Despite hopeful initiatives, demise of passwords years away
FIDO Alliance, DARPA vow to create better authentication, but new systems will have to attract users and providers, say security pros
February 14, 2013 — CSO — Security pros have been saying for years that password protection is not enough. And this week, two groups -- one private, one public -- announced initiatives to create more secure ways to authenticate identities online.
Several security experts, who would love to see passwords retired, said they will be watching those initiatives with interest, but don't expect mainstream change for at least the next several years.
The FIDO (Fast IDentity Online) Alliance, an industry group formed in July 2012, said it hopes to eliminate passwords and improve online security by establishing a standard for interoperable authentication protocols that could include USB tokens, fingerprints and one-time passwords.
FIDO includes PC maker Lenovo, security firm Nok Nok Labs, online payment firm PayPal, biometrics firm Agnito, and authentication specialist Validity.
The Defense Advanced Research Projects Agency (DARPA), a research and development arm of the Department of Defense (DoD), issued a "broad agency announcement" (BAA) seeking research proposals for developing biometric authentication through analysis of various activities and behaviors -- keystroke patterns, mouse use, sentence structure and use of language -- that add up to what the agency calls a "cognitive fingerprint."
Brian Donohue at Threatpost writes that DARPA is seeking a biometric platform which "integrates all available biometrics into a single device that carries out the actual business of authentication."
As DARPA puts it: "The application is trying to identify you by looking at all available aspects of you, not just a single sensor connected to the device."
The biometric analysis also is meant to overcome the fact that, "typical systems incorporate no mechanisms to verify that the user originally authenticated is the user still in control of the keyboard," the BAA said.
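As an added illustration of the continuous re-verification idea in DARPA's announcement, the toy below builds a keystroke-timing profile at enrollment and then re-scores the typing rhythm every few keystrokes, flagging a window whose rhythm no longer matches the person who logged in. This is constructed example code, not code from DARPA, FIDO or the article; the timing values, the z-score features and the threshold are all assumptions chosen for illustration.

```python
from statistics import mean, pstdev

# Constructed enrollment data (not real measurements): each session is a list of
# (dwell_ms, flight_ms) pairs, i.e. how long a key was held and the gap to the next key.
ENROLLMENT = [
    [(88, 150), (92, 145), (90, 160), (95, 148), (85, 155)],
    [(91, 152), (89, 147), (93, 158), (87, 150), (90, 153)],
    [(86, 149), (94, 156), (90, 151), (92, 146), (88, 154)],
]


def build_profile(sessions):
    """Mean and standard deviation of each timing feature across enrollment sessions."""
    dwell = [d for s in sessions for d, _ in s]
    flight = [f for s in sessions for _, f in s]
    # Floor the deviation so a very uniform enrollment cannot divide by ~0 later.
    return {
        "dwell": (mean(dwell), max(pstdev(dwell), 1.0)),
        "flight": (mean(flight), max(pstdev(flight), 1.0)),
    }


def window_score(profile, window):
    """Mean absolute z-score of a window of keystrokes against the profile.
    Near 0 means the rhythm matches the enrolled user; large values mean it does not."""
    zs = []
    for d, f in window:
        for (mu, sd), x in ((profile["dwell"], d), (profile["flight"], f)):
            zs.append(abs(x - mu) / sd)
    return sum(zs) / len(zs)


def continuous_verify(profile, stream, window=5, threshold=2.5):
    """Re-verify the operator every `window` keystrokes after the initial login.
    Returns one (window_index, score, accepted) tuple per window; a rejected window
    is where a real system would step up authentication or lock the session."""
    results = []
    for i in range(0, len(stream) - window + 1, window):
        s = window_score(profile, stream[i:i + window])
        results.append((i // window, round(s, 2), s < threshold))
    return results


if __name__ == "__main__":
    prof = build_profile(ENROLLMENT)
    # Constructed live stream: the enrolled user types, then someone else takes over.
    live = [(90, 150), (89, 153), (92, 149), (88, 155), (91, 152),
            (140, 60), (135, 70), (145, 65), (138, 58), (142, 72)]
    for idx, score, ok in continuous_verify(prof, live):
        print(f"window {idx}: score={score} {'ok' if ok else 'MISMATCH'}")
```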
These are not the first efforts to get beyond passwords, said Robert Siciliano, CEO of IDTheftSecurity. "The National Strategy for Trusted Identities in Cyberspace (NSTIC) has been at this since 2010, but many private companies have been at this for over a decade," he said. "The pain is finally getting bad enough, the criminals are getting good enough and the public is no smarter, so in the next five and more likely 10 years we should see significant change."
But even now, there are "talented companies out there with existing authentication technologies that are non-invasive, don't impinge on privacy, are easy to use and pass the grandmother test," he said.
NSTIC says on its website that it envisions an "Identity Ecosystem" that would allow people to choose from a marketplace of identity providers - private and public - that would issue trusted identity credentials. Instead of having to remember dozens of passwords, "the system would work much like your ATM card works now. By having a credential and a password you would be able to use your trusted ID at many different sites," NSTIC said.
Whatever the initiative, experts agree that the elimination of passwords will take some time. Fred Touchette, senior security analyst at AppRiver, said: "Not everyone has the will or desire to do more than they feel they have to in order to maintain good security practices, and the cost to implement things such as biometrics in every device and make all authentication systems compliant means it's a ways off."
And Ben Knieff, director of fraud product marketing at NICE Actimize, said for any new system to work, both users and providers must accept it. "Everybody has to be in it together," he said. "I expect it to take a long time before a new system is widely accepted, but we're in an amazing environment where it could be a lot shorter."
Some analysts said the FIDO Alliance will have difficulty bringing those groups together. John Fontana at ZDNet quoted Gartner analyst Ian Glazer, saying, "It appears to be a good effort, but my two concerns are its small ecosystem and that it may not serve a larger audience."
Suzanne Matick, a spokeswoman for the FIDO Alliance, said by email that the group is poised for expansion. "There are many other organizations ready to join the FIDO Alliance," she said. "They are in their processes and working through legal issues, which cannot be rushed, but you may expect announcements soon."
Knieff said he believes FIDO could be attractive to both users and providers because of a key factor: "It makes it easier. It lets people use personal preferences and what they're comfortable with," he said.
Knieff and others believe the eventual demise of passwords will definitely make the online world more secure. But, as is always the case, criminals will look for other weak points.
"Weak passwords can be cracked in a dictionary attack," said Robert Siciliano. "But the real issue lies in social engineering attacks where the strength of a password doesn't matter."
Knieff added: "With biometrics, it is very difficult to impersonate somebody, so criminals will look for another way to insert themselves." That is already happening, he noted, when cybercriminals trick people into providing their authentication information for bank accounts.
"If there's a weakness, someone will find it," said Touchette.
Other stories by Taylor Armerding