A good question indeed

Mark Dixon responds to this Dave Kearns article comparing passwords to buggy whips by posing a very good question:

The big question is, “Replace username/password with what?”

I personally like the use of secure certificates, as illustrated in Henry Story’s use of certificates in his demonstration iPhone app I blogged about recently. However, the mechanism for distributing, installing and managing such credentials for ordinary computer users seems like a daunting task. I also personally like the Information Card concept, at least for the conceptual metaphor it uses. But that isn’t a raging success and this technique is certainly burdened by its own challenges.

This is a question that is not asked enough, much less sufficiently answered. All of the competing approaches suffer from drawbacks that make them less acceptable in many cases.

Like Mark, I also think highly of certificates as the solution. But there are significant lifecycle deployment issues that are too daunting for most users. There is also another issue that does not get enough attention: physical security. When using a certificate you are really dependent on the physical security of the container holding the private key. If it’s a smart phone in your possession, great. If it’s a laptop in your possession, also great. If it’s a beige box sitting unsecured in your cubicle while you are at lunch, not so great.

Information Cards are a good solution, but also suffer from the same physical security issues. Of course the card can be PIN protected, but a PIN is really just another password (albeit a local one), and now you get into some of the same issues as with passwords, for example the PIN for less frequently used cards written on a yellow sticky note attached to the monitor.

Biometrics is a hot area of research now. It seems every week some new breakthrough in earlobe recognition or some other phrenological magic is announced. But as of yet there are just too many problems with biometrics to displace passwords.

If cost is no issue, OTP devices are a great way to go. But cost is always an issue.

Password authentication is like an impressionistic painting. The farther you move away from it, the better it starts to look.


6 responses to “A good question indeed”

  1. You stated that there are just too many problems with biometrics to displace passwords. Can you elaborate on what those problems may be?

    A biometric, say a fingerprint, is actually just a very, very long password (e.g., strong) that you don’t need to remember. The unique characteristics of your finger, iris, retina, face, vein pattern, voice, etc. etc. are converted into a mathematical representation which is this very long password.

    The challenge is only that you never present that very same password exactly the same each time. But that problem can be addressed many different ways.

    As you point out cost is an issue. The only other real issue I am aware of is lack of “input devices” or fingerprint readers. Another cost problem only.

  2. The most common type of biometric out there is fingerprint readers. These suffer from the lack of input devices as you say, but they also suffer from vulnerabilities in replay attacks. Some readers may be better than others, but there have been too many reported ways to spoof readers once you have a copy of the fingerprint (which can often be obtained from the reader itself).

    Also there have been a lot of reported reliability issues where the readers just won’t recognize the registered user. The only fingerprint reader I use personally is the one at the Disney World gate. As a passholder I have to authenticate via my fingerprint and I can tell you there are a lot of times it doesn’t work for a couple of tries.

    Perhaps we will have better luck with some of the other methods. But so far fingerprint readers don’t seem to be catching on outside of some highly secure environments.

  3. Oh boy, where to start on this one…
    – Certs not only have the physical storage issue you mention, but are often touted as ‘strong’ — of course, only as strong as the password used to retrieve them and that password’s management by the user.
    – Information cards aren’t just authentication mechanisms, they are our privacy protectors. We can choose the card, we can choose the attributes to share, we can choose the IdP. This is a big plus and once the killer use case comes along, information card adoption should take off.
    – Low-cost strong authentication options include things like SMS-access-code-to-mobile-phone and scratch or grid cards. Both can scale to millions of users for well under $10/user per year.
    – Biometrics have the benefit of unique identification – and the drawback of unique identification. Because they are so solid, they are also high-value targets for hackers. And once compromised they are useless — Google ‘interior minister fingerprint’ to see what I mean.

    While there is no one perfect solution to all use cases, the privacy protection capabilities of information cards, combined with mobile phone SMS for 2 factor, have lots of appeal. Clearly understanding the requirements is the key to selecting authentication solutions.


  4. Mike makes a lot of good points. I did neglect to mention out-of-band authentication like SMS. These are intriguing because they are low cost. Unfortunately there are environments where there simply isn’t reliable cell phone coverage, like my last office for instance. A backup authentication mechanism is a must when using SMS codes as a 2nd factor.

    You do make a good point that the requirements are key. There is no one size fits all solution for authentication.

  5. Thanks for clarifying. Yes there are challenges with readers. A contact reader such as the majority of fingerprint readers today suffers from wear and tear. Especially when in high traffic situations like Disney’s gate, or immigration at the airport, grocery stores like the now Chapter 7 Pay-by-Touch, or the desert in Iraq. An application to log onto your computer however doesn’t have the same volume and doesn’t suffer as much, but without maintenance its performance will get worse.

    I’m not so sure I buy lifting a latent off of the reader as a way to spoof it. I’ve heard claims it is possible but only when it was touched once and by the same person (overlay two of your own prints and suddenly it doesn’t look like your print, let alone yours and someone else’s).

    In theory you could get someone’s fingerprint elsewhere – like off the print from the German minister – and I agree with Mike that it becomes a high value target. But that only assumes that what you are protecting by using biometrics for access control is worth the effort of getting to it AND that you are using ONLY a single fingerprint without some other factor, which isn’t really the way these things are fielded.

    Biometrics should be considered an alternative but not the answer. The answer to Mark’s question in the end will come down to a range of choices depending on the application vs a single technology.

    I guess in the end I am agreeing with your point that things are moving fast for biometrics but it has issues. I certainly agree with the former, but since things are moving so fast I’m not ready to agree with the latter and throw the baby out with the bath water. Biometrics should and will have its place, but the question is how big and will it ever break away from the high security access control applications.


  6. Please don’t interpret my comments as a repudiation of biometrics (or other authn technologies in general). I was addressing the issue of replacing passwords completely for authentication.

    I agree, don’t throw the baby out with the bath water. But we may have to let the baby grow a bit first.
