© The Financial Times Ltd 2015 FT and 'Financial Times' are trademarks of The Financial Times Ltd.
June 27, 2014 1:41 pm
Companies and consumers are risking their most sensitive information online by relying on an authentication method that dates back at least as far as the Romans.
Simple passwords such as “123456” and “password”, often used repeatedly on several sites across the internet, are still the most popular way to protect the data we entrust to online banks, ecommerce companies and email providers.
But technology companies, fed up with this glaring hole in internet security, are now creating alternatives: biometric logins, USB “keys” for computers and password management systems.
Sebastien Taveau, chief evangelist at the biometric division of Silicon Valley-based Synaptics, said the system has been “broken” for some time. Recent cyber security breaches such as the theft of encrypted passwords at eBay, the online marketplace, are only the latest in a long line of attacks.
“For the past 2,000 years we have been authenticating the same way. If you’re wearing the right uniform and have the right password, you can go into the fortress,” he said.
Biometrics
For:
– You cannot forget your fingers, eyes or face
– It is difficult for other people to pretend to be you
– Often quick and convenient
Against:
– Requires the device, app or website to be capable of handling biometric data
– Biometric data could be difficult to replace if stolen
– Fingerprint readers and voice recognition do not work well for some people
Synaptics is part of the Fast Identity Online alliance, known as FIDO, which is developing open standards for authenticating users with the rapidly increasing number of devices we own.
As we increasingly live online, the number of times we need to log in to different apps will only rise, making it ever harder to use a different password for each site.
Jamie Cowper, senior director of marketing and business development at Nok Nok Labs, another FIDO member start-up, said people reusing passwords was one of the biggest problems.
“No matter how good one site’s security might be, if the other site someone is using has awful security, everyone is compromised,” he said. Nok Nok Labs builds infrastructure to allow companies to authenticate users.
“The guys who are stealing the data will run it against common banking platforms, ecommerce platforms, so if you aren’t secure and have a database of 100m or 200m passwords, you’re a very attractive proposition.”
USB keys
For:
– As simple as using a USB drive
– Credentials are stored on a device that is not connected to the internet
– Can be used as part of two-factor authentication
Against:
– Like real keys, you have to remember to carry it
– If you lose it, you need back-up codes to log in to your accounts
This, like the overall rise in cyber crime, is fuelled by an underground market where criminals buy and sell stolen passwords and tools such as bots, which rapidly try those stolen credentials against many websites at once.
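The bot activity described above is what defenders call credential stuffing, and it has a recognisable shape in authentication logs: one source tries many different accounts, most attempts fail, and the few that succeed are exactly the accounts whose owners reused a leaked password. The following detector is an example added for this article, not code from any company named in it; the log format, the thresholds and the sample lines are constructed assumptions.

```python
"""Spotting credential stuffing in authentication logs.

Credential stuffing replays leaked username/password pairs, one attempt per
account, from a small set of sources.  Per-account lockouts miss it because
no single account sees many failures; the signal is one source trying many
distinct accounts with a high failure rate in a short window, and the
occasional success inside that burst is the account that was actually reused.

Example code added for this article, not from any vendor named in it; the log
format, thresholds and sample lines below are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: one stuffing source (203.0.113.7), one user who mistyped
# her password twice (198.51.100.20) and an office NAT with five happy users.
SAMPLE_LOG = """\
2014-06-27T13:41:00Z ip=203.0.113.7 user=alice result=FAIL
2014-06-27T13:41:01Z ip=198.51.100.20 user=grace result=FAIL
2014-06-27T13:41:02Z ip=203.0.113.7 user=bob result=FAIL
2014-06-27T13:41:03Z ip=192.0.2.9 user=heidi result=OK
2014-06-27T13:41:04Z ip=203.0.113.7 user=carol result=FAIL
2014-06-27T13:41:05Z ip=192.0.2.9 user=ivan result=OK
2014-06-27T13:41:06Z ip=203.0.113.7 user=dave result=FAIL
2014-06-27T13:41:07Z ip=198.51.100.20 user=grace result=FAIL
2014-06-27T13:41:08Z ip=203.0.113.7 user=erin result=FAIL
2014-06-27T13:41:09Z ip=192.0.2.9 user=judy result=OK
2014-06-27T13:41:10Z ip=203.0.113.7 user=frank result=OK
2014-06-27T13:41:11Z ip=192.0.2.9 user=ken result=OK
2014-06-27T13:41:12Z ip=198.51.100.20 user=grace result=OK
2014-06-27T13:41:13Z ip=192.0.2.9 user=lucy result=OK
""".splitlines()

def parse_line(line):
    """Return (timestamp, ip, user, success) or None for an unparseable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["ip"], m["user"], m["result"] == "OK"

def detect_stuffing(lines, window=timedelta(seconds=60), min_users=5, min_fail_ratio=0.8):
    """Return {ip: (distinct_users, attempts, failures)} for every source that,
    within some sliding `window`, tried at least `min_users` distinct accounts
    and failed at least `min_fail_ratio` of those attempts."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, ip, user, ok = parsed
            events[ip].append((ts, user, ok))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {u for _, u, _ in win}
            failures = sum(1 for _, _, ok in win if not ok)
            if len(users) >= min_users and failures / len(win) >= min_fail_ratio:
                # Keep the widest qualifying window seen for this source.
                if ip not in flagged or len(users) > flagged[ip][0]:
                    flagged[ip] = (len(users), len(win), failures)
    return flagged

def compromised_accounts(lines, **kwargs):
    """Accounts that logged in successfully from a flagged source: these are the
    reused passwords that worked and should be reset first."""
    bad_ips = detect_stuffing(lines, **kwargs)
    hits = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[1] in bad_ips and parsed[3]:
            hits.add(parsed[2])
    return hits

if __name__ == "__main__":
    for ip, (users, attempts, failures) in detect_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {users} accounts, {failures}/{attempts} failed")
    print("reset:", sorted(compromised_accounts(SAMPLE_LOG)))
```

The office NAT address tries five accounts too, which is why the failure ratio is part of the rule: many distinct users from one address is normal behind shared egress, many distinct users who all fail is not. The single success buried in the attacker's burst (frank) is the account to reset, and the reason the article's sources keep returning to password reuse.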
But many have different ideas about what should replace the password for the user.
For Mr Taveau, the answer is simply biometrics. “I don’t need to learn where is my finger, [or] how do I use my voice for voice recognition. If it is facial recognition, I know I probably need to put my face in front of something,” he said. “When you leave your home, you may forget your wallet, you may forget your phone but you rarely forget yourself.”
Samsung, also a member of the FIDO alliance, adopted Synaptics’ fingerprint identity system in its latest Galaxy smartphone, the S5. It followed rival Apple, which put a fingerprint sensor in its iPhone 5s, released last autumn.
However, not everyone is as enthusiastic about biometrics. Some have had trouble with the technology reading their fingerprints or recognising their voice, and others worry that if cyber criminals steal a database full of biometric data, people can’t rush to change their fingers and face.
Two-factor authentication (codes by text message or authenticator app)
For:
– You only have to remember your password and carry the device, or have the authenticator app on your phone
– You receive a code almost instantly
Against:
– In some rare instances researchers have shown that authentication apps can be hacked
– If you do not have the device or your phone, you have to remember to carry back-up codes
Stina Ehrensvard, chief executive and founder of Yubico, another Silicon Valley company trying to eradicate the password, said: “I think there are actually some good benefits with passwords that people often forget. It is revocable. If biometric is hacked, compromised – what will you do?”
Yubico sells YubiKeys, key-shaped USB devices that a computer sees as a keyboard. The user plugs the key into whatever computer they are using, touches it, and it types a string of 44 characters, as long and random-looking as the passwords everyone is told to use but few can remember. Unlike a password, each string is a one-time code generated from a secret and a counter inside the key, so a code that is captured cannot be replayed. The company is also working on a more advanced version based on the FIDO alliance’s public-key standard, in which the key signs a challenge from the website instead of typing a code.
Ms Ehrensvard claims the security is “better than that used by the military” and says the keys were first adopted by cyber security experts when she founded the company in 2007. She hopes they will one day be widely available.
She said that when governments realise how serious a problem poor online security can be, they will start to regulate to ensure people use devices such as YubiKeys. “In the early days in cars we had no seat belts and people died like flies,” she said. “We love the internet, we love the freedom and the speed but we have no seat belts.”
Breathing new life into passwords
While companies rush to experiment with using everything from eyes to keys to replace passwords, some are sticking to just managing passwords better.
Password managers such as LastPass and Sticky Password have millions of users who are concerned about security, but equally concerned about their ability to remember dozens of code words.
Joe Siegrist, chief executive and founder of LastPass, started the Virginia-based company in 2008 when he became worried it was not “reasonable” to expect people to come up with different, sufficiently complex passwords for each site.
At the time, few companies were trying to solve the password problem, even though it affected corporations as well as consumers. LastPass now has 5m users, including 6,000 businesses.
“It is just now I’d say people are realising reusing passwords is like reusing the same key for the same lock. A lock that can be unlocked anywhere in the world and a key which can be copied in an instant,” he said.
The application sits in the user’s browser, remembering their usernames and generating a new complex password for each site. The vault is encrypted on the device with a key derived from the user’s master password, so the passwords are never shared with the company, not even in encrypted form that LastPass could unlock. The user just remembers their LastPass password. The service is free to consumers on the desktop, or $12 a year to use on mobile, and $24 a year per employee for businesses.
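The architecture in the previous paragraph, random per-site passwords and a vault that is encrypted before it leaves the device, is shown in the example below. It is added for this article and is not LastPass or Sticky Password code; the layout, the key-derivation parameters and the choice of a stand-in cipher (Python’s standard library has no AES, so an HMAC-based encrypt-then-MAC construction is used here so the example runs offline) are assumptions. A real product would use AES-GCM or similar; the point is which values the device keeps and which it sends to the server.

```python
"""How a browser password manager keeps the vault secret from its own servers.

The pattern the article describes: (1) generate a long random password for
every site so none is reused; (2) derive the vault key on the device from the
master password with a slow key-derivation function; (3) send the server only
an authentication hash derived from that key plus the encrypted vault.  The
server can check a login and store the blob, but holds nothing that decrypts
it, so a breach of the service yields ciphertext.

Example code added for this article; it is not LastPass or Sticky Password
code and the exact layout is an assumption.  Python's standard library has no
AES, so the cipher below is a stand-in (encrypt-then-MAC with an HMAC-SHA256
keystream) chosen so the example runs offline; a real product uses AES-GCM or
similar, and the key-handling pattern is the point.
"""
import hashlib
import hmac
import json
import secrets
import string
from dataclasses import dataclass

ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"   # 75 symbols

def generate_password(length: int = 20) -> str:
    """A unique, unguessable per-site password: ~6.2 bits per character from a
    75-symbol alphabet, so 20 characters is roughly 124 bits of entropy.  The
    user never has to remember it; the vault does."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

@dataclass
class DerivedKeys:
    vault_key: bytes   # decrypts the vault; never leaves the device
    auth_hash: bytes   # sent to the server instead of the master password

def derive_keys(master_password: str, email: str, iterations: int = 100_000) -> DerivedKeys:
    """Run on the device.  PBKDF2-HMAC-SHA256 with the account e-mail as salt
    gives the vault key; one more PBKDF2 round over that key gives the login
    credential.  The server should store a further salted hash of auth_hash,
    so neither a network capture nor a server table leak yields the vault key."""
    pw = master_password.encode()
    salt = email.strip().lower().encode()
    vault_key = hashlib.pbkdf2_hmac("sha256", pw, salt, iterations)
    auth_hash = hashlib.pbkdf2_hmac("sha256", vault_key, pw, 1)
    return DerivedKeys(vault_key, auth_hash)

def _subkeys(vault_key: bytes):
    """Separate encryption and MAC keys from the single vault key."""
    return (hmac.new(vault_key, b"enc", hashlib.sha256).digest(),
            hmac.new(vault_key, b"mac", hashlib.sha256).digest())

def _keystream(enc_key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode: stand-in for a real stream/block cipher."""
    blocks = [hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32)]
    return b"".join(blocks)[:n]

def encrypt_vault(vault_key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag, with the tag covering nonce and ciphertext."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt_vault(vault_key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong master password or a tampered blob is
    rejected before any plaintext is produced."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("vault rejected: wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

if __name__ == "__main__":
    keys = derive_keys("correct horse battery staple", "alice@example.com")
    vault = {site: {"user": "alice", "password": generate_password()}
             for site in ("bank.example", "shop.example", "mail.example")}
    blob = encrypt_vault(keys.vault_key, json.dumps(vault).encode())
    # What the server sees: an opaque login hash and an opaque blob.
    print("auth_hash:", keys.auth_hash.hex()[:16], "... blob:", len(blob), "bytes")
    print("restored:", json.loads(decrypt_vault(keys.vault_key, blob)) == vault)
    try:
        decrypt_vault(derive_keys("wrong guess", "alice@example.com").vault_key, blob)
    except ValueError as e:
        print("wrong master password:", e)
```

Everything the server receives (the authentication hash and the blob) is derived from the master password only through a slow, one-way function, so a stolen server database has to be brute-forced one master password at a time rather than read. The trade-off Ms Ehrensvard and Mr Siegrist both point to remains: the master password is now the single secret that matters, and it must be strong.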
Sticky Password, from a Czech Republic-based company, works similarly across devices.
Larry Bridwell, global security strategist for the company, said experts had been working to replace the password for years but had not succeeded. He said two-factor authentication, where a site sends you a new code by text message in addition to asking for your password each time you log in, was more likely to be the future. It is already offered by many email providers and social media sites.
“I don’t know if we’ll ever totally get rid of passwords,” he said.