I’ve said it many times before but to improve security we need to eliminate passwords.
Users behave in defensible, rational ways that make sense based on their evolution, culture, education and environment and yet passwords make fools of us all. The IT industry has got away with blaming users for poor passwords for too long – it’s time to start calling the problems with passwords exactly what they are: poor design.
Creating a secure password isn’t easy
For people to use passwords securely and effectively they have to do several things well and all of them are things humans find very difficult indeed.
Secure, password-based authentication demands that we create long, random text strings that are full of letters and numbers, and liberally sprinkled with wacky characters we barely use any other time.
We need to do that very difficult thing without reference to a previous password, pattern or method that might make our actions predictable and then when we’ve concocted our mystery string we have to remember it.
Multiple passwords, multiple problems
It would be bad enough if we had to do that once, but we don’t; studies by Microsoft Research in 2007 and by a NorSIS in 2012 both concluded that most people have to maintain 25 passwords (and for some of us it’s much higher). There is a small software industry helping people maintain an entire key chain of passwords. Many browsers, for example, quite helpfully fill your password in for you. Except when you stop and think where is the browser storing all these passwords and is that file of my passwords secure? – You would be right, it isn’t.
I could point to the Chromes and Firefoxes of the world and say that they shouldn’t provide us with insecure password managers – but of course I won’t because it’s not the browsers that are the problem, it’s the sheer number of passwords. We are pinning our security hopes on a poor design and user experience, and the browsers are simply providing a way for people to cope with this poor design. There must be a better and more secure approach. Thankfully I’m not the only person who thinks so.
The Fast IDentity Online Alliance
The FIDO (Fast IDentity Online) Alliance is a collection of technology big-hitters including Alibaba, Google, ARM, Lenovo and Mastercard who wants to reduce our dependency on passwords.
FIDO has created a single sign-on (SSO) technology that’s driven by three ideas – security and standardisation and ease of use.
All three are useful but it’s that last of those that could make FIDO an industry standard.
In the FIDO Universal Authentication prototcol, the user is required to authenticate once – using a pin code, a fingerprint scan or USB key, to unlock a private key on the device which is in turn is used to authenticate to online services. It’s simple and standardised – and could help to eliminate the need for 25 passwords each.
Progressive security and usability
I believe that security and usability go hand in hand, and that security solutions with poor usability are never secure in practice. It’s why I’m so passionate about progressive security and our attack-aware, AppSensorFS technology.
FIDO fits perfectly with that philosophy and I was delighted that one of our teams explored this innovation in our recent hackathon.
All the entries from our teams were excellent and inspired pieces of work but, as it happens, the FIDO team won. It won’t be long before a production version of their FIDO code will be making the lives of Interact users easier and more secure.