
BLOG: Usable identification - the key to a world without passwords

Ian Yip, Security specialist, NetIQ | Nov. 27, 2013
Security is the enemy of usability.

Consumer devices are the best vehicle for bringing non-password-based authentication mechanisms to the mainstream, in much the same way that social networks have brought identity federation to the masses. They are the best shot we have at eventually killing passwords off for good. If that day comes, passwords will more than likely be replaced by a combination of biometric and token-based mechanisms.

The inevitable rise of wearable computing, together with the ubiquity of smartphones, will give us an abundance of tokens (compared with a world before smartphones) to use in the identification dance known as authentication.

Signing on to a site using your social network account is not commonly called identity federation; that's what security people call it. But it works because it's usable, even though that usability comes at the expense of some security. Social identities help consumers clear the security hurdle to the point where the word "security" doesn't rate a mention during the authentication or registration process. Social networks, however, still use passwords.

Passwords on their own are insecure. In the absence of other ways to identify ourselves (i.e. multi-factor authentication), a lot of damage can be done to our digital lives that is difficult to recover from. Let's also not forget the number of breaches at multiple sites that have included leaked passwords. Yet passwords remain because the username-and-password combination is a design pattern we have been trained to understand and accept. Because we have been conditioned this way, passwords are inherently usable. Therein lies the challenge in moving past them.

Good authentication practices have always included multiple factors. In other words, passwords on their own just won't do. In addition to usability, cost is almost always a prohibitive factor. It costs an organisation a lot of money to procure the hardware required to support authentication mechanisms beyond passwords. Wouldn't it be nice if consumers already had tokens they could use that were as secure as the expensive ones organisations currently have to buy?

Some organisations have weighed the risks against the costs and decided that SMS tokens are good enough to be considered an acceptable second factor beyond passwords. If you've looked into this, you know SMS messages are not actually that secure. But for a lot of scenarios, they are "good enough" when combined with the primary password. If organisations want to move beyond this, however, it gets very expensive.
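As an added illustration (not code from the original post or from NetIQ), here is the server-side half of a one-time-code second factor of the kind an SMS token relies on. The delivery channel is out of scope; the `OneTimeCodeStore` class, its constants and the user names in `demo()` are assumptions made for this example. It shows the controls that make a weak delivery channel "good enough" in practice: a short expiry, single use, a capped number of guesses, and a constant-time comparison so the check itself leaks nothing about the code.

```python
import hashlib
import hmac
import secrets
import time

# Assumed policy values for this example; tune to the risk decision the text describes.
CODE_DIGITS = 6
CODE_TTL_SECONDS = 300   # a code is only valid for five minutes
MAX_ATTEMPTS = 5         # then the code is burned and a fresh one must be issued


class OneTimeCodeStore:
    """Issues and verifies short-lived, single-use codes for a second factor.

    Only a hash of the code is kept server-side. A 6-digit space is small, so the
    hash alone is not a strong protection against an offline guess; the expiry and
    the attempt limit are what actually carry the security here.
    """

    def __init__(self, clock=time.time):
        self._clock = clock  # injectable clock so expiry can be tested deterministically
        self._pending = {}   # user_id -> (code_hash, expires_at, attempts_left)

    def issue(self, user_id):
        """Create a fresh code for user_id and return it for delivery (e.g. via an SMS gateway)."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        expires_at = self._clock() + CODE_TTL_SECONDS
        self._pending[user_id] = (self._hash(user_id, code), expires_at, MAX_ATTEMPTS)
        return code

    def verify(self, user_id, submitted):
        """Return True exactly once for the correct, unexpired code; False otherwise."""
        entry = self._pending.get(user_id)
        if entry is None:
            return False  # nothing outstanding (never issued, already used, or burned)
        code_hash, expires_at, attempts_left = entry
        if self._clock() > expires_at:
            del self._pending[user_id]  # expired codes are discarded, not retried
            return False
        if hmac.compare_digest(code_hash, self._hash(user_id, submitted)):
            del self._pending[user_id]  # single use: a replayed code must fail
            return True
        attempts_left -= 1
        if attempts_left <= 0:
            del self._pending[user_id]  # too many guesses: burn the code entirely
        else:
            self._pending[user_id] = (code_hash, expires_at, attempts_left)
        return False

    @staticmethod
    def _hash(user_id, code):
        # Bind the code to the user so a code issued to one account cannot verify another.
        return hashlib.sha256(f"{user_id}:{code}".encode()).hexdigest()


def _wrong_code(code):
    """Deterministically pick a code that differs from the issued one."""
    return f"{(int(code) + 1) % (10 ** CODE_DIGITS):0{CODE_DIGITS}d}"


def demo():
    """Exercise the four controls with a constructed, controllable clock."""
    now = [1_000_000.0]
    store = OneTimeCodeStore(clock=lambda: now[0])
    results = {}

    code = store.issue("alice")
    results["wrong_rejected"] = store.verify("alice", _wrong_code(code)) is False
    results["correct_accepted"] = store.verify("alice", code) is True
    results["replay_rejected"] = store.verify("alice", code) is False

    code = store.issue("alice")
    now[0] += CODE_TTL_SECONDS + 1
    results["expired_rejected"] = store.verify("alice", code) is False

    code = store.issue("bob")
    for _ in range(MAX_ATTEMPTS):
        store.verify("bob", _wrong_code(code))
    results["locked_out_after_max_attempts"] = store.verify("bob", code) is False
    return results


if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check}: {'ok' if passed else 'FAILED'}")
```

The code verifier is only the second step of a login; the caller should run it after the primary password has been checked, and should issue a new code per login attempt rather than reusing one across sessions.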

It took well-known brands with a significant amount of consumer influence (e.g. Facebook, Twitter, LinkedIn) to bring identity federation to the masses. Similarly, it will take at least one well-known brand with a significant amount of consumer influence to fork-lift us down the non-password-oriented identification path.
