The Password Is Passé

The question is, how to replace it with something more secure? One promising avenue lies in a standard developed by tech companies that belong to the FIDO Alliance.

Since the birth of the personal computer, consumers have held tight to the belief that user names and passwords are secure. Those credentials, after all, are a secret consumers keep close to the vest, much like their debit card PIN. Hence consumers’ oft-repeated mantra: “Nobody knows my password but me, and since I am not revealing it to anyone, it must be safe.”

But payments and security professionals have known better for years. They know hackers are breaking into Web sites and stealing that information by the gross. Twitter is only one of the most recent victims. In June, the social-media company had 32 million user credentials stolen.

What makes passwords and user names attractive to criminals is that they are the gateway to personal data held by banks, merchants, social-media sites, and other companies with which people do business online. Once in possession of a consumer’s credentials, a hacker can masquerade as the accountholder and pilfer personal data that can be used to steal a consumer’s identity and commit fraud.

“User names and passwords are a not good consumer-authentication tools because, if stolen, the server has no way of knowing the person using the credentials is who they claim to be,” says Arshad Noor, chief technology officer for Sunnyvale, Calif.-based StrongAuth Inc., a provider of key-management solutions.

‘A Big Weakness’

Exacerbating the inherent weaknesses of user names and passwords is that most consumers fail to regularly change online credentials, as security experts recommend. More than 50% of consumers don’t change their passwords, says a recent study by Livermore, Colo.-based Lawless Research.

Even worse, consumers use the same password to guard more than one online account about 73% of the time because it is easier to remember a single password for multiple accounts than a different password for each account. In addition, many consumers use their email address as a universal username for the same reason, security experts say.

Hackers are well aware of these trends, which is why, after stealing someone’s credentials, they will enter them on numerous Web sites to see what other account data they can unlock.

“If a consumer has their credentials to one account breached, it is scary how many other accounts can be opened using them,” says Ryan Disraeli, founder of TeleSign Corp., a provider of account security and two-factor authentication solutions. “Relying on consumers to properly manage their passwords is a big weakness in account security.”

Employees, too, are at risk of account takeovers through stolen credentials. Once in control of an employee’s account, a hacker can gain entry to the employer’s network and locate databases containing consumer information such as credit and debit card account numbers, pilfer that data, then sell it on the black market.

Almost 800 data breaches occurred in the United States during 2015, exposing more than 169 million records, according to Lawless Research. In many of those incidents, stolen credentials were used to log on to the site. Chinese hackers used stolen credentials, for example, to breach the United States Office of Personnel Management database in 2015.

Hackers typically capture consumer credentials through emails that, when opened, launch malware onto the consumer’s device. This code captures data by recording every keystroke, along with the addresses of Web sites users visit. With that information, hackers can link a consumer’s password to the Web sites where she has online accounts, then use her credentials to open the account and steal her identity.

“Passwords have become a broken form of authentication, which is why businesses and consumers can no longer rely on them to keep unwanted visitors out,” says Conor White, president for the Americas for Daon Inc., a Reston, Va.-based a provider of biometrics and identity-authentication software.

Advances in Biometrics

What’s needed, cyber-security experts say, is to move away from passwords by introducing new online authentication methods that create minimal friction for consumers and keep consumer credentials in a secure location where hackers can’t get at them.

The push to leave passwords in the rearview mirror is already under way. Thirty-six percent of companies surveyed by Lawless Research foresee doing away with password authentication within four years, and another 36% predict they will no longer rely on passwords within five to nine years.

An early frontrunner to replace passwords is biometrics. The technology is the equivalent of electronic DNA, which makes it nearly foolproof for consumer authentication.

Biometric technology identifies an individual by measuring such physical traits as voice, fingerprints, heart rate, and retinas, and then comparing them to the original biometric record stored in a secure location, such as a device used by the consumer and registered with the company with which he does business.

Further increasing the appeal of biometrics is that the technology is becoming standard on smart phones, tablets, and personal computers. These devices include voice-recognition applications, fingerprint scanners, and cameras with high quality lenses that can be used for selfies.

“As the cost of biometric technology comes down, device manufacturers are making it standard, which brings it into the mainstream,” says Philip Andreae, secretary of the Mountain View Calif.-based Fast IDentity Online (FIDO) Alliance, a standards body for reducing reliance on passwords, and vice president of field marketing for France-based Oberthur Technologies, a FIDO member.

Be Sure to Blink

Two early adopters of biometrics for authenticating consumers are MasterCard Inc. and USAA.

MasterCard Identity Check is a mobile app that displays a pop-up window on a consumer’s mobile device when she is completing an online transaction. To authenticate herself, the consumer selects her preferred biometric authentication method, such as snapping a selfie with the device or pressing her finger to the screen to scan her fingerprint.

Phones can be lost or stolen, allowing criminals to try to fool the app by showing an image of the device’s owner. So MasterCard requires a consumer to blink her eyes several times to prove she is a live person before she can take a selfie.

The app has also been programmed to take into account changes in a consumer’s appearance, such as weight loss or gain, a new hair style or color, or adoption of glasses or contact lenses. It does this by measuring physical characteristics and patterns around the eyes and nose to reduce the odds of false negatives.

The same principle can be applied to voice recognition by tracking a consumer’s verbal cadence to balance out changes in the sound of someone’s voice caused by a sore throat or cold, digital security experts say.

MasterCard, which has piloted Identity Check with ICS bank in the Netherlands, First Tech Federal Credit Union in the U.S., and Bank of Montreal in the U.S. and Canada, says more than 1,000 consumers have used the app when shopping online. MasterCard plans to roll out the app to additional countries by year’s end.

Of the consumers using Identity Check, 92% say it is more convenient than entering a password and 83% say it is more secure than a password, MasterCard says.

Banking giant USAA is offering its customers several biometric options, including facial, voice, and fingerprint recognition. As of July, 1.7 million customers were making use of the technology.

‘Persistent Authentication’

An alternative form of biometric authentication is to track a consumer’s heart or pulse rate on an ongoing basis using a wristband. Toronto-based wristband maker Nymi Inc. has been testing its wristband for authentication with MasterCard, as well as in corporate settings to authenticate employees entering buildings or attempting to unlock computers in the office.

The Nymi Band measures unique physical attributes, such as heart rate. After a consumer creates an authentication profile, he puts on the device and taps his finger on the sensor to authenticate himself to the device. The wristband also gathers changes in the user’s biometric data, such as fluctuations in heart rate.

The company tested its technology with TD Bank in Toronto last year as part of a pilot with MasterCard. To make a payment, Nymi users wave their device in front of a contactless payment terminal. If a consumer loses her Nymi band, biometric authentication prevents another wearer from using it to make a payment or authenticate himself to a security device.

“Persistent authentication establishes a higher level of trust between the consumer and the company she is authenticating herself to,” says Karl Martin, founder and chief technology officer for Nymi.

While biometrics is considered a significantly stronger form of authentication than user names and passwords, those identifying features must still be protected from hackers. This is where the FIDO standard comes into play.

Rather than keep consumer’s biometric records in a central database, the FIDO Alliance recommends authenticating consumers to the device they are using to log on to their account. This approach runs counter to the current practice of transmitting credentials over the Internet to a database and seeing if the data match those on file.

“FIDO’s philosophy is that keeping consumer credentials, such as biometric records, in a central repository is too risky, because databases can be breached,” says Martin. “Performing authentication locally to the device is more secure.”

Device Fingerprinting

The FIDO standard, which allows Web sites and cloud applications to interface with FIDO-enabled devices, mandates that users first register their device, such as a smart phone, with a Web site on which they have opened an account. To register her phone, a consumer must first download the service provider’s app.

Once the app has been downloaded and opened on the consumer’s device, it creates a set of private and public cryptographic keys. The private key is stored on the device and registered with the Web site.

Next, the consumer selects the authentication method that unlocks the private key. If the Web site is relying on biometrics for authentication, for example, the consumer would either snap a photo of herself with the device’s camera, press her finger on the device’s screen to record her fingerprint, or speak into the device’s microphone to register her voice print.

When it comes time to log on to her account, the consumer opens the app, which connects with the Web site’s server holding the public key. After the consumer makes the log-in request, the public key issues a request to the device requesting proof the consumer has authenticated herself. The app then prompts the consumer for her biometric, which is scanned by the private key.

If the biometric feature matches the one on file in the device, the private key sends an algorithmic code to the public key confirming consumer authentication. Even if a hacker breaks into the database where the public key is stored, the public key contains none of the consumer’s biometric, rendering it useless for fraudulent purposes.

Consumers can also load private keys onto USB fobs that can be plugged into different computers to prove to the public key that the consumer is in possession of the private key, regardless of the computer the consumer is using.

“FIDO’s standard includes requirements for device fingerprinting to validate the consumer’s device and its security properties,” says Brett McDowell, executive director of the FIDO Alliance. “If a device is lost or stolen, the service provider can deactivate the private key after being notified by the consumer.”

Founded in 2013, FIDO now has more than 200 members, including tech, banking, and payments heavyweights like Bank of America, Discover, Google, Intel, MasterCard, Microsoft, PayPal, Samsung, and Visa.

Whether biometrics or some other technology ends up replacing passwords as the dominant form of consumer authentication, security experts agree the password’s best days as an authentication and security tool are long gone.

“The security risks posed by passwords are real and aren’t going away,” says StrongAuth’s Noor. “The FIDO standard mitigates the risk posed by the current authentication process built around passwords, which is why Web sites should start adopting it now.”

The password’s bleak future

69% of companies say that usernames and passwords alone no longer provide sufficient security.

36% of companies plan to stop using passwords within 4 years.

36% predict they will no longer use them in 5 to 9 years.

Source: Lawless Research