As we just passed the much anticipated date
of October 21st 2015, where we were supposed to have hover boards
and flying cars, we’ve seen yet another prediction that did not quite live up
to the expectation: no more passwords. “Back to the Future” did not have much
of a direct reference to passwords, except maybe when policewomen identify
Marty’s girlfriend from her fingerprint, which we can easily do these days,
except for privacy laws which probably won’t let the police have all citizens’
fingerprints on file. I will not argue that we are stuck with passwords or that
other identification technologies will not catch up. Instead, I believe that passwords will have a
prominent role in the holistic approach to access control and security for
years to come; be it as a standalone method or in conjunction with other
technologies such as biometrics and tokens. Recently, there have been lots of new
initiatives that have encouraged people to create strong passwords, but most
people don’t know why a good password is so important. This is why we are going
to get in-depth with this, and find out exactly why we need strong passwords.
It is true that we have made a lot of
progress in the field of biometrics, which essentially is the way to verify
“who you are” by using one of your biological or behavioral patterns that we
presume to be stable enough throughout your life and hard enough to fake.
Fingerprinting was in use long before there were passwords around, and today
it is one of the main contenders to replace them. Fingerprint scanners
are quite cheap these days and their performance is fast approaching an
acceptable level of accuracy. So what is the problem? Why can’t we replace all
passwords with fingerprint scanners?
For one, the strongest feature of a
fingerprint is also its weakest: You cannot change it. Your fingerprint is
great to verify that you are who you say you are, especially if someone is
watching while you scan your finger. For example, while you are crossing a
border or while a government agent is issuing an ID, an officer will make sure
a real person is scanning their finger and the algorithm verifies that it
matches the person. Your fingerprint impression, which is essentially a picture
of your finger or a mathematical representation of it, is anything but secret
information. You leave it behind everywhere you go, and once you start using
your fingerprint as your identity, a large number of systems will have a copy of it,
which sooner or later will be compromised. When your password is compromised
you can simply change it and get a new one, often without the supervision or
help of anyone else. On the other hand,
a compromised fingerprint, or any other biometric feature, is impossible to
change.
Another reason why biometrics is not a
sufficient replacement for passwords is its accuracy. A password is a binary proposition:
you either know it or you don’t. With biometrics, although it has come a long
way and is at quite an acceptable level right now, there is always a chance
that you could deny entry to someone who deserves it (false negative, measured as the false rejection rate, FRR) or,
worse, let someone in who should not be allowed (false positive, measured as the false acceptance rate, FAR).
Biometric devices come with a “CER” (crossover error rate) number which indicates the accuracy of the
device: it is the point where these two numbers (false positives and false negatives) cross over.
As small as these numbers are getting these days, they are still larger than
zero, which means that you don’t want to rely on them if it’s a life or death
situation. There is also the added complexity of needing access to these
physical scanners. You can type your password anywhere, anytime, and from
pretty much any device, but as advanced as some mobile devices are getting
these days, we are still a long way from a global standardization of biometrics
that will eliminate passwords altogether.
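To make the FAR/FRR/CER relationship concrete, here is an added example (not code from the original post) that sweeps the decision threshold of a hypothetical matcher over constructed genuine and impostor match scores, finds the crossover point, and shows what pushing FAR down to a chosen bound costs in false rejections:

```python
"""Added example (not part of the original post): computing FAR, FRR and the
crossover error rate (CER) of a biometric matcher from constructed match scores."""

# Constructed sample data: similarity scores (0..1) that a hypothetical matcher
# produced for genuine users and for impostors. Real deployments would use
# thousands of scores per population.
GENUINE_SCORES = [0.95, 0.92, 0.90, 0.88, 0.85, 0.82, 0.78, 0.70, 0.60, 0.45]
IMPOSTOR_SCORES = [0.10, 0.20, 0.25, 0.30, 0.35, 0.40, 0.50, 0.55, 0.65, 0.75]


def rates_at(threshold, genuine, impostor):
    """FAR and FRR when every score >= threshold is accepted."""
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)  # false positives
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)     # false negatives
    return far, frr


def crossover(genuine, impostor):
    """Threshold where FAR and FRR are closest (the device's CER).
    Returns (threshold, far, frr)."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = rates_at(t, genuine, impostor)
        if best is None or abs(far - frr) < abs(best[1] - best[2]):
            best = (t, far, frr)
    return best


def threshold_for_max_far(genuine, impostor, max_far):
    """Most permissive threshold whose FAR does not exceed max_far, with the
    FRR that policy costs. Driving FAR toward zero (the "life or death" case)
    is paid for in false rejections; it is never free."""
    candidates = []
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = rates_at(t, genuine, impostor)
        if far <= max_far:
            candidates.append((frr, t, far))
    frr, t, far = min(candidates)  # lowest FRR, then lowest threshold
    return t, far, frr


if __name__ == "__main__":
    t, far, frr = crossover(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"CER at threshold {t}: FAR={far}, FRR={frr}")
    t, far, frr = threshold_for_max_far(GENUINE_SCORES, IMPOSTOR_SCORES, 0.0)
    print(f"FAR forced to 0 needs threshold {t}, costing FRR={frr}")
```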
If biometrics cannot, or should not replace
passwords, then why do we even need them?
The short answer is MFA, or Multi-Factor Authentication. MFA is based on
the concept of “Defence in Depth”, where rather than trusting in one measure to
protect your assets, you defend it with at least two unrelated measures. This
means that if one of them fails, you still have the other one(s) providing
protection. To visualize “defence in depth”, think of a medieval castle where
you have the moat filled with water (and possibly alligators) on the perimeter.
You hope that heavily armored enemies won’t make it through. If they do, you
have your 6ft thick and 100ft tall stone walls. There is often another layer of
walls inside the castle and, as a last resort, maybe a secret tunnel to bail
out if all else fails.
MFA works in a similar way, where at least
2 different types of authentication mechanisms are used to authenticate
someone. Three distinct types of credentials can be used in MFA, relying on something
you know (a password, PIN or passphrase), something you have (a hard or
soft token or a key) and something you are (biometrics, e.g. fingerprint,
retina scan, palm scan). It is important
to note however that having two separate passwords or authenticating with both
your fingerprint and retina scan is not considered MFA. You need to have at
least one of each type to have a true multi-factor protection. We talked about
“what you know” and “what you are” earlier, which brings us to “what you have”.
The most common thing you “have” to access
private information or objects with is a key (both a metal one in your key
chain and soft keys we’ll talk about later). We are all familiar with the
basics of a key: for every door, box, car or safe we have a unique key. We
carry it in our pockets and use it to open the door, box, or safe when we need
it. We also know losing it is not a pleasant experience, especially if you
don’t have a spare copy. But thanks to advancements in cryptography, we have a
number of mathematical algorithms that work just like the physical keys. These
algorithms also come with the added benefit of being information based, which
means that they can be copied, backed up, and regenerated much easier than a
physical key. Keys are a closer match to regular passwords, and in my opinion,
a better candidate to replace them altogether. There are however, still reasons
why replacing all passwords with keys is not going to happen any time soon.
In terms of security, cryptographic keys
and soft/hard tokens are the best option there is. If designed and implemented
properly, they are virtually impossible to break with today’s technology or
with any technology in the foreseeable future. Once you have them, they are
reasonably easy to use with 100% accuracy, although managing their lifecycle is
more complicated than that of a password. The most obvious reason why keys have
not yet taken over passwords is the added complexity and cost they bring. The
added cost ranges from slightly more in software based keys to significantly
higher in hard token solutions that need to be sent to each user. The real
obstacle is the added complexity of their use, where people now need to
understand what keys are, where they reside, how they are used, and how they
need to be kept secure when they are not in use. The fact that standardization
has been slow, and that competing vendors have been pushing their own technologies
to win a bigger market share, has not helped with adoption.
Another difficulty with keys and tokens is
that they are harder to manage. Remembering a password is often a lot easier
than remembering where you placed your keys, especially when there are many of
them. Sometimes, malware may quietly compromise your key, or your computer
could crash and you could lose your keys altogether. When you forget your
password, the process to get a new one is often quite straightforward and
self-directed. A key recovery however, often involves manual intervention, and
if the key is a hard token, there’s an added cost for reprogramming and
physically sending the replacement key. Interestingly enough, we use passwords
to protect cryptographic keys and key stores for added protection. Key recovery
also depends on setting and remembering a password. When a key or token is stolen,
the password protecting it is the only protection that remains.
To sum it all up, there are a number of valuable
technologies today at our disposal to ensure the security of things we value, be
it a sensitive document or our bank account. It is, however, still premature to
expect to get rid of all passwords in the near future, as we still rely on them
as a simple and scalable way to secure things. Passwords not only protect
our social media posts, bank cards and email accounts; they are also part of
many advanced encryption and security systems, used in conjunction with keys to defend
against compromise, loss or abuse. To be able to strike a good balance between
security and convenience, we still need the good old password. Once a system is
compromised, a good password is often the last line of defense to protect it,
so you should understand what a good password is and learn how to create and
maintain one, but that’s another story, for another blog post.
By
Cuneyt Karul, PhD, CISSP, RESILIA
Chief Security Architect
BlueCat