Passwords are dead? Long live passwords!!!
In reading this blog post from Douglas Schweitzer (here) this AM, I continue to be amazed that the viability of passwords remains in question. Let me say unequivocally, passwords are here to stay. Period. Weak passwords, strong passwords, pretty much all passwords. Why? Because they are easy and "good enough."
Oh crap, I hear you sighing again - there he goes with that "good enough" spiel again. Well, it's true. For about 90% of the stuff we do online, a marginally strong password is good enough. And I want to be able to store those passwords in my browser. So I'm really pissed about the Firefox 2.0 XSS issue that forced me to delete all my stored passwords yesterday (thanks to the Mogull for the heads-up here).
Douglas' point in the post is that passwords are hard to administer and they are unsafe (who knows when a key logger is on a machine and all the passwords are compromised?). That's a load of crap. There are password management tools that allow users to reset their stuff in an automated fashion. What's hard about that? And the idea that passwords are unsafe has everything to do with what you are trying to protect.
He relies on a December 2005 Gartner report that predicted: "By 2007, 80 percent of organizations will reach the password breaking point and will need to strengthen user authentication with alternative security methods." I think if you are talking about 80% of banks, they'd be right because of the FFIEC guidance on multi-factor authentication. But there is a snowball's chance in hell that 80% of ALL organizations will strengthen user authentication by even the end of 2007. Maybe this research is taken out of context, but it feels similar to the prediction Bill Gates made almost 3 years ago that "spam will be solved in two years." Not so much.
So, according to Douglas, "With passwords gradually falling out of favor, the biometric industry has ably stepped up to the plate to fill the widening void." Again, not so much. I've been in this space a long, long time and since I started, we've been talking about biometrics. And not a damn thing has happened. Is it because "users are not comfortable with what they don't understand?" I don't think so. You actually think that the idea of a fingerprint reader is so hard to grok?
It's because people just don't care. They are still doing their transactions with passwords and that is just fine for them. There is no catalyst to get them to look at something more secure, and that is before we even get to the continued technical issues that plague biometrics (like accuracy and the deployment of readers).
To be clear, I believe in a concept called "contextual authentication." Basically this means that you use the right amount of authentication to provide adequate security for what you are trying to do. Logging onto your web email account has one level, while getting access to your brokerage and/or bank account online should have another. And a much more stringent level should be required if you are transferring large sums of money or doing something that is just uncharacteristic (like withdrawing money from Senegal if you live in Topeka).
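As an added illustration of the "contextual authentication" idea above (this is example code, not something from the original post), here is a small policy function that picks the authentication level from what the user is trying to do and how uncharacteristic the context is. The action names, assurance tiers, country codes and the transfer threshold are all constructed assumptions for the example.

```python
from dataclasses import dataclass
from enum import IntEnum


class Assurance(IntEnum):
    """Hypothetical assurance tiers, weakest to strongest."""
    PASSWORD = 1        # username/password only
    SECOND_FACTOR = 2   # password plus an additional factor (e.g. a one-time code)
    OUT_OF_BAND = 3     # independent confirmation (e.g. a call-back) before proceeding


# Baseline requirement per action (constructed tiers for this example).
BASE_LEVEL = {
    "read_webmail": Assurance.PASSWORD,
    "view_balance": Assurance.SECOND_FACTOR,
    "transfer_funds": Assurance.SECOND_FACTOR,
}

LARGE_TRANSFER = 10_000  # constructed threshold above which a transfer is "large"


@dataclass
class Request:
    action: str
    country: str        # where the request is coming from (ISO-style code, constructed)
    home_country: str   # where the account holder normally logs in from
    amount: float = 0.0 # only meaningful for transfer_funds


def required_assurance(req: Request) -> Assurance:
    """Return the assurance tier needed for this request in this context."""
    # Unknown actions fall back to the stricter default rather than the weakest tier.
    level = BASE_LEVEL.get(req.action, Assurance.SECOND_FACTOR)

    # Step up when the request is uncharacteristic for this user
    # (the "withdrawing money from Senegal if you live in Topeka" case).
    if req.country != req.home_country:
        level = max(level, Assurance.SECOND_FACTOR)
        if req.action == "transfer_funds":
            level = Assurance.OUT_OF_BAND

    # Large transfers always need the strongest tier, regardless of location.
    if req.action == "transfer_funds" and req.amount >= LARGE_TRANSFER:
        level = Assurance.OUT_OF_BAND

    return level


def decide(req: Request, satisfied: Assurance) -> str:
    """'allow' if the session already meets the bar, else which tier to step up to."""
    need = required_assurance(req)
    return "allow" if satisfied >= need else f"step_up:{need.name}"


if __name__ == "__main__":
    # Constructed sample requests: a session that has only presented a password.
    samples = [
        Request("read_webmail", "US", "US"),
        Request("view_balance", "US", "US"),
        Request("transfer_funds", "US", "US", amount=250),
        Request("transfer_funds", "US", "US", amount=25_000),
        Request("transfer_funds", "SN", "US", amount=50),
    ]
    for r in samples:
        print(f"{r.action:15} from {r.country} amount={r.amount:>8}: "
              f"{decide(r, Assurance.PASSWORD)}")
```

The point of the structure is that the decision is made per request, not once at login: the same session that is fine for reading mail gets challenged again when it tries to move money, and the challenge gets stronger as the context drifts further from what is normal for that account.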
I do believe there is a role for semi-biometrics type technology like keystroke dynamics. Why? Because it's transparent to the user. They don't even have to know it's there, and there is no requirement to distribute readers. As that technology matures, I suspect we'll be seeing a lot more of it baked in.
And I am pretty indifferent about password length as well. Passwords can be broken, regardless of how long you make them. But the idea of having a longer one without requiring stupid capitals and special characters makes sense.
But I've just got to push back on this death of passwords crap because it's just not right.


Just like keys are "good enough" for most people when locking up their homes. They don't protect the windows, they get left unlocked, most are very easy to pick, and additional security is not light-years ahead or something. It just comes down to what people want to get up off their ass to do and spend money on. Most of the time, there is little care to it until something happens or it is required by their neighborhood or something.
Similarly, you're correct. Biometrics are cool and I'd love to see them implemented, but they simply cannot be effectively implemented over the Internet, and I doubt ever will until we get very heavily into neuro-connections...and even then we have a long ethical battle ahead.
Corporations also will not adopt biometrics or key fobs unless the cost is not very nearly nil or they have to rework their entire network anyway.
Yeah, passwords/passphrases are here to stay for a very long time, because for the amount of effort and cost, you get a LOT of bang for your buck.
If anything pushes the envelope on access control technologies, it will be the push for more unified sign-on, such as single-sign-on implementations, so that users don't need to remember and use 25 username/password pairs each week. Sadly, as long as we have capitalism and competition, no real unification can truly ever happen outside of small pockets (a corporation, for instance). As it is, home users do their own form of it by using the same username and password for most things (hell, I do, and I know the risks). D'oh!