With every new data breach, the digital citizenry becomes more aware that online activities aren’t necessarily private or secure. Whether you’re an adult looking for undercover dalliances on Ashley Madison or a child playing games online with VTech digital learning toys, the fact that you enter these sites by way of a password is no guarantee. Between the powerful cracking tools available to cybercriminals, the human tendency to take the easy route, and corporate negligence, it’s no wonder that attitudes about password security are shifting. Both end users and security professionals are calling for a better way forward.
Security is essential to all networked systems, and we interact with these systems multiple times everyday. As we go about our business in today’s hyper-connected world, it seems we need to use a key, entry code, or password every few minutes. We know we need to be careful with every website, mobile app, laptop, car, hotel door lock, retail kiosk, ATM machine, or video game console, but how are we supposed to participate responsibly in a deeply connected, password-protected society without driving ourselves crazy? After all, some days we have a hard time keeping track of our car keys.
In the end, most of us feel inconvenienced by all these logins. According to a LaunchKey survey, 46 percent of respondents claim they manage more than 10 passwords. As a result, we aren’t very responsible about it at all—we reuse the same password for multiple accounts (68 percent admitted to doing this), share them (27 percent confessed) and forget them or write them down (77 percent do this). Each one of these entirely relatable workarounds essentially voids any protection offered by the password, and most of us do more than one of these things at a time.
When virtual or physical access is improperly obtained via failed authentication, the resulting security gaps have tangible eﬀects including stolen identities, fraudulent transactions, intellectual property theft, data manipulation, network attacks, and state-sponsored espionage. These consequences have the potential to cost companies millions of dollars, ruin the reputations of individuals and brands, and disrupt the course of business and service delivery. CIO Insight points out that overly simple authentication methods cause consumers to mistrust digital brands. On the flip side, the cumbersome nature of password logins causes many customers to abandon transactions when authentication fails.
The Internet of Things (IoT) Ups the Ante on Authentication
Traditional forms of authentication were never meant for the deeply networked landscape we live and work in today. Let’s be honest, a memorized password was never an elegant solution and human behavior compounds the issues, especially when we need to remember more than one. The ﬁrst passwords were adequate authentication solutions only because the systems they secured were isolated. Unfortunately, the methods we used in the early days of the personal computing revolution persisted and were used as the foundation for authentication in the Internet Age.
As we begin to consider an Internet of Things (IoT) —a vast universe of connected devices—it’s easy to see how passwords are incompatible with the smart objects that will constitute our future networked world. The in-band, centralized nature of passwords requires that users enter credentials (i.e., username and password or token ID) into the requesting application. However, most devices, such as sensors, door locks, and wearables don’t include a mechanism for input, such as a keyboard. This means that authentication must happen out of band. Instead of the user supplying a device with credentials, that device must obtain authorization externally in a decentralized manner.
In the era of the IoT, the stakes are rising. Individuals and organizations have done a poor job to date securing the sensitive data on the systems and computers they have direct access to, let alone the remote and automated systems that constitute the significantly larger IoT. Traditional password security clearly won’t cut it. Even the mechanism for authentication requires updating: most IoT devices don’t have the requisite keyboards or input devices required to utilize the classic password-based authentication we’re used to. Instead, the decentralized nature of the IoT requires a similarly decentralized authentication method capable of securely authenticating a user outside the confines of the remote systems, devices and sensors that makeup the IoT.
Security breaches directly related to stolen passwords and bypassed authentications continually increase in volume, frequency, and sophistication—and the consequences of data breaches are intensifying apace. Further compounding these issues, cybercriminals have learned to leverage data and techniques from past breaches, rendering subsequent attacks stealthier, more widespread, and more damaging.
Passwords are a Faulty Foundation
It’s not just that we use and manage passwords incorrectly, though we have certainly found that we cannot rely on users alone to keep our networks safe. The real problem is that passwords are fundamentally insecure and unsustainable, especially for authentication in the future.
For decades, the primary form of user authentication in networked systems has been the username and password combination. More recently, the concept of two-step verification has become more popular; an additional method of authentication is used on top of the password layer for added assurance and defense. Unfortunately, neither passwords nor alternate authentication built on top of passwords are bulletproof enough for today’s security challenges. Even “strong” passwords can be cracked in a matter of seconds with the right tools, stolen from an unsecured database, or simply left on a sticky note. In a world of highly-organized cybercrime rings, the good guys and bad guys have equal access to security and penetration testing solutions, rendering legitimate attempts to improve password security somewhat futile.
A Better Way to Face the Future
Password-based authentication is no longer capable of meeting the demands of modern security. Passwords are inherently insecure. Their eﬃcacy relies too heavily on end users, developers, system administrators, and applications—all of which are vulnerable to a wide variety of attack vectors currently being exploited by cyber criminals and hacktivists around the world.
Traditional strong authentication methods built on top of passwords do not address the liability and risk of the insecure password layer, and the shared secret architecture of tokens and one-time passwords (OTP) used on top of passwords is cryptographically inferior when compared to their asymmetric counterparts used within modern public-key crypto systems. Such outdated methods are vulnerable to many attack vectors and create a cumbersome experience that users dislike and often avoid. In fact, overly simple authentication is a significant source of consumer mistrust of brands.
Most importantly, none of these methods are compatible with many of the devices and “things” that will require user authentication in the (near) future, but lack the requisite input mechanisms. The ubiquity of smartphones and connectivity combined with emerging biometrics technology provides opportunities to reinvent authentication, bringing control and convenience to our fingertips.
There is overwhelming support for eliminating passwords completely—84 percent of our recent survey respondents say “good riddance”—and widespread willingness to adopt a safer, easier system. We all know what’s at stake and welcome better ways to fight cyber-crime and keep the Internet safe for business, fun, learning and connecting with each other.
The Internet has been ingrained in global culture and commerce to such a profound degree that every day, the risks and impacts created by improper authentication increase. As the Internet of Everything— that is, the millions or billions of devices, sensors, and systems that will connect to the Internet —proliferates all around us, the need for secure authentication becomes exponentially more urgent. A new approach to authentication and authorization is required to face a new generation of security challenges.