Should passwords die in a fire?
Michael Daniel, the US Cyber Security Czar, thinks so. His replacement solution? Selfies (the pictures people take of themselves). While the notion of killing the password is shared by many, suggestions -- even those not as laughable as selfies -- have a tendency to fall short.
Now Twitter suggests they need to do away with passwords because they don’t work for people in developing countries. Their suggestion? Use your phone number and a service they developed to send a code to your phone. It’s what we used to call a one-time password. Except in this case, what do we know about the wireless network(s) over which that code is delivered? Do you trust them?
It seems a lot of solutions targeting the demise of the password end up relying on… passwords. Sure, they wrap complexity around them, or they add factors (see below). What these attempts reveal is clear: passwords aren’t the problem. The friction, agony, and disdain are just symptoms.
The real challenge? The ability to clearly define the problem we’re trying to solve.
Building on the basics of authentication
The basics of authentication draw on a few key concepts:
Identity proofing: the methods used and confidence in associating the identity of a person with an account, device, or other construct
Factors of authentication, classically explained as
something you know (like a password)
something you have (like a token)
something you are (biometrics)
Level of assurance: the strength of the identity proofing that is required. Typically, the higher the assurance level, the more factors of authentication are required
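The distinction between factors and level of assurance is easy to get wrong in practice: adding a second “something you know” (a security question next to a password) adds complexity but not a second factor. The following is an added illustration, not code from the original post; the credential types, the category each is assigned to, and the mapping from assurance level to number of distinct factors are assumptions made for the example.

```python
"""Assurance policy check: count distinct authentication factor categories.

Added illustration, not from the original post. The credential types,
their categories and the level-to-factor mapping are assumptions.
"""
from enum import Enum


class Factor(Enum):
    KNOW = "something you know"
    HAVE = "something you have"
    ARE = "something you are"


# Assumed classification of credential types into the classic factor categories.
CREDENTIAL_FACTOR = {
    "password": Factor.KNOW,
    "pin": Factor.KNOW,
    "security_question": Factor.KNOW,
    "hardware_token": Factor.HAVE,
    "sms_code": Factor.HAVE,   # proves possession of a phone number, via the carrier network
    "fingerprint": Factor.ARE,
}

# Assumed policy: minimum number of *distinct* factor categories per assurance level.
REQUIRED_DISTINCT_FACTORS = {1: 1, 2: 2, 3: 3}


def distinct_factors(credentials):
    """Return the set of factor categories covered by the presented credentials."""
    unknown = [c for c in credentials if c not in CREDENTIAL_FACTOR]
    if unknown:
        raise ValueError(f"unclassified credential type(s): {unknown}")
    return {CREDENTIAL_FACTOR[c] for c in credentials}


def meets_assurance(credentials, level):
    """True if the credentials cover enough distinct categories for the level.

    Two credentials in the same category (password + security question) do not
    make a second factor; they only make the first one more elaborate.
    """
    needed = REQUIRED_DISTINCT_FACTORS[level]
    return len(distinct_factors(credentials)) >= needed


def still_relies_on_password(credentials):
    """True if the scheme still includes a knowledge factor, i.e. a password-like secret."""
    return Factor.KNOW in distinct_factors(credentials)


if __name__ == "__main__":
    print(meets_assurance(["password", "security_question"], 2))   # False
    print(meets_assurance(["password", "sms_code"], 2))            # True
    print(still_relies_on_password(["password", "sms_code"]))      # True
```

The `sms_code` entry is classified as possession, but the policy says nothing about how much that possession can be trusted; that depends on the delivery network, which is exactly the question raised above.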
Sometimes people conflate identity with authentication. Even allowing for that confusion, the need for more assurance and confidence in authentication keeps increasing.
By focusing on the password, here’s what we miss
The password itself is only one part of a larger system. That means any effort to bolster, abandon, or replace passwords needs to address the three critical elements of that system. As a system, authentication has at least three parts:
Design and implementation
Operation and maintenance
Most of the outrage over passwords is hyper-focused on individual usage. As such, the more critical components of the solution are largely ignored. And that creates opportunity for attackers.
While some high-profile attacks are suggested (or confirmed) to take advantage of single compromised user accounts, the broader trend is attacks on password stores and exploits that take advantage of weaknesses in system design.
In the blind rush to end the password, it is essential to keep focus on the expected outcome and necessary parts of the solution design.
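Because the password store, not the individual password, is the broader target, the design and operation of that store matters more than how many characters a user types. The example below is added here and is not the author’s code: it shows a weak store (unsalted fast hash, so a single cracked hash exposes every account sharing that password) beside a hardened one that uses a per-user salt, a deliberately slow key derivation function and a constant-time comparison. The scrypt cost parameters and salt length are assumptions for the example and should be tuned for a real deployment.

```python
"""Password store design: weak record beside a hardened record.

Added example for this post, not the author's code. The scrypt parameters
and salt length are assumptions; tune them for the deployment.
"""
import hashlib
import hmac
import os

# Assumed scrypt cost parameters; memory use is 128 * n * r bytes (16 MiB here).
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16
KEY_BYTES = 32


def weak_record(password: str) -> str:
    """The weak design: unsalted, fast hash.

    Equal passwords give equal records, so a stolen store reveals which
    accounts share a password, and one cracked hash opens all of them.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def make_record(password: str) -> dict:
    """Hardened design: per-user random salt plus a slow, memory-hard KDF.

    Only this record is stored; the password itself is never written.
    The parameters travel with the record so they can be raised later.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_BYTES)
    return {"alg": "scrypt", "n": SCRYPT_N, "r": SCRYPT_R, "p": SCRYPT_P,
            "salt": salt.hex(), "hash": digest.hex()}


def verify(password: str, record: dict) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    if record.get("alg") != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode("utf-8"),
                            salt=bytes.fromhex(record["salt"]),
                            n=record["n"], r=record["r"], p=record["p"],
                            dklen=KEY_BYTES)
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def shared_password_groups(weak_store: dict) -> list:
    """Given {user: weak_record}, return groups of users whose records collide.

    This is what the weak design leaks to anyone holding a copy of the store.
    """
    by_hash = {}
    for user, rec in weak_store.items():
        by_hash.setdefault(rec, []).append(user)
    return [sorted(users) for users in by_hash.values() if len(users) > 1]


if __name__ == "__main__":
    # Constructed sample accounts for the demonstration.
    weak = {u: weak_record(p) for u, p in
            [("alice", "summer2014"), ("bob", "summer2014"), ("carol", "x9!Qv")]}
    print(shared_password_groups(weak))          # [['alice', 'bob']]
    rec = make_record("summer2014")
    print(verify("summer2014", rec), verify("Summer2014", rec))   # True False
```

Raising the cost parameters later is possible because they are stored in each record, so `verify` can check an old record while new records are created with stronger settings.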
Defining the problem we need to solve
The first step to design a better authentication system means forgetting about passwords. It also means setting aside dreams of selfies and other headline-grabbing methods. Instead, go back to the basics and focus on functional outcomes to define the problem before advancing a solution.
Complaints about passwords suggest the problem we need to solve is authentication: we need to design, implement, and offer authentication methods that are easy to use, hard to break, and provide the appropriate level of assurance.
The high-level criteria for a solution include:
Easy to use
Easy to implement
Strong/easy to protect
Allows for the appropriate confidence in identity proofing
Allows for the desired level of assurance
The criteria are both subjective and variable. Designing a solution that allows that sort of flexibility requires more time to clearly define and explain each of the requirements in a way that is easily understood.
Developing a better solution
When people write about using existing networks to handle authentication -- in the name of convenience and ending the password -- we have to evaluate the entire solution design, then compare it against known and anticipated problems.
A good way to get started? Use a concept central to many practices -- put people at the center. Learn how they work, then design and build solutions that address their needs. We never really did that with passwords, or with the real reason for passwords: authentication.
Advancing the discussion
For the nearly two decades of my security career, people have routinely called for the demise of the humble password. If we’re going to end the password -- which I’d support -- then the answer isn’t as simple as two-factor (which typically still uses a password), or biometrics (too many questions to ask, too many left unanswered). Admittedly, Apple’s Touch ID seems to be paving a potential pathway for biometrics, and it merits more scrutiny.
In the meantime, if we stop bashing the password, start discussing the problem, define requirements, and share our knowledge and experience, our children might actually experience a different, better, and more usable solution to the challenge of authentication.