Why do we still need a password?
27 04 2020
Passwords can be a daily headache and can represent a major source of vulnerability for companies due to the human factor. So we often hear people saying that the time has come to do away with them. But how reliable are the proposed alternatives? Can we really do away with passwords?
Password theft is one of the main forms of illegal intrusion. The annual survey carried out by the American telecommunications operator Verizon recently highlighted the fact that 29% of malicious intrusions are down to stolen passwords and that in 80% of cases the cause was a weak password. Each year, countless rankings for the “worst password” are published, guaranteed to put a smile on any IT manager’s face… or to lead them to despair.
From the classic “123456” to the most mnemonically “incorrect” –not to mention the bold “p/q2-q4!a”–, passwords can be a thorny issue as the need for security often clashes with the realities of day-to-day use. The twofold requirement to remember a number-letter-capital combination of varying degrees of complexity and to replace this combination at regular intervals can often be a headache for users. And there’s a great temptation to note down your passwords on a post-it note or even to use the same password for all applications (this is the case for 78% of employees according to an Harris Interactive study for CaptainCyber). This need for “practicality” combines with the general lack of maturity of individuals and staff.
In this context, many people are now calling for “an end to passwords” and the advent of the passwordless age, while others see biometrics as a promising solution. Others consider two-factor authentication as an effective supplement to passwords. So what’s the situation with these different alternatives? Will we still need a password in the weeks/months/years to come? As security and constraints go hand-in-hand, do we need fewer passwords but better quality ones?
Biometrics: practical but not infallible
Biometric identification (scanning our fingerprints, facial contours or the patterns of our eyes) have quickly emerged as alternatives to traditional passwords. Opening your telephone using your fingerprint is faster and less tedious than entering a code comprised of several numbers. And it’s certainly true that individual physical characteristics, those which by their very nature are unique and specific to each user, offer a useful means of generating signatures. After retina authentication, a concept so dear to Hollywood, the rest of the human body has now been brought into play. Amazon recently lodged a patent to analyse the traces of veins, lines and wrinkles on the skin for authentication purposes. For its part, the Japanese giant Hitachi has opted for a process which makes it possible to analyse blood vessels, as the network the veins in our bodies constitute unique structures.
These companies view these alternative biometric identification methods as being more reliable than fingerprints or than facial recognition, which also has its limits. A team of researchers at New York University recently developed a technique making it possible to generate “universal” fingerprints, and therefore to fool the captors used on 70% of telephones. And when they’re not being falsified, fingerprints can also be stolen (this was the case in 2015 during an attack against the American Federal reserve – FED) and end up being sold in marketplaces specialised in the resale of biometric data. In 2019, the fingerprints of more than 60,000 users were made available on GenesisStore, a marketplace on the darknet. As for facial recognition, the journalist Thomas Brewster from Forbes demonstrated it was possible to trick telephones using a 3D print of your face…What also obviously comes to mind is deepfake technology, which makes it possible to produce highly realistic videos and therefore to potentially fool sensors. So as you can see, there are plenty of experiments underway in the field of biometrics but the risk of identity theft remains.
Ultimately, a combination of two biometric factors, for example a fingerprint and the venous circuit or a fingerprint and facial analysis, could limit these risks. But this solution comes up against cost considerations. Sensors are expensive and it’s difficult to imagine a widespread rollout of devices fitted with dual biometric sensors without these costing a fortune. In short, biometric processes are not sufficiently reliable when used alone.
FIDO2: the advantages and limitations of passwordless technology
Last February, a press release from Microsoft reopened the debate on the scrapping of passwords with the announcement that passwordless technology was to be included in their AzureAD environment. FIDO2 makes it possible to verify the user’s identity based on a strong authentication key contained on a physical medium. The FIDO token can therefore be used as an additional authentication factor. The advantage of the FIDO2 technology is its low cost, making it accessible to both private individuals and companies.
Two-factor authentication: possibilities and limitations
According to Microsoft, two-factor authentication can also prevent 99% of attempted intrusions. Nevertheless, the FIDO key is first and foremost a physical medium, which doesn’t eliminate all constraints. Passwordless but not yet painless. What do you do for example if it gets lost, stolen or forgotten? The telephone is often used as a short-term backup to receive a “token” sent by text message or e-mail. However, recent studies have revealed that attackers can get around this second authentication factor, like for example the Cerberus malware.
This solution is therefore not infallible, especially if you don’t have the FIDO key on you at all times, although it does enable you to increase your security level, particularly for critical networks or infrastructure.
A password vs. a pass phrase
As we have seen, recent developments provide some comfort for users but certainly do not offer the prospect of passwords disappearing any time soon, particularly in dual authentication scenarios. But what exactly makes for a good password? Standards concerning the right complexity level generally require a combination of upper-case letters, numbers and special characters, with the combination being changed regularly.
A recent paper from the NIST (National Institute of Standards and Technology, in the United States) has challenged some of these certainties however, followed by another paper, this time from the BSI, the Federal Office for Information Security in Germany. According to the researchers interviewed by the NIST, the great complexity of certain passwords is simply not viable for daily use, when users are required to type in a combination several times a day. They therefore recommend using a phrase, which is easier to remember and just as difficult to crack for any possible attackers, as there are so many possible combinations of words. This begs the following question: what should the limit be in terms of the number of words? The paper does not mention this. Concerning the BSI, the agency has reconsidered its recommendations concerning the need to regularly change passwords. One of the German researchers even stressed that: “You can securely use the same password for years”. The German agency’s position is simple: regular password changes would cause more harm than good as this would result in individuals using weaker passwords created based on a certain “template”, making them easier to crack by a cyber-attacker.
Fewer but better
If it proves impossible to use either biometrics or a FIDO2 key, it’s always possible to follow a simple rule: choose fewer passwords but better quality ones. Based on the BSI’s recommendations for example, it would be possible to select 5 complex passwords and to assign them to groups of websites ranked in advance according to their importance. A technique which has the benefit of being accessible to all.
As you have seen, we still need passwords, even in the case of strong authentication. There are plenty of possible combinations to help achieve optimal security however. One recommendation would be to always use:
- Something you know (like a password),
- Something you own (like a FIDO2 key),
- Something you are (a biometric element).
The challenge for the IT departments is to ensure that everyone finds the right compromise where security is concerned, the method best able to avoid intrusions while also making daily life manageable. Because as we have seen with the shadow IT phenomenon, the more constraints you add, the more the users will be tempted to try and get around them.