With the rapid rate of evolution within technology, why are we still using passwords? Why has password-based authentication remained part of almost every application and system?
The answer lies in the simple, positive attributes of passwords that are not found in other authentication methods.
Even as advancements in device-based and biometric authentication allow us to imagine a world without passwords, a closer look reveals some limitations and gaps that will make it hard to move completely beyond passwords.
The reality is that passwords will be around for the foreseeable future. With that acknowledgment, we can explore why passwords will continue to be used and how we can improve password-based authentication.
Even before the advent of the Internet, the password was the standard authentication method for accessing computer systems. Let’s explore what makes it unique:
When developing any authentication system, cost needs to be part of the equation. Even when it might be deferred to users, cost still matters.
Because the password is nothing more than a piece of information to be kept secret, it has no material cost. Compare this with alternative authentication methods that rely on individuals having access to a relatively expensive piece of technology. This can be a device, where possession itself is the authentication. Or it could be sophisticated sensors that are used for biometric or behavioral patterns detection.
Any authentication factor that requires sensors or hardware is an incremental cost beyond the cost of a password – which is zero. If the organization will have to bear all those costs on behalf of their users, many services will find the investment required to be cost prohibitive.
One solution is to rely on a technology or device that the user already owns, like a smart phone with a fingerprint sensor. However, a social media company that has an economically diverse set of users may not be able to rely on every user owning a smart phone.
This brings us to the next issue of compatibility.
For an authentication solution to be universally effective, it has to work for everyone. Yet there is no authentication standard that will work across all devices, all versions, and all operating systems.
Only the password can be considered a universal authenticator.
If an organization wants to try to increase the compatibility within as many different environments as possible, the costs will increase even further.
Organizations that can’t or don’t make this investment end up excluding some user populations or revert back to the password as a universally compatible solution.
The continuous collection of personal data has made privacy a major concern in our society. When forms of identity, like biometrics, are used to authenticate, it is a privacy risk.
Passwords work for authentication with nothing more than an entirely anonymous string of characters. There is nothing in the password that uniquely identifies the user. Compare that to other authentication methods that use something as personal as a scan of someone’s face.
Consider the example of a social media application used by reporters to share information that is unpopular with the government. Privacy and anonymity may be an essential requirement. In these cases, a facial scan, a phone number associated with a mobile device, or some other form of personally identifiable authentication, are not acceptable.
Many individuals are rightfully concerned about revealing more personal information than is required, especially in light of data breaches.
Should authentication systems require users to reveal biological markers?
Even when the organization handling the authentication process is trusted, many reasonably worry that this type of personally identifying information (PII) could accidentally fall into the wrong hands.
Think about the fate of those affected by the Office of Personnel Management hack, which exposed the records of 20 million government employees, 5.6 million of which included fingerprint files.
Authentication factors that jeopardize the privacy of the user should be optional. The user should be allowed to determine the trade-off of privacy for convenience.
The password is unique in that the input is either exactly correct or not correct at all.
The particular string of characters you input will always produce the same response, a definitive and deterministic response.
By contrast, biometric authentication mechanisms and risk-based data points rely on pattern matching. These systems are based on comparing against a new sample that may not be identical to the original. This is called a probabilistic model.
Examples of probabilistic models include taking a current voice sample, fingerprint, typing pattern, or location reading and computing a response in terms of the likelihood of a match.
The challenge is that the inherent variability of the samples combined with unexpected environmental factors makes them far from exact indicators.
Voice detection can be diminished due to background sound. Fingerprints may not be accurately captured due to a wound or contaminant. Typing patterns may change based on environment. Unusual travel may trip up location patterns. All these situations can produce incorrect results in one direction or the other.
False negative results block authorized users from gaining access, leading to frustration, lost productivity and lost revenue. False positive results are even worse. They allow access when they shouldn’t. Neither is good for business.
One way to increase reliability is to combine multiple authentication factors. By evaluating user, system, and environmental attributes together, the confidence in the guess can be increased.
These multiple dimension approaches are described as risk-based or adaptive authentication systems. These solutions all use passwords as the first factor of authentication.
Setting aside the cost, compatibility and privacy concerns noted above, these risk-based or adaptive authentication approaches are not considered sufficiently reliable without the password factor.
NIST (National Institute of Standards and Technology) specifically refers to risk-based or adaptive authentication, saying in their recent FAQ “These solutions do not currently count as a valid authenticator in and of themselves” and “Until we have a good way to define the requirements to properly execute these approaches, “risk-based” and “adaptive” techniques are considered added controls to digital authentication.”
Part of the reason the password is often included in a multi-factor solution is because it doesn’t suffer the same problem of false negative and false positive results.
Any key that is used for authentication needs to be kept secure. Yet, many of the biometric attributes used for authentication are not secure because they are exposed in every day life. There are data gathering methods and social engineering techniques to obtain nearly any biometric attribute imaginable.
NIST describes the problem of biometrics this way: “Biometric characteristics do not constitute secrets. They can be obtained online or by taking a picture of someone with a camera phone (e.g., facial images) with or without their knowledge, lifted from objects someone touches (e.g., latent fingerprints), or captured with high resolution images (e.g., iris patterns).”
It’s also useful to consider that your fingerprint, voice scan or other biometric data is just data that’s been converted and stored by a computer system that can be breached.
The solution to preventing biometric impersonation is to make devices that can detect the attempt and avoid being fooled. But as we have seen in the news, as soon as a new biometric verification method is devised, cyber-criminals can find a way around it.
Anything used for authentication may at some point need to be replaced because it is lost, stolen or becomes otherwise compromised. This is especially important after a large data breach.
In these cases, replacing an authentication should happen as quickly as possible and not cause the user or the organization a lot of unnecessary effort.
Authentication solutions that rely on a device may require the device to be replaced with the time and costs that implies. However, an authentication system that uses your unique biometric characteristics makes replacement far more difficult. Where do you get a new set of fingerprints?
The password is often chosen for authentication because it is by far the easiest authenticator to replace if compromise is suspected.
Like any security system, the human element introduces weaknesses.
Individuals rarely exceed the very minimum that systems require. Convenience trumps security. With passwords, users are fairly poor at identifying good password practices.
Systems administrators have tried to overcome this problem by creating password policies that encourage “strong passwords” with an assortment of characters.
However, we’ve discovered from the billions of exposed credentials that users follow very predictable patterns. As a result, cybercriminals have created dictionaries built from these patterns and previously compromised passwords, so that they can quickly crack stolen password hashes in offline attacks that run through billions of possibilities every second.
People then reuse their password across multiple websites because it is easy to remember. Knowing this fact, hackers take username and password combinations compromised in one data breach and use credential stuffing attacks to determine other sites where the credentials are valid.
Because the user is the source of the problem, we really can’t expect them to become the solution. Ultimately the result and the blame roll up to the organization. Fortunately, there are several things that the organization can do to improve the outcome.
There is clear evidence that combining multiple and different layers of security provides the best protection overall.
For some, the focus on multi-factor has meant an emphasis on the “what you have” layer in the form of a secondary device that asks you to confirm the authentication is valid.
However, there have been many incidents of failures of 2-factor authentication, and NIST has completely removed two-factor authentication using SMS-based messaging from their recommendations.
The key message to remember is that no single factor alone is impenetrable and that each layer should be secured as much as possible.
In many ways, we’ve failed to move forward from the password security practices that we know are not working.
NIST has created new password guidelines that recognize these weaknesses and put the responsibility on the organization to remove complexity and enforce better practices.
Two solutions can be applied to dramatically harden the password layer:
1. Organizations can screen new passwords and restrict any that are known to be compromised or easy to guess. Once a password is compromised anywhere, it should be considered an unusable key. By eliminating passwords found in cracking dictionaries and enforcing a minimum length of at least 8 characters, users’ passwords will be nearly impossible to crack even if the organization’s database is compromised.
2. Organizations can control access when the username and password combination was previously compromised. When an exact credential set has been exposed in any data breach, any account that uses that credential set can be accessed immediately by whoever holds the breach data, so such logins should be blocked until the password is changed.
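The two controls above, as an added example that is not part of the original article: the first function screens a new password against the minimum length and a compromised-password list, the second checks whether an exact username and password pair is known to be exposed. The compromised list and exposed pairs are constructed sample data; a real deployment would load them from a breach-data feed, and the case-insensitive match on the password list is an assumption.

```python
import hashlib
from typing import Tuple

MIN_LENGTH = 8  # minimum length the article recommends

# Constructed sample data: a few passwords that appear in cracking dictionaries.
COMPROMISED_PASSWORDS = {"password", "123456", "qwerty123", "letmein!"}


def _pair_digest(username: str, password: str) -> str:
    # Digest of the exact credential set so exposed pairs are not stored in clear
    # text; usernames are normalized to lower case, passwords are kept as typed.
    data = f"{username.lower()}:{password}".encode("utf-8")
    return hashlib.sha256(data).hexdigest()


# Constructed sample data: one username:password pair "exposed" in a breach.
EXPOSED_CREDENTIAL_SETS = {_pair_digest("alice", "Summer2019!")}


def screen_new_password(password: str) -> Tuple[bool, str]:
    """Control 1: reject a new password that is too short or known-compromised."""
    if len(password) < MIN_LENGTH:
        return False, "too short"
    # Assumption: compare case-insensitively so "Password" is caught as well.
    if password.lower() in {p.lower() for p in COMPROMISED_PASSWORDS}:
        return False, "found in compromised-password list"
    return True, "ok"


def credential_set_exposed(username: str, password: str) -> bool:
    """Control 2: the exact username+password pair appears in breach data."""
    return _pair_digest(username, password) in EXPOSED_CREDENTIAL_SETS


def login_decision(username: str, password: str) -> str:
    # Action an application takes at login when the submitted pair is correct
    # for the account: an exposed pair is blocked until the user resets it.
    if credential_set_exposed(username, password):
        return "block_and_require_reset"
    return "allow"
```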
These two approaches represent a substantial evolution in password security and can dramatically harden the password against the most common attack methods in use today.
Efforts to educate and change users’ behaviors have been shown to produce limited results. The list of worst passwords is not changing year-over-year and users are starting to get security fatigue.
But the one thing that users should be encouraged to do is use a good password manager. These tools help users with the task of managing multiple passwords, confirming passwords are strong enough, checking against reuse, and even using system generated passwords which are better than the ones they pick for themselves.
Attackers will always find ways to uncover the vulnerabilities in any security system. If alternatives to passwords become a new standard, cybercriminals will have the incentive to shift their focus in that direction.
Despite all the hype around other forms of authentication, passwords remain the most broadly deployed authentication solution. While we can be frustrated with password authentication’s limitations, until a suitable replacement is available, we should be applying all practical measures to improve password security and help it evolve.