Businesses Should Take a Pass on Traditional Password Security

Tuesday, August 04, 2015

Geoff Sanders


In today’s connected world, authentication is ubiquitous. Whether it’s a website, mobile app, laptop, car, hotel door lock, retail kiosk, ATM, or video game console, security is essential to all networked systems. Even individuals must authenticate with state-issued ID cards to validate their identities within the network of a city or state.

Whether virtual or physical, the improper access that results from failed authentication has tangible effects, ranging from stolen identities and fraudulent transactions to intellectual property theft, data manipulation, network attacks, and state-sponsored espionage. These consequences have the potential to cost companies millions of dollars, ruin the reputations of individuals, and disrupt business.

Authentication in the Internet Age

Let’s be honest. Historical forms of authentication were never meant for the networked landscape we live in today. The first passwords were adequate authentication solutions only because the systems they secured were isolated. Unfortunately, the isolated systems that pervaded the early days of the computer revolution have set the foundation for authentication in the Internet Age.

Within just a few years, the global computer market transitioned from a disconnected world of isolated computers to a fragmented world connected by the cloud. Not only are computers now interconnected; the devices themselves and the applications running on them are as mobile as the users who own them. Applications are no longer restricted to specific machines or data centers; they can be distributed, dispersed, or local to mobile devices. The security of any individual system or user now affects the security of every system networked to it.

The Internet has been ingrained in global culture and commerce to such a drastic degree that every new day increases the risk and impact of improper authentication. And with the impending Internet of Everything — that is, the millions or billions of devices, sensors, and systems that will connect to the Internet — not only is the need for secure authentication exponentially rising, the landscape is also changing.

Today, the tempo of security breaches directly related to stolen passwords and bypassed authentication is increasing along with the severity of their consequences. Further compounding these issues, past breaches are creating a snowball effect resulting in subsequent attacks being easier, quicker, and more widespread than their predecessors.

A new approach to authentication and authorization is required to face the new generation of modern security challenges. 

Houston…We Have a Password Problem

I believe that passwords aren’t simply used incorrectly today; they’re fundamentally insecure and present problems for device authentication in the future.

Traditionally, the primary form of user authentication in networked systems has been the username and password combination. More recently, the concept of strong authentication has become popular whereby an additional factor of authentication is used on top of the password layer for added assurance. Unfortunately, neither passwords nor strong authentication built on top of passwords are bulletproof solutions for today’s security challenges.

As we begin to consider an Internet of Things (IoT) world of connected devices, it’s easy to see how passwords are incompatible with the vast majority of smart objects that constitute the future of our networked world. The in-band, centralized nature of passwords requires that users input credentials into the requesting application. However, most devices, such as sensors, door locks, and wearables, don’t have an attached keyboard for password input. This means that authentication must happen out of band: instead of the user supplying a device with credentials, that device must obtain authorization externally, in a decentralized manner.

The Problem with Two-Factor Authentication

Security experts have long recommended strong authentication to compensate for the weakness of passwords. While strong authentication is the correct approach to take, the traditional method, known colloquially as two-factor authentication, is inadequate.

Let’s take a look at a few of the key issues:

Architectural Vulnerabilities

Shared secret architectures involve a token or one-time password (OTP) that is sent to a mobile phone or fob that the end user owns. This OTP is compared with a token generated by the application being secured.

The symmetric key cryptography that this process relies on is an inferior security approach because if either the user’s device or the application is compromised, the shared secret can be obtained, thereby allowing an attacker to generate their own correct token. Additionally, since the user’s token must be transcribed or delivered back to the application for comparison, there is a risk that the token can be intercepted by a hacker, malware, or observer in a man-in-the-middle (MITM) attack.
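The two architectures contrasted above, as an added example that is not code from the article or from LaunchKey. The shared-secret side is a standard RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits), checked against the RFC's published test seed so the output can be confirmed. The asymmetric side is an assumed challenge-response design using Ed25519, which the article does not name; it is here only to show the property the author relies on: the verifier stores a public key, and a copy of that stored value cannot produce a valid response, whereas a copy of a stored OTP seed can.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

// totp computes an RFC 6238 time-based one-time password: HMAC-SHA1 over a
// 30-second time-step counter, dynamically truncated to 6 digits. The
// authenticator app and the server each run this over the SAME seed.
func totp(seed []byte, unixTime int64) string {
	var counter [8]byte
	binary.BigEndian.PutUint64(counter[:], uint64(unixTime/30))
	mac := hmac.New(sha1.New, seed)
	mac.Write(counter[:])
	digest := mac.Sum(nil)
	offset := digest[len(digest)-1] & 0x0f
	code := binary.BigEndian.Uint32(digest[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// otpServerVerify models the application side of a shared-secret scheme: to
// check a submitted code it must keep the seed itself, so a dump of its
// credential store yields the seed to whoever obtains it.
func otpServerVerify(storedSeed []byte, submitted string, unixTime int64) bool {
	return hmac.Equal([]byte(totp(storedSeed, unixTime)), []byte(submitted))
}

// seedCopyVerifies returns true when a copy of the server's stored seed is,
// on its own, enough to produce a code the server accepts. This is the
// symmetric-key weakness the article describes: either side's copy is a
// full credential.
func seedCopyVerifies(seedCopy []byte, unixTime int64) bool {
	return otpServerVerify(seedCopy, totp(seedCopy, unixTime), unixTime)
}

// newChallenge models the server issuing a fresh random nonce for each
// authentication attempt, so a captured response cannot be replayed.
func newChallenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return nonce, nil
}

// deviceSign models the user's device: the private key never leaves it, and
// only a signature over the server's nonce travels back.
func deviceSign(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, challenge)
}

// sigServerVerify models the application side of the asymmetric scheme: it
// stores only the public key, which cannot be used to produce signatures.
func sigServerVerify(pub ed25519.PublicKey, challenge, sig []byte) bool {
	return ed25519.Verify(pub, challenge, sig)
}

// asymmetricRoundTrip runs one challenge-response login and then tries the
// same signature against a second, fresh challenge. It returns whether the
// genuine response verified and whether the replayed one did.
func asymmetricRoundTrip() (genuine bool, replay bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	first, err := newChallenge()
	if err != nil {
		return false, false, err
	}
	sig := deviceSign(priv, first)
	second, err := newChallenge()
	if err != nil {
		return false, false, err
	}
	return sigServerVerify(pub, first, sig), sigServerVerify(pub, second, sig), nil
}

func main() {
	// RFC 6238 Appendix B test seed and time, so the output can be checked
	// against the published vector (94287082; the last six digits are 287082).
	seed := []byte("12345678901234567890")
	fmt.Println("TOTP at t=59:", totp(seed, 59))
	fmt.Println("server's stored seed alone yields an accepted code:", seedCopyVerifies(seed, 59))
	genuine, replay, err := asymmetricRoundTrip()
	if err != nil {
		panic(err)
	}
	fmt.Println("signature over fresh challenge verifies:", genuine)
	fmt.Println("same signature replayed against a new challenge verifies:", replay)
}
```

The contrast is in what each verifier has to keep: `otpServerVerify` cannot work without the seed, so the server holds the same credential the user's device does, while `sigServerVerify` needs only the public key. The fresh nonce from `newChallenge` is what removes the interception risk the article raises for transcribed tokens, since a captured response is tied to one challenge.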

Password Layer Remains Unresolved

Traditional two-factor authentication retains the in-band password layer which means the core password problems remain unresolved. The application still holds on to the “bait” that hackers and malware are after, keeping the application layer in the crosshairs of any attack on the authentication layer.

Poor User Experience

Transcribing tokens that quickly expire may be considered an annoying user experience that many users will opt to avoid in favor of a smoother authentication flow. OTP flows that rely on SMS are unreliable and inconsistent. End users’ preference for convenience over security means traditional two-factor authentication implementations like OTP may go unused. For organizations and applications, traditional two-factor authentication means sending their users outside of the branded experience that they control.

Additionally, traditional two-factor authentication approaches involve sending the end user to a third-party application. Often, this involves a company or online service forwarding their users to mobile apps or hardware with unaffiliated branding and user experience. Such an approach is often unacceptable, especially for consumer-facing organizations.

Use Cases Are Limited

Authentication is integral to more use cases than login forms. Whether a user wants to approve a purchase in real time, sign for a package, verify their identity, or access a secure corporate office, authentication plays a critical role. In many of these scenarios, an input form to submit credentials like a password and OTP token isn’t available, thereby placing such scenarios out of the scope of traditional two-factor authentication.

High Cost

Many two-factor authentication solutions represent a tangible cost and logistical burden. A single hardware token can cost as much as $100 or more, making a two-factor authentication solution that only satisfies a limited subset of use cases unrealistic.

Time to Move Beyond the Password

Password-based authentication is no longer capable of meeting the demands of modern security. Passwords are inherently insecure as a method of authentication, and their efficacy relies on end users, developers, system administrators, and the applications themselves, all of which are vulnerable to a wide variety of attack vectors currently being exploited in cyberattacks around the world today.

Traditional strong authentication methods like two-factor authentication built on top of passwords do nothing to address the liability and risk of the insecure password layer, while their shared secret architecture (e.g. OTP) is cryptographically inferior, vulnerable to many attack vectors, and creates a cumbersome experience that users dislike and often avoid. Furthermore, both passwords and the strong authentication built on top of them are incompatible with many of the devices and remote “things” that will require user authentication in the future but lack the requisite input mechanisms, like keyboards and forms, to use them.

Organizations and applications must remove the vulnerability and liability that passwords have created while implementing more secure authentication methods that account for an evolving and diversified landscape of use cases, end users, and threats.

About the Author: Geoff Sanders is Co-Founder and CEO of LaunchKey
