It seems that in one year or so we could (or should I write “will”?) finally see the beginning of the demise of passwords. The FIDO Alliance is proposing an extension of its UAF protocol which should make it possible to access many online and company applications without a password. The trick is to use the user’s smartphone as the authenticating device, with two significant requirements: the user must confirm her/his identity on the smartphone with biometric authentication, and the smartphone must be directly connected (e.g. by Bluetooth) to the device (PC) that is performing the authentication. More information can be found on the FIDO website (here) and in other articles (e.g. here and here).
Still, I am worried about the security of smartphones: more and more information, functionality and security features depend on them, but, for example, we haven’t yet solved the problem of patching the Android system which most smartphones use. And what about using just the smartphone (or tablet), and not a PC, to access online / company applications?
And the weak link is … the human factor.
Not surprisingly, recent reports (see e.g. here) describe how attackers abuse even MFA processes based on authenticator apps (on mobile phones). Of course it still requires some work: in a generic scenario the attacker must already know the username and password of the account or service under attack and protected by MFA. But after that, bombarding the user with second-factor authentication requests on the mobile app (in the middle of the night) sometimes results in access being granted (by someone who actually would just like to sleep).
This should not be possible with FIDO2 tokens or biometric-based MFA, but the “human factor” is often hard to predict…
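As an added example (not from the original post): the pattern just described leaves a clear trace in authentication logs, and this is the kind of detection logic a defender can run over them. The log format, the ten-minute window and the threshold of five prompts are assumptions; the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # look-back window for repeated prompts (assumed)
MAX_PROMPTS = 5                 # push challenges per user per window before alerting (assumed)

# Constructed sample log in an assumed format: "<ISO time> user=<name> event=<push_*>"
SAMPLE_LOG = """\
2023-03-01T02:10:05Z user=alice event=push_sent
2023-03-01T02:10:40Z user=alice event=push_denied
2023-03-01T02:11:05Z user=alice event=push_sent
2023-03-01T02:11:30Z user=alice event=push_timeout
2023-03-01T02:12:05Z user=alice event=push_sent
2023-03-01T02:12:50Z user=alice event=push_timeout
2023-03-01T02:13:05Z user=alice event=push_sent
2023-03-01T02:13:20Z user=alice event=push_denied
2023-03-01T02:14:05Z user=alice event=push_sent
2023-03-01T02:14:30Z user=alice event=push_denied
2023-03-01T02:15:05Z user=alice event=push_sent
2023-03-01T02:15:12Z user=alice event=push_approved
2023-03-01T09:00:00Z user=bob event=push_sent
2023-03-01T09:00:08Z user=bob event=push_approved
"""

def parse_line(line):
    """Split one log line into (timestamp, user, event)."""
    ts, user, event = line.split()
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            user.split("=", 1)[1], event.split("=", 1)[1])

def find_push_bombing(log_text, window=WINDOW, max_prompts=MAX_PROMPTS):
    """Return {user: (peak_prompts_in_window, approved_during_burst)} for users
    who received more than max_prompts push challenges inside one window.
    approved_during_burst=True is the case to escalate: the burst ended with
    an approval, so the resulting session should be treated as suspect."""
    recent = defaultdict(list)  # user -> timestamps of push_sent still inside the window
    alerts = {}
    for line in log_text.splitlines():
        ts, user, event = parse_line(line)
        q = recent[user]
        if event == "push_sent":
            q.append(ts)
        while q and ts - q[0] > window:  # expire prompts older than the window
            q.pop(0)
        if len(q) > max_prompts:
            peak, approved = alerts.get(user, (0, False))
            alerts[user] = (max(peak, len(q)), approved or event == "push_approved")
    return alerts
```

On the sample log, `find_push_bombing(SAMPLE_LOG)` flags only alice, with six prompts in the window and an approval at the end of the burst; bob's single prompt and approval is normal use.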
NIST has recently published the final version of SP 800-207 “Zero Trust Architecture”, which is recommended reading.
This gives me the opportunity to consider how vastly IT architecture has changed in the last 20 years. From the concept of a single physical IT perimeter, we now have multiple physical or virtual perimeters, which can be dynamic due, for example, to Software Defined Networks or Cloud services.
But most importantly, who and what is inside a perimeter, which can even be a single application, depends not only on the physical and/or virtual location of the device (both server and/or client) but on the identification / authentication / authorisation of the user and/or the device. So, given the proper identification / authentication / authorisation, a user and her/his device can be admitted inside a high-security perimeter even when connecting from any network in the world.
Moreover, authentication and authorisation are not “once and for all”: each perimeter, even a tiny one, should perform them again. This requires strong authentication processes which authenticate both the user and her/his device and its security state. Often this process can be done in two steps: the user authenticates herself/himself to the local (portable) device, typically with MFA / biometrics etc., and the device then manages the authentication to the remote services, thus providing a simpler user experience.
This is the development we see every day in most major IT / Cloud services, and which, sooner or later, will also reduce our dependency on passwords.
For a long time, biometric authentication has been considered the safest and most secure way of identifying users and granting access to IT and non-IT services. It has just one serious drawback: you cannot change your biometric credentials, since they are certainly “you”, and if your biometric credentials are stolen, someone could impersonate “you”.
This is what happened in the OPM hack: the latest news reports that 5.6 million fingerprints of US federal employees have been stolen, see Wired for example. Information about this is scarce, and it is not clear what the format of the stolen fingerprints is and how easy it could be to reproduce them. Security experts believe that it will be possible, sooner or later, to reproduce them; it is just a question of time, technology and money.
So what about the people whose fingerprints have been stolen and possibly reproduced by others? What about the security consequences for companies and the state?
How can we use the security of biometrics without the associated risk of impersonation?
A couple of interesting news items on authentication and passwords:
- Telepathwords is a (Microsoft Research) website which tests passwords you type into it, verifying their strength by checking how likely the next character in the password is to appear, based on common words and password-checking tools; at first sight the idea seems nice, but I wonder about the usefulness of typing your passwords into a public website: obviously any password tested on the website cannot be used afterwards, so this should be taken only as an exercise to learn how to create good passwords (moreover, I tested it with pseudo-randomly generated passwords and the results were not completely clear to me)
- “Nymi Is A Heartwave-Sensing Wristband That Wants To Replace All Your Passwords & Keys”: it is a wristband that measures your unique (but I have no idea how “unique” it is) heartwave and, via Bluetooth, authenticates you to any (capable) device; it is the first time I have heard of this kind of biometrics, and I suspect that it shares the good and bad points of all other biometric authentication approaches.
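To make the next-character idea behind the Telepathwords item concrete, here is an added toy implementation (my own illustration, not Microsoft Research's model or code): a bigram model trained on a tiny constructed word list scores what share of a password's characters the model would have guessed. The corpus, the 0.5 threshold and the function names are assumptions.

```python
from collections import Counter, defaultdict

# Constructed training list: a handful of common words / passwords. A real tool
# would train on large dictionaries and leaked-password lists.
CORPUS = ["password", "welcome", "qwerty", "letmein", "monkey",
          "dragon", "sunshine", "football", "master", "login"]

def train_bigrams(words):
    """Count, for each character, how often each next character follows it."""
    model = defaultdict(Counter)
    for w in words:
        for a, b in zip(w, w[1:]):
            model[a][b] += 1
    return model

MODEL = train_bigrams(CORPUS)

def next_char_probability(model, prev, ch):
    """P(ch | prev) from the bigram counts; 0.0 if prev was never seen."""
    follow = model.get(prev)
    if not follow:
        return 0.0
    return follow[ch] / sum(follow.values())

def predictable_fraction(password, model=MODEL, threshold=0.5):
    """Fraction of characters (after the first) that the model predicts with
    probability >= threshold. Those characters add little real strength,
    so lower is better; a random-looking password scores 0.0."""
    if len(password) < 2:
        return 0.0
    hits = sum(1 for a, b in zip(password, password[1:])
               if next_char_probability(model, a, b) >= threshold)
    return hits / (len(password) - 1)
```

With this corpus, half of "login" is predictable, a quarter of "password1" is, and a pseudo-random string scores 0.0; this also illustrates the author's point that the verdict depends entirely on what the model was trained on.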
We all know very well that username+password is a very weak form of authentication. Unfortunately, alternative universal and more secure methods are not available.
Some researchers (see here for example) are proposing to use our mobile phones as pencils to draw our signature in the air and to use this movement as our password. This approach has many interesting characteristics, from the hardware used to the movement itself, which can be extremely difficult to replicate, much more difficult than a fingerprint, and a few drawbacks, like the obvious need for space to do it.
There is already an app for Android that you can download here. In any case, more research is needed, in particular a full evaluation of the security features of this almost-biometric authentication method.