By Diederik Perk and Peter Rietveld.
“What I would really love to be able to do is to kill the password dead,” said White House cybersecurity coordinator Michael Daniel recently. A simple and understandable idea from the man often colloquially referred to as the cyber Czar. Enabling that idea, however, is neither simple nor urgent. In fact, while a host of more feasible and relevant security measures are not getting the support they need (the overstretched OpenSSL volunteer developers being one example), the White House sees fit to dwell on the unattainable, at the risk of further undermining public trust.
The shortcomings of current password security are evident, and security specialists have pointed them out for as long as passwords have existed: reuse of the same password across multiple sites, automated password reset systems, and widely available cracking tools. Despite those inherent and irremediable weaknesses, a few fundamental factors explain why passwords are here to stay. In short: the technology, funding and usability of the alternatives fall short, while the gain in security would be minimal.
Integration of Applications
Usability is key for any security measure, and the password has simplicity on its side, not only for the user but also from a technical perspective. Some claim that soft tokens are the answer, because they ease the challenge of having hardware support on every device in use or in production, which is a prerequisite for hardware tokens, smartcards and biometric solutions alike. Ever since IT expanded beyond a single desktop device, building an alternative authentication mechanism has required significant changes in hardware and in the way we organize access, not to mention a variety of back-end technology that is invisible to the end-user but very influential operationally. The only way to keep a user from walking around with 30+ smartcards and hardware tokens, one for every application, is to adopt a Single Sign-On solution.
Left to your own Devices
However, weaving the credentials for numerous web-based apps across multiple devices in multiple trust zones into a unified Single Sign-On ecosystem makes the construction of the Pyramids look easy. And the Pyramids had the benefit of not having to adapt on a day-to-day basis. Furthermore, building Single Sign-On inevitably requires unifying all user identities, and with them the associated topic of authorizations. That problem, in all its complexity, has already eluded our grasp for the past fifteen years, and that was without the current challenges of mobile devices, cloud applications and the Internet of Things lurking just around the corner.
Furthermore, alternative strong authentication mechanisms need to be resilient themselves, which they too often are not. For instance, despite all the innovative security measures in biometrics, every solution to hit the market in significant numbers has been circumvented, as exemplified recently by Apple Touch ID. This is not an exception caused by Apple being rather new to the security industry. Far from it: the pattern and the speed of breaking biometrics are a cause for concern. The overall picture indicates that the added complexity of a strong authentication solution increases the attack surface, which far too often nullifies the projected gains in security.
The Market is a Cruel Mistress
The current vendor space for alternatives to passwords is characterized by its singular focus on the enterprise. This is reflected in the pricing of One Time Password systems, where rates are usually charged per user, at anywhere from $1 to $98 per user per year. In an enterprise environment this kind of pricing may fit the budget, but as soon as customers who log in only occasionally have to be covered, the user counts and the corresponding license fees become prohibitive. Of course the prices would come down with wider adoption. The fact that they have not yet testifies to economies of scale that never got off the ground. And, considering the complexity of the puzzle, it is very unlikely that they ever will.
To its detriment, the information security market is not immune to perverse incentives. New software solutions are designed to ship yesterday, aiming to create consumer lock-in; security may be the stated objective, but in reality it is merely an afterthought. Not much is tailor-made to safeguard consumers' personal data; generally it trickles down from enterprise security or government projects. Without the open-source model the consumer would hardly ever be the primary customer served.
Furthermore, industry giants like Google, Microsoft, Facebook and Apple are finding ways to bind users’ digital identities to their brand. Passport-type accounts offer Single Sign-On, enabling the company to track user data and control the network of web servers behind it. Retiring the password-based infrastructure would jeopardize their grip on this entrenched market segment. The major vendors are already extending their control over user identities into the emerging field of the Security of Things, ranging from cars to air-conditioning and coffee machines. Regrettably, when this market is faced with liabilities, it tends to dump its residual risk onto the end-user.
The More Things Change…
Looking at the attack vectors the bad guys actually use shows that passwords are far from the most frequently exploited weak spot. The Verizon 2014 DBIR clearly shows that although weak passwords play their part, the majority of breaches are related to malware and technical flaws in web applications. Replacing the password with a stronger mechanism will do little to stop the most common attacks that cause the most damage.
Considering that getting rid of passwords means a massive effort coupled with enormous investments across the board, for at best a marginal gain in security and usability, it will never happen. The realistic path is to promote strong and dynamic authentication where it is feasible, and elsewhere to focus on what is possible in combating existing flaws and weaknesses. Keeping up with new technology is in itself already overstretching the capacity and capabilities of the cyber security industry, an issue already portrayed as a major threat to US security in its own right.
The lifecycle of the password will outlive the reign of the cyber czar, and indeed all of us and the companies that employ us. Those companies do, however, have the option to introduce some defensive depth, locally or in a consortium. Innovating, hardening and enforcing policy, collectively, should be the mantra. That is where governmental agencies should find their place: promoting, supporting and aligning security nationally and internationally. In short, it would be welcome if the White House stopped chasing shadows and contributed to information security’s common objectives, once it deciphers the writing on the wall.
This article was originally published by InfoSec Institute.