Can strong authentication replace passwords?
I recently found one of my personal username/password combinations in one of those published hacked password lists. My twitter account was the main casualty. I logged in one day and wondered: “Why am I following these 500 people who have nothing interesting to say? When did I change my name and become a beautiful woman?”
The fact is, if you have a password on a web app, you can’t protect it. If Twitter gets hacked, it gets hacked, and your info is vulnerable. In my work with Enterprise Identity software, I’ve been saying “Kill the Password!” for a while. It just makes no sense to have that single point of failure for any account. So I thought—okay, can I get rid of my own personal passwords?
Executive Summary: No, I can't.
Our company has moved us off of passwords, so all my work resources are using two-factor authentication. It’s more secure and easy to set up. Easy for a company. But for me?
Trying to eliminate passwords from all my external accounts was a different kind of fun. Most of these are online (online, web, what most people would consider "cloud") or mobile apps. A few are fat client apps for Windows. Luckily, I use a password manager, so it's easy for me to get a list of all these accounts—295 in total for me.
Sound like a lot? It isn't really. About 30 of those are for public wifi or other one-time uses, but the rest are actual accounts. You'd probably be surprised just how many you have floating out there. All the more reason to get past passwords, right? You currently have hundreds of get-able passwords out there.
Starting with the major accounts, I tried to convert each one to a password alternative or strong authentication. Doing this, I found a few facts about the state of the password. Some are disturbing.
- Every application out there primarily relies on passwords
- Many still have silly password restrictions (14 characters max, no punctuation, etc.)
- Almost none allow you to implement an expiration timeframe on your passwords
- Although the password strength meter is ubiquitous, most apps don't require strong passwords
Basically, you're stuck with passwords and there's not much of an infrastructure for making them stronger or safer.
Only a few apps out of my 265 support multi-factor authentication. If it's a Google app, it probably supports Google Authenticator—but no guarantee. And little to no chance you can put in other factors. I use smartphone push (Symantec VIP, PingID, etc.) and One Time Passwords, Yubikeys, FIDO devices, USB-stored certificates and smartcards routinely in my job and have a solid variety of "factors" I can use for multi-factor authentication.
Here's what the process of replacing passwords looked like.
It was common for the apps to require registration of the device I was using. I was also usually able to specify the information to register with. So if someone had my password and used it from a remote workstation in Belarus, the app would require them to register the device.
But here's the thing: the baddie gets to choose the email address or cell phone to which the registration code is sent. So, really, nothing is keeping them out.
The register-your-device countermeasure really sums up the "good old warm-fuzzy security" that exists in most apps rather than the effective security we need. This, more than anything, sums up where we are with passwords today.
I did find that there are a lot of apps where you can require a second factor in the form of an OTP code for each login. Unfortunately, this code doesn't come from one of those factors I already have, but is just delivered to me after a successful username/password authentication. And yes, once again, it's sent to the phone or email of my choosing.
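As an added example (not code from the original post), here is a small model of the two device-registration designs described above, which also covers the OTP-by-chosen-channel case: the weak design lets whoever presents the password name where the code is sent, while the hardened design only delivers to a contact that was verified on the account beforehand. The contact addresses, device ids and password are constructed placeholders.

```python
import hmac
import secrets

# Constructed sample contact for the account owner (placeholder, not from the post).
OWNER_CONTACT = "owner@example.com"


class Account:
    def __init__(self, password, verified_contacts):
        self.password = password                    # would be a hash in a real system
        self.verified_contacts = set(verified_contacts)
        self.pending = {}                           # device_id -> registration code
        self.registered_devices = set()


def request_code(account, password, device_id, contact, outbox, *, strict):
    """Start registering a device. `outbox` stands in for the mail/SMS gateway
    and records which contact received the code. strict=False is the weak
    design the post describes: the requester picks the destination. strict=True
    only sends to a contact already verified on the account."""
    if not hmac.compare_digest(password, account.password):
        return False
    if strict and contact not in account.verified_contacts:
        return False
    code = secrets.token_hex(3)
    account.pending[device_id] = code
    outbox[contact] = code
    return True


def confirm_code(account, device_id, code):
    """Finish registration; a code is single-use and bound to its device id."""
    expected = account.pending.get(device_id)
    if expected is None or not hmac.compare_digest(code, expected):
        return False
    del account.pending[device_id]
    account.registered_devices.add(device_id)
    return True


def stolen_password_holder_succeeds(strict):
    """Someone who knows the password but can only read their own mailbox.
    Returns True if they still end up with a registered device."""
    account = Account("hunter2", [OWNER_CONTACT])
    outbox = {}
    their_contact = "someone-else@example.net"      # constructed placeholder
    if not request_code(account, "hunter2", "laptop-1", their_contact, outbox, strict=strict):
        return False
    code = outbox.get(their_contact)
    return code is not None and confirm_code(account, "laptop-1", code)
```

With `strict=False` the registration step adds nothing to the password; with `strict=True` the code only ever reaches the owner's own mailbox or phone, which is the property the "register your device" prompt is supposed to provide.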
In summary—there is pretty much no two-factor / strong authentication / password alternative out there yet. Not for personal accounts, not for public-use accounts. The idea of Bring Your Own Identity, which is such an effective and powerful tool in business, is nowhere near ripe yet in the consumer market. And honestly, most apps are unlikely to support it when it does ripen. And so the password lives on, fitting right in with the ongoing popularity of zombie movies. IT JUST WON'T DIE!
I'm really hoping that the new technologies and the interoperability that the FIDO Alliance is working on can change this by establishing a standard for authentication on the backend and a cheap user method on the front end. And once it's an inexpensive interoperable standard, more vendors will hopefully adopt it and implement it.
Until then, your best bet is to use some sort of password manager that can rotate passwords automatically for you while keeping them all different. And don't forget to monitor all of those accounts—someone may have stolen your Twitter.