Death of a Password

Recently while entering a particularly complex password I started to wonder how much time we spend just entering passwords so I did a quick calculation I will share with you now.

It takes me six seconds to enter a typical password. Yes, my passwords are reasonably complex and my hunt/peck, two finger typing is not the fastest. On average, I enter a password twenty times per day five or more days per week, probably a little more often than most people. This all adds up to eight hours just entering passwords per year! One whole (admittedly short for many working in small business) work day per year, per person.

Working with computers and data all day I use a password manager and that helps with many but not all the systems I need to log into. My calculation also only considered the time taken to enter the password, add to this the time to enter a username if it cannot be saved.

I also assumed we get the password correct every time and do not have to wait to be rudely rejected before carefully re-entering the password or “trying that other password that it must be”. I normally use Microsoft Windows machines but often need to use Apple Macs and I swear if that OS X password dialog shakes its head at me again I will shake the screen just as vigorously.

Add this all up and pretty soon we start to see multiple days just entering passwords per year! Multiply this by the number of computer users in your business and we start to see that the power of the internet comes at a significant hidden cost.

Popular opinion is that the first computer password appeared in the early 60’s. Now after 50 years the security experts (and the headlines) are telling us that passwords, even complex ones, are becoming insecure and we need two factor authentication. OMG! You seriously want me to remember another piece of information to prove to this stupid machine that I am who I say I am!

Fortunately there is some light at the end of the tunnel and it is in the form of a perfect storm of security related technologies coming together in late 2015. Let’s step through several of the key technologies in an effort to demystify the alphabet soup and cut through the hype to see if we can predict the demise of an old enemy:

Multi/Two Factor Authentication (MFA/TFA)

As the heading suggests MFA is the use of more than one factor to prove that the user is who they claim to be. Typically these factors are categorised into three broad groups:

  • Knowledge factors (“things only the user knows”), such as Passwords, PINs, Secret Questions
  • Possession factors (“things only the user has”), such as smart cards (e.g. modern ATM cards)
  • Inherence factors (“things only the user is”), such as biometrics (e.g. Fingerprint, Voice, Face Recognition)

TFA systems utilise two of these factors to authenticate a user. The common example of this is using your cash or credit card in an ATM. You need both your card and your PIN to get cash from the ATM. MFA security increases as the number and independence, or separation, of the two factors increases. This is why banks warn you not to store your PIN with your ATM card.

The security of the delivery and storage mechanism for the factors is also a consideration. If one of the factors is delivered over an insecure channel (some security experts suggest SMS is an insecure channel) then it is a case of 1 + 1 = 1.1. Those who use Commonwealth Bank may have noticed a recent move away from SMS as second factor for online transaction to second factor code delivered through their CommBank mobile app. Whether this is a security, cost or reliability related change I do not know. I suspect it is all three.

Fast IDentity Online (FIDO)

The FIDO alliance was formed in July 2012 and aims address common authentication challenges experienced by developers and users alike through the development and promotion of specifications that enable improved interoperability specifically between security devices and browsers. FIDO has released two sets of specifications that support two types of user experience Passwordless and Second Factor. These are supported by two protocols Universal Second Factor (U2F) and Universal Authentication Framework (UAF) respectively.

Beware that the pesky password has not completely disappeared despite what the graphic above suggests. Look closely and you will realise that, in many cases, even the passwordless experience will usually have a password somewhere in the process even if it is only used once at the start.

The FIDO Alliance is not the only attempt at authentication standardisation but it is truly open and making a big splash. The FIDO Alliance boasts a members list that is the who’s who of companies we are forced to trust with the security of our data; Google, Microsoft, Visa, PayPal, MasterCard and Yubico just to name a few. Haven’t heard of Yubico? You will.

If you are interested in killing or at least mortally wounding passwords and you only follow one link in this article then this is the one: https://fidoalliance.org

Single Sign On (SSO)

SSO technology is not new. It is however, rapidly gaining momentum as companies rush to reduce the number of times you are prompted for credentials as we all begin using cloud based resources for work applications. SSO can be as simple as a single password giving you access to all resources on your work network or it may extend to your work login giving you access to external resources (such as Google Apps or Office 365). While strictly speaking SSO by itself does not eliminate passwords it does reduce the number of usernames and passwords we must enter each day.

Windows 10

Microsoft’s next version of the Windows operating system after Windows 8 is Windows 10 and it is expected to be released in late 2015. Microsoft recently announced that Windows 10 will be a free upgrade from Windows 7 and 8 for the first 12 months after release.

I am currently using the Windows 10 technical preview and in my opinion it completely solves the Windows 8 metro interface issues that drove just about everybody crazy, myself included. It brings with it a host of subtle improvements, especially if you are coming from Windows 7, along with a couple of huge leaps forward.

One of the leaps that is making passwords weak at the knees is the Microsoft announcement regarding Windows 10 on the FIDO website. Specifically:

Microsoft will ship a password replacement solution in Windows 10, and plans to support FIDO authentication.

To delve further the following extract from a BLOG entry on October 22, 2014 by Jim Alkove the Director of Program Management at Microsoft gives us some idea of how this might work:

Once enrolled, devices themselves become one of two factors that are required for authentication. The second factor will be a PIN or biometric, such as fingerprint…..Users will be able to enroll each of their devices with these new credentials, or they can enroll a single device, such as a mobile phone, which will effectively become their mobile credential. It will enable them to sign-in into all of their PC’s, networks, and web services as long as their mobile phone is nearby. In this case, the phone, using Bluetooth or Wi-Fi communication, will behave like a remote smartcard and it will offer two factor authentication for both local sign-in and remote access.

Passwords should be scared, very scared.

Biometrics

Courtesy of Wikipedia:

Biometric identifiers are the distinctive, measurable characteristics used to label and describe individuals. Biometric identifiers are often categorized as physiological versus behavioural characteristics. Physiological characteristics are related to the shape of the body. Examples include, but are not limited to fingerprint, palm veins, face recognition, DNA, palm print, hand geometry, iris recognition, retina and odour/scent. Behavioural characteristics are related to the pattern of behaviour of a person, including but not limited to typing rhythm, gait, and voice. Some researchers have coined the term behaviometrics to describe the latter class of biometrics.

Anyone who has an e-Passport and has travelled internationally recently may have used the Biometric Passport checking system when returning home. This system relies on Face Recognition and essentially a Smart card in your passport to verify your identity and check your rights to enter the country. If you have experienced international airport arrivals before and after this was implemented you will know what a great time saver it is reducing what could be an hour or two transit through arrivals down to fifteen minutes (depending on time to collect your baggage).

Several countries are using or starting to use Biometrics especially in government related service delivery. According to a 2013 report, roughly 1.2 billion people have already received identification through a biometric identification program in low-middle income countries.

As with most technologies biometrics are not infallible. One of the more common biometric identification methods we see in relation to computers is fingerprint recognition. Fingerprint recognition has gone through highs and lows in reputation since the first scanners were introduced with reports of scanners being easily defeated or unreliable due to slightly damaged skin or dirt. Several technologies exist to scan fingerprints and higher accuracy usually means higher cost and complexity.

In fact, a challenge with all biometric scanning devices has been reliability versus cost. Generally the more reliable the biometric device the more costly and cumbersome it is. However, smart phone manufacturers are rushing to add biometrics such as fingerprint, iris and voice recognition to their phones and as the volume of sensors manufactured increases the cost and quality of the technology will decrease rapidly.

Remember that the direction we are heading in is towards two or more factor authentication. So, while affordable biometrics may not be 100% infallible, when coupled with a simple PIN or password the whole authentication process will certainly be more secure and efficient than our current password approach.

2015 may just be the year we point the finger and give the evil eye to passwords!

Bringing it all together

As with any revolution, change will be involved and as with any change the change is made easier if a need for that change is clear and present and felt by all affected by the change. Anyone mad as hell and not going to put up with the frustration of complex passwords any more put your hand up. Tick that one off.

As standards evolve, interoperability will also evolve. Initially however, the most benefit will be had by businesses (and home users) settling on a single ecosystem. By ecosystem I refer to the big three; Microsoft, Google and to a lesser extent in the business environment, Apple.

Some may complain that I have ignored Linux. To that I counter that I am thinking specifically about small to medium business and due to many factors Linux still tends to live in either the large corporate or the enthusiast home user environment and generally not as a whole ecosystem. Linux may, in fact, lead the way in authentication in some instances due to enthusiasm and open standards but that, as they say, is another story.

In most cases for small to medium businesses riding this wave will mean committing to Microsoft and possibly a minimum subscription to Office 365 (at just over $5 per user per month) and an upgrade to Windows 10 (free upgrade for 12 months from release, remember?).

You could also decide to adopt the Google ecosystem with Google Apps for Work at around $5 per user per month. While this offers an inherently very mobile solution (not just on the road but within the office) it does require some adjustment especially with respect to email client usage and document editing. If you and your users can make the adjustment then the Google ecosystem has a lot to offer.

Finally there is the Apple ecosystem, and while Apple deliver an operating system focussed on user friendliness their market penetration in the work environment is very low. This is mainly because Apple proudly approaches computing from a more personal experience aspect. This tends to give us users a warm and fuzzy feeling. The problem is individuality does not scale well when you need to manage many computers. Who knows, we may yet see Apple decide to get serious with respect to the small to medium business market and we all know what happens when Apple decides it wants to change the world.

2015 will be very interesting indeed and if I was a password I would have my succession plan well under way.