Grace Information Management Blog

Let’s face it, we all hate them. Passwords have become the bane of our modern existence.

With so many devices, programs and social platforms that need passwords, most people inevitably end up reusing versions of the same ones, typing them into a spreadsheet or, worse, leaving scraps of paper around the house just to remember them.

Even when you think you’ve discovered a foolproof method for remembering your passwords, the constant security breaches at major companies such as Sony and Yahoo continue to leave you and your company vulnerable to identity theft and fraud.

Over the next three weeks, Grace Information Management will publish articles exploring the future of passwords and how to best protect ourselves from security breaches.

For many years now, technology experts have been working on more effective ways to increase online security, including facial recognition and fingerprint identification. While great in theory, none of these technologies has made its way into mainstream society.

To date, the best advancement in password protection comes in the form of two-step or multi-factor authentication.

Two-step verification requires the use of two of the three identifying factors. These factors are:

  • Something the user knows (e.g., password, PIN, pattern);
  • Something the user has (e.g., mobile phone, ATM card, smart card); and
  • Something the user is (e.g., biometric characteristic, such as a fingerprint).

According to Geoff Duncan of the online consumer magazine Digital Trends, Google’s two-step verification is perhaps the best-known multi-factor authentication system, requiring a password (something you know) and your phone (something you have). When a user logs in, Google sends a one-time verification code via SMS to the phone registered with the account.

However, in February a number of leading Internet companies, system integrators and security providers came together to launch the Fast Identity Online Alliance (FIDO). Supported by well-known companies such as PayPal and Lenovo, the FIDO standard will support a full range of technologies, including biometrics such as fingerprint scanners, voice and facial recognition, and tokens.

Under the proposed protocol, a small piece of code definitively identifies the user by the device he or she is using, lists the methods of authentication that might be available, and advises which method would be the most secure.

A FIDO server then enrols the user and issues a symmetric key, placing one half of the key on the end user’s device and the other half on the destination server. The end user’s half of the key can be unlocked by whichever authentication tool the device has, including fingerprint sensors, facial recognition, or the Trusted Platform Module (TPM) chips found in most PCs.

Yet as Duncan points out, while multi-factor authentication systems do provide better security than passwords alone, they can also create hassles.

“A lost or broken phone set up for Google’s two-step verification can lead to a days-long account recovery process,” says Duncan.

“With FIDO, a lost or damaged device will mean jumping through hoops to get another device authorised.”

In addition, even with the best multi-factor authentication there must always be a way for users who have forgotten or lost their passwords to regain access, and that recovery path once again leaves the user vulnerable. This was seen last week when a flaw was discovered in Apple ID that enabled hackers to reset passwords without authorization as long as they knew the account holder’s email address and birthday.

While two-step and multi-factor authentication are making advances in online security, the password still remains a vital piece of the puzzle, at least for now.

Next week, Grace Information Management will look at what technologies are in the pipeline to replace the password.