Are passwords really passé?

Future proofing anything is a monumental challenge in the IT world these days. Identification and authentication are areas that are especially problematic. For every password protocol or biometric innovation, there’s a very real threat of counterattack.

The digital identity world is coming out with all sorts of innovations; some are viable, some border on the bizarre. Selfies, heart rates, fingerprints, walking gaits, ear cavities, voice, tattoos and jewellery are all being thrown into the authentication mix.

Chris Mathers, CHRISMATHERS Inc., photo courtesy of Urszula Korzak, photographer
Chris Mathers, CHRISMATHERS Inc., photo courtesy of Urszula Korzak, photographer

While many have yet to see the light of day, Chris Mathers, of CHRISMATHERS Inc., an international crime and risk consulting and investigation firm, said “The truth is the world will be completely different when it comes to identification. Ultimately, passwords will disappear as digitization continues to happen all around us. The big question in all this is: how much privacy are consumers willing to give up for convenience, security and social interaction? Everyone will have to answer that at some point.”

In actual fact, despite people’s protests, it’s already happening on a grand scale whether they are aware of it or not. Individuals can be tracked by their phones or where they conducted a transaction or through plenty of other activities. “I don’t think anyone really realizes how sophisticated digital identity has become at this moment,” Mathers said.

At the heart of ID innovation today is biometrics, which is quickly becoming entrenched where the highest level of security are needed; or in some cases, as a competitive differentiator on the consumer side. Fingerprints and retina scans are commonplace in a number of environments, while face recognition is becoming increasingly sophisticated as an added security measure. “With the advent of biometrics, the future is here. It will all be about multi-factor authentication,” Mathers said.

However, we have already reached a stage where even a fingerprint or retina scan on their own will not be enough to secure facilities or sensitive data. A case in point is an incident at a recent convention Mathers attended, where a person hacked an iPhone using dental putty that had been squeezed on a person’s fingerprint. “He could use the putty to open the iPhone. That makes a strong case for multi-factor authentication. You can no longer rely on fingerprint mapping without three or four other identifiers to support it.”

Over time IT systems and devices will integrate multiple security features which won’t necessarily require pin numbers or passwords. For example, it won’t be long before a bank machine will be able to identify a user using a combination of tools, ranging from facial recognition to iris scans and fingerprints, Mathers said. “There is technology today that can scan an iris and/or fingerprints from 20 feet away. It may also measure your gait and run facial recognition software. By the time a person gets to the bank machine, the system will have already confirmed three or four factors.”

In the meantime…

Colin Wallis, executive director, Kantara Initiative
Colin Wallis, executive director, Kantara Initiative

While complete biometric integration may be the stuff of the future, there is the here and now to consider. Colin Wallis, executive director, Kantara Initiative Inc., a global community of IT leaders focused on providing strategic vision and elements for the digital identity transformation, believes the password will continue to play a role for at least three to four years down the road if not longer. “The notion of passwords has been around IT for the last two decades. In fact it predates the Internet, mobile phones and new technologies as a means of identifying and authenticating people.”

The problem is that IT is carrying on a very old process into a new era, he added. “It’s a bit like driving a 1970s Datsun in 2016. You can still stay on the road; the indicators and lights will still work; but the experience is very different from a modern car with reversing sensors and automated features that turns lights on and tells you when things are going wrong.”

As the world undergoes the digital transformation, IT needs to be focused on strengthening identification and authentication as we know it today. Organizations are rapidly trying to catch up to replace the password with something more fit for purpose, Wallis noted. “The problem is the area is expanding and the developments coming at such a rate, it’s hard to keep up. Every time you look up, the tools have gone so much further; and no one development gets global market traction.”

Social media has been a major driver behind the need for enhancing identification processes, as efforts in that corner to date have been “pretty light” and unable to keep IT environments completely safe and secure, Wallis said. “That [social] has driven a lot of fraud activity. If we don’t fix this now, the digital economy of the future will be at risk.”

One of the most promising developments on this front is a move from the tried and true XML-based protocols. XML codes used in the identity space are quite ‘flowery’ and not suited for mobile devices, Wallis said. The authorization piece is XACML (eXtensible Access Control Markup Language) which controls policy language and access implemented in XML.

In this transition, XML is being replaced by the lesser known JavaScript Object Notation (JSON) which is much lighter and easier to develop. “JSON runs on top of the OAuth authentication protocol, thus allowing developers a quicker way to develop authenticate features for mobile devices. Social media is now becoming really good at adopting JSON with OAuth,” Wallis said.

As digital transformation continues, the jury is definitely out on whether the password will be retired any time soon, he concluded. “There have been so many attempts to kill the password, as it’s too weak and vulnerable to brute force attacks. Having said that, it’s taken an awfully long time for the password’s demise to become a reality. I think we have a number of years before it finally dies.”

 

 

 

LEAVE A REPLY