
The added layer of authentication used by Illiri and Clef, however, is the key to our future security, says Wisniewski. “Clearly passwords alone are not an adequate security measure,” he argues. “When combined with other factors though, they can be a part of the solution.”
“A single factor is not enough. Passwords are certainly the best option we have for one of the two factors we should be using in two-factor authentication. I think I would stick with a password plus a dynamic second factor like a token or an SMS message.”
Two-factor authentication is not a new idea. Banks use it routinely and users can set it up on their Google, Facebook and Twitter accounts, as well as on other sites. It’s not as quick or convenient as a simple password, but there has been a lot of talk about it since Heartbleed, as the most immediate means by which security can be improved on websites. Authy and Duo are just two providers that are pushing the uptake of two-factor authentication.
    - gizmag online