We Need to Stop Killing Passwords

Conference season is in full force and, no surprise, prognostications about the death of passwords abound along with it. Security professionals and marketing gurus alike share a passion for talking about a future without passwords. And who can blame them?

Since 2004, when Bill Gates predicted the demise of passwords at an RSA Security conference, the chants and prayers for passwords to die seem to have grown louder and more desperate each year. The reality is that passwords have not only exploded in popularity and practicality, but their use is expected to grow from 90 billion to more than 300 billion by 2020, according to a research report from Cybersecurity Ventures and Thycotic. Furthermore, research conducted by the popular password manager Dashlane found that the number of passwords we use doubles every 5 years.

In the ongoing saga of passwords, two dominant views get airtime, on stage and online from journalists: passwords must be killed, and passwords are one of many signals for calculating an authentication claim.

Be gone ye password!

Kuppinger Cole’s Consumer Identity World event, held each year in Seattle, Washington, is a great time to hear from leading thinkers on the future of authentication. Last week at CIW, Manini Roy, a Program Manager on the Cloud Authentication Team in Microsoft Azure AD, shared updates on Microsoft’s progress toward ridding the world of passwords. In the opening to her talk, she made it clear that hackers love passwords; if hackers love passwords for hacking, her argument follows, then we as security professionals should hate them. Roy continued by sharing details of Microsoft’s journey to a password-less future, from replacing passwords with easier device-centric PINs and bio-gestures to Microsoft’s new facial recognition technology, Windows 10 Hello, which would allow users to log into Windows and web-based accounts using a facial recognition scan.

Not surprisingly, the challenges to going password-less that Roy shared include the need to support legacy applications that use passwords, the difficulty of initial bootstrapping, and those gnarly recovery scenarios. If a user’s device doesn’t support Windows 10 Hello, or a user has forgotten his or her PIN or lost the authentication device, account recovery becomes a painful process that inevitably falls back to a user-provided password. If fallback and account recovery require passwords, then the password-less future is, well, not.

In line with Microsoft, Apple developed Face ID, a feature that allows iPhone users to unlock their phones using facial scans. It is a convenient, password-less experience that provides frictionless access to the device. The flip side of that coin is its potential for abuse. Just this week, it was reported that the FBI forced a suspect to unlock his iPhone X with his face using Face ID. This is just one of many incidents to come in which a biometric security feature, used against the will of its rightful owner, can potentially breach one’s Fifth Amendment rights.

With biometric authentication, lingering password dependencies and yet-to-be-seen legal and ethical issues around its use present a significant hurdle for techno-enthusiasts like Roy who wish to rid the planet of passwords.

Modern Consumer Authentication a “Game of Signals”

Also at Consumer Identity World, Rajiv Dholakia, VP of Product at Nok Nok Labs, argued during his presentation that “authentication is sharing of signals and performing calculations on those signals.” Strong authentication today looks at a broad range of signals (e.g., the IP blacklist, location, device integrity) and the access decision is then made in the subsequent calculation. Dholakia adds, “if you can do that without compromising the user’s privacy that’s all the better.”

As a founding member of the FIDO Alliance, and a developer of products based on the FIDO Alliance’s work, Nok Nok Labs has the vision to develop the standards and protocols that would allow the use of ANY method of authentication and provide higher levels of assurance when and where it is needed. In a world where passwords are but one signal, I never got a sense that they had to be “killed” for the future of consumer authentication to be successful.

“The future of consumer authentication is a function of three things: the experience you want to deliver, the risks you’re willing to accept and the economics you’re willing to live with.” Rajiv Dholakia

In other words, you wouldn’t use weak signals such as passwords [alone] to protect your bank account or medical records, yet sadly many organizations do.

Process, Not Passwords

The future of authentication is not password-less; we don’t have to kill off passwords to have safer online experiences. We need not focus on eliminating the weak signals, but instead on authentication workflows (or calculations, as Dholakia puts it) that use stronger signals to deliver better user experiences and higher assurance levels for enabling the business. Weak and compromised credentials are easily identifiable by checking them against breach corpora through threat intelligence services, which also satisfies the NIST SP 800-63B guidance on Authentication and Lifecycle Management.
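As an added illustration of the two ideas above, Dholakia’s “signals and calculations” model and the NIST SP 800-63B breach-corpus check, here is a small risk-based login decision in Python. It is example code written for this post, not Microsoft’s, Nok Nok Labs’ or any vendor’s implementation; the breach corpus, IP blacklist, signal weights and thresholds are all constructed, and a real deployment would query a threat intelligence service rather than a hard-coded set.

```python
import hashlib
from dataclasses import dataclass

# Constructed breach corpus: SHA-1 digests of passwords seen in (hypothetical)
# public breach dumps. Storing digests rather than plaintext is the usual form.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest() for p in ("password", "123456", "qwerty")
}
# Constructed IP blacklist signal (documentation range, not a real indicator).
IP_BLACKLIST = {"198.51.100.7"}

@dataclass
class LoginSignals:
    password: str
    client_ip: str
    device_known: bool    # device previously enrolled and passed integrity check
    usual_country: bool   # geolocation matches the account's history
    resource_tier: str    # "low" or "high" (bank balance, medical records, ...)

def password_is_breached(password: str) -> bool:
    """NIST SP 800-63B style check: is this secret in a known breach corpus?"""
    return hashlib.sha1(password.encode()).hexdigest() in BREACHED_SHA1

def risk_score(s: LoginSignals) -> int:
    """Combine the signals into one number; higher means riskier.
    Weights are illustrative assumptions, not a published scheme."""
    score = 0
    if password_is_breached(s.password):
        score += 50   # the password signal itself is compromised
    if s.client_ip in IP_BLACKLIST:
        score += 40
    if not s.device_known:
        score += 20
    if not s.usual_country:
        score += 15
    return score

def decide(s: LoginSignals) -> str:
    """The 'calculation': return 'allow', 'step_up' (demand a stronger
    factor before granting access) or 'deny'."""
    score = risk_score(s)
    if score >= 70:
        return "deny"
    # A password alone never unlocks high-value data, whatever the score.
    if s.resource_tier == "high" or score >= 20:
        return "step_up"
    return "allow"
```

A breached password on an otherwise familiar device is not rejected outright here but forces a stronger factor; once a second risky signal appears, the same password is no longer enough for any outcome but denial.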

We live in a world where IT managers and business leaders are constantly seeking ways to minimize risk wherever possible, which can stifle creativity. I posit that we need a mindset and a process for navigating risk: steering clear of danger with threat intelligence integrated into identity and access management systems, while making authentication smarter and better equipped to stop preventable breaches.

To borrow from evolutionary biology, passwords may very well go the way of the appendix. However, as an industry, we would not know how to kill off passwords if our lives depended on it. Yet, our social and fiduciary responsibility requires us all to continue to manage passwords to the best of our ability until we no longer need to. Unfortunately, that day has not yet come.