Eric Sachs has a problem with recycling. Not paper or plastics, mind you. Passwords.
“About five years ago, we started to see a significant increase in the hijacking of Google accounts,” says Sachs, the group product manager for identity for Google. “We came to recognize it was a password reuse problem.”
Indeed, one recent study from the University of Cambridge concluded that the password reuse rate was at least as high as 31 percent and could be as high as 49 percent if one counts similar passwords. This means, if a hacker gets access to at least one of your passwords, he could have access to at least half your other accounts.
Sachs and his team immediately set out to improve the security of Google’s accounts, and to offer guidance to other companies struggling with authentication security. Nowadays, Google’s login process encompasses a “very explicit two-step verification” for users, Sachs says. The internet search engine company has also invested in risk-based management – similar to what Facebook and many financial institutions use – that reviews every new login for potentially bad IP addresses or concerning geolocation coordinates, which might indicate bad actors trying to get in. More recently, Google has adopted the mobile phone as a “key enabler” for what Sachs calls “smart identification.”
“Combining traditional risk signals, like IP address, with a second factor, like the mobile phone, reduces the risk,” he says. But, it also comes at a cost. Sachs, who will not share specific numbers, says his identity team increased four-fold during this development period.
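The risk-based check Sachs describes, where signals such as IP address and geolocation decide whether a password alone is enough or the phone is required as a second factor, can be sketched as follows. This is an added illustration written for this article, not Google’s code or anything this page describes in detail; the signal weights, thresholds, user name and IP addresses are all constructed for the example.

```go
package main

import "fmt"

// LoginAttempt holds the signals a login endpoint observes for one attempt.
// Constructed for this example; real systems use many more signals.
type LoginAttempt struct {
	User       string
	IP         string
	Country    string
	KnownBadIP bool // assumed to come from an IP reputation feed
}

// UserHistory records where a user has successfully logged in from before.
type UserHistory struct {
	SeenIPs       map[string]bool
	SeenCountries map[string]bool
}

func NewUserHistory() *UserHistory {
	return &UserHistory{SeenIPs: map[string]bool{}, SeenCountries: map[string]bool{}}
}

// Decision is the outcome of the risk evaluation for one attempt.
type Decision int

const (
	Allow               Decision = iota // low risk: password alone is accepted
	RequireSecondFactor                 // medium risk: step up to the phone
	Block                               // high risk: refuse the attempt
)

func (d Decision) String() string {
	return [...]string{"allow", "require-second-factor", "block"}[d]
}

// RiskScore adds up the traditional risk signals the article mentions.
// The weights are constructed for illustration; a production system tunes
// them from observed fraud rather than hard-coding them.
func RiskScore(h *UserHistory, a LoginAttempt) int {
	score := 0
	if a.KnownBadIP {
		score += 60
	}
	if !h.SeenIPs[a.IP] {
		score += 20
	}
	if !h.SeenCountries[a.Country] {
		score += 30
	}
	return score
}

// Decide maps a score onto an action: any unfamiliar signal triggers the
// second factor, and a known-bad IP is refused outright.
func Decide(score int) Decision {
	switch {
	case score >= 60:
		return Block
	case score >= 20:
		return RequireSecondFactor
	default:
		return Allow
	}
}

// RecordSuccess is the adaptive part: once an attempt has been accepted
// (after the second factor, where one was required), its IP and country
// join the user's history, so the same location is low-risk next time.
func RecordSuccess(h *UserHistory, a LoginAttempt) {
	h.SeenIPs[a.IP] = true
	h.SeenCountries[a.Country] = true
}

func main() {
	h := NewUserHistory()
	// Constructed attempts; the addresses are from the documentation ranges.
	attempts := []LoginAttempt{
		{User: "alice", IP: "203.0.113.5", Country: "US"},
		{User: "alice", IP: "203.0.113.5", Country: "US"},
		{User: "alice", IP: "198.51.100.7", Country: "DE"},
		{User: "alice", IP: "192.0.2.9", Country: "DE", KnownBadIP: true},
	}
	for _, a := range attempts {
		d := Decide(RiskScore(h, a))
		fmt.Printf("%s from %s (%s): %s\n", a.User, a.IP, a.Country, d)
		// Pretend the user completed the phone challenge when one was required.
		if d == Allow || d == RequireSecondFactor {
			RecordSuccess(h, a)
		}
	}
}
```

The first login from a new address and country steps up to the second factor; the repeat from the same place is allowed on the password alone; a new country steps up again; and a reputation-flagged address is blocked regardless of history.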
OUR EXPERTS: Beyond the password
Brennen Byrne, CEO, Clef
Frank Dickson, network security industry principal, Frost & Sullivan
Phillip Dunkelberger, CEO, Nok Nok Labs
Steve Kirsch, CEO, OneID
Charles McColgan, CTO, TeleSign
Eric Sachs, group product manager for identity, Google
Google’s commitment to enhance its authentication procedures points to a growing problem with passwords. By most accounts, the password or PIN (at least as the sole form of verifying identity) is dead. However, the problem, as many experts see it, is that dead as they may be, passwords are still on life support. “Passwords were great when they were invented 50 years ago,” says Michael Barrett, president of the FIDO (Fast IDentity Online) Alliance, to which Google belongs. “Even a decade ago, passwords worked adequately on the internet. If you asked the average internet user how many user IDs and passwords they had back in 2004, they’d respond, ‘Maybe five or six. Why do you ask?’ Now, they say, ‘I’ve got 30…and I can’t cope any more.’”
Increasingly, the way consumers and employees cope with password overload is “to use the same password absolutely everywhere,” says Barrett. “That basically means that the security of their most secure account is now the security of the least secure place where they’ve used that same password.” Criminals know this, he adds, which, combined with data available about passwords, has led to an explosion in the number and scale of data breaches. In turn, Barrett claims, this has led to tens of billions of dollars (perhaps hundreds of billions) in losses for online service providers, financial institutions and other “relying parties” [co-operating sites using the OpenID standard] who are beginning to develop more complex risk-based authentication systems. “These systems staunch the bleeding, somewhat, for those organizations, but don’t solve the problem for all of the other companies which provide internet-based services,” he says. “Passwords have had a good run, but they are clearly nearing the end of their lives,” says Barrett.
The Target breach is just the latest in a line of incidents springing from password weakness, according to Phillip Dunkelberger, CEO of Nok Nok Labs, a company that develops stronger authentication. (Nok Nok Labs also developed the code that has become the basis for the FIDO Alliance’s authentication protocol, he adds.) Passwords have remained well-entrenched, however, because “people think they’re cheap,” Dunkelberger says. Aside from the untold expense of exposures and breaches, the cost of maintaining passwords can be higher than people realize. Password resets account for as much as 80 percent of the support costs associated with some companies’ help desks, Dunkelberger claims. “They are not very secure, they don’t help with privacy, and they are, in fact, really costly,” he says. “It used to be data was currency, now authentication is currency.”
Other experts agree. “We’re stuck using 30-year-old technology,” says Steve Kirsch, CEO for OneID, an authentication security vendor. “People keep using the same password security and expecting a different result. When you have something this fundamentally insecure, it’s not a question of if, but when you will be breached.”
The problem with passwords “is that they pit our memory against the computer’s brute force, and we’re reaching a point, as computers get stronger, where our memories just can’t hold up,” says Brennen Byrne, CEO of Clef, a mobile authentication startup. “This is a long-term problem. An incredibly important part of the internet is about to fail.”
But, at least two factors are driving change, he says: The first is that “we’re seeing the topics of security and privacy in the mainstream news every day now.” Between Edward Snowden’s leaks and the recent Target breach, the amount the average person hears about identity and security “rose dramatically in the past year.” Secondly, Byrne says, technologies that offer a second form of authentication, or stronger authentication, are becoming more accessible and easier to use and understand. Case in point: Apple and Samsung have introduced devices with built-in biometrics readers.
“Improving [authentication] is becoming an imperative,” says Dunkelberger. “Between the user dissatisfaction, the merchant breaches…It’s a perfect storm of drivers.”
But, just because other solutions may be rising up to enhance authentication security, it doesn’t mean the password is completely going away. “The password is dead, but we’re in the zombie apocalypse phase now,” says Charles McColgan, chief technology officer for TeleSign, a mobile identity solutions firm. Like many emerging firms in the authentication space, TeleSign relies on the ubiquity of the mobile phone to provide a second factor of authentication – in this case, via a verification code sent by SMS or voice.
In fact, biometrics, long discussed as the ultimate “what you have” factor of authentication, is emerging as a more likely form of security as the technology is more and more integrated into mobile phones. There is a downside, though, as McColgan points out: “If someone’s biometric [data] is stolen, it’s gone forever.” In other words, you can’t change your fingerprint with the same ease you could swap out a one-time password (OTP) or replace a key fob.
Indeed, the strong authentication and one-time password market is seeing steady growth due to several factors, according to research released in February by Frost & Sullivan, which credits the movement to cloud-based services; the demand for single, federated sign-on to software-as-a-service (SaaS) apps; the continuing growth of the threat landscape; open standard approaches; and innovative methods for stronger authentication. Biometrics is now the largest segment for strong authentication, with much of its momentum driven by the use of voice biometrics in call center and interactive voice response applications, according to the research findings. Frost & Sullivan expects this market to grow from revenues of $1.52 billion in 2013 to an estimated $2.16 billion in 2018 – a compound annual growth rate of nearly seven percent – as newer, less expensive authentication methods outpace OTP generators.
“Everyone is looking for one nirvana form of authentication,” says Frank Dickson, network security industry principal at Frost & Sullivan and the report’s author. “It is more likely that not one single method alone will replace passwords.” Instead, he suggests that companies combine “baskets” of factors of authentication, based on the transaction or interaction, the inherent risk, the user base and other relevant issues. “Let’s make sure our authentication is commensurate with the action,” he says.
Barrett says the industry has tried many approaches to improving authentication in the past, but none of them has worked well, either because they didn’t address the totality of the requirements for authentication or because they had complex architectures (X.509, a PKI standard, is the example he points to). “Today, we’re stuck in the situation where there is much innovation in the authentication market,” he says. There are more than a hundred authentication vendors today, and that number has been rising by about a dozen a year for the last several years, he says. But the market penetration is very low, in part because relying parties can’t afford the integration costs over and over again to try different solutions. He says the benefit of the FIDO Alliance is that it “allows relying parties to throw some mud at the wall and see what sticks.”
For its part, Google has experimented with a number of strategies for better authentication, including, last year, a USB dongle called the YubiKey Neo, developed with Yubico. This tool would essentially act as a skeleton key for all of a user’s online accounts.
“No one knows the right approach here,” says Sachs. “We all have our hopes.”
A few fundamental underpinnings are essential though, according to Barrett. He says the FIDO Alliance supports open standards where relying parties only need to integrate once to the standards-based APIs. Users should authenticate to their local devices, and then the relying parties should authenticate the devices themselves. Users should be able to choose which authenticator they wish to use, and users should be offered authentication methods which are easier to use than passwords.
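The model Barrett describes, where the user authenticates to the local device and the relying party then authenticates the device, is at bottom a public-key challenge-response: the site stores a public key rather than a password, issues a random challenge, and accepts a signature over it. The following is an added sketch of that idea, written for this article and not taken from the FIDO specifications or from any vendor’s code. It uses Ed25519 from Go’s standard library; the PIN standing in for local user verification, the user name and the in-memory stores are all constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Authenticator models the user's own device. The private key is generated
// on the device and never leaves it; a local user-verification step (a PIN
// here, a fingerprint or voice print in real products) gates signing.
type Authenticator struct {
	priv ed25519.PrivateKey
	pin  string // constructed stand-in for the local verification secret
}

func NewAuthenticator(pin string) (*Authenticator, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv, pin: pin}, nil
}

// PublicKey is the only thing the device hands to a relying party at registration.
func (a *Authenticator) PublicKey() ed25519.PublicKey {
	return a.priv.Public().(ed25519.PublicKey)
}

// Sign performs local user verification, then signs the relying party's challenge.
func (a *Authenticator) Sign(pin string, challenge []byte) ([]byte, error) {
	if pin != a.pin {
		return nil, errors.New("local user verification failed")
	}
	return ed25519.Sign(a.priv, challenge), nil
}

// RelyingParty is the web site. It holds public keys, not passwords, so a
// breach of this table yields nothing that can be replayed here or elsewhere.
type RelyingParty struct {
	keys       map[string]ed25519.PublicKey
	challenges map[string][]byte // outstanding one-time challenges per user
}

func NewRelyingParty() *RelyingParty {
	return &RelyingParty{keys: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}

// Register binds a device's public key to a user account (integrate once).
func (rp *RelyingParty) Register(user string, pub ed25519.PublicKey) {
	rp.keys[user] = pub
}

// Challenge issues a fresh random nonce that the device must sign.
func (rp *RelyingParty) Challenge(user string) ([]byte, error) {
	if _, ok := rp.keys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.challenges[user] = c
	return c, nil
}

// Verify accepts the assertion only if it signs the challenge this relying
// party issued and that challenge has not been consumed already (no replay).
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.keys[user]
	issued, outstanding := rp.challenges[user]
	if !ok || !outstanding || !bytes.Equal(issued, challenge) {
		return false
	}
	delete(rp.challenges, user) // consume it whether or not the signature checks
	return ed25519.Verify(pub, challenge, sig)
}

// Login runs one full authentication: challenge, local verification, sign, verify.
func Login(rp *RelyingParty, dev *Authenticator, user, pin string) bool {
	c, err := rp.Challenge(user)
	if err != nil {
		return false
	}
	sig, err := dev.Sign(pin, c)
	if err != nil {
		return false
	}
	return rp.Verify(user, c, sig)
}

func main() {
	dev, err := NewAuthenticator("1234")
	if err != nil {
		panic(err)
	}
	rp := NewRelyingParty()
	rp.Register("alice", dev.PublicKey())
	fmt.Println("correct PIN:", Login(rp, dev, "alice", "1234"))
	fmt.Println("wrong PIN:  ", Login(rp, dev, "alice", "0000"))
}
```

Two properties worth noticing: a captured assertion is useless afterwards because the challenge is consumed, and a second device, even one registered to another account, cannot answer the first user’s challenge. Real FIDO assertions also bind the relying party’s identity and the client origin into the signed data; this sketch signs the bare challenge and leaves that out.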
“Within the FIDO Alliance, we don’t know whether [the solution] will be fingerprints, voice prints, facial recognition, eye recognition or secure input of a PIN…or some kind of authentication that we haven’t even thought of yet,” Barrett says. “The point is that users need easy-to-use solutions, but yet for far too long the information security industry has simply given them ‘solutions’ that merely add friction in the name of security.”
Barrett believes that authentication standards could well be the “rocket fuel that gives identity programs a real lift off.” The FIDO Alliance has found noteworthy support for its standards lately: In late February, Samsung and PayPal announced that the new Samsung Galaxy S5 smartphone will use the FIDO standard to activate and confirm PayPal payments using the Samsung S5’s fingerprint sensor. Dickson, a self-proclaimed “huge proponent” of the FIDO Alliance, says the embrace of open standards for authentication will be critical to expanding the market.
Moving beyond the password may take time, experts say. The motivation is there, standards are being embraced, and leaders like Google are pointing the way, but developing a more advanced authentication system can be an expensive and seemingly unwieldy proposition. Two-thirds of the additional costs from Google’s recent identity-improvement efforts came from development costs. “Because we’re talking about risk-based, not rules-based authentication, it needs to change over time as the bad guys change their methods,” says Google’s Sachs.
Kirsch points out that the development and support costs for new authentication systems are far outweighed by the costs of exposures. “Look at Target,” he says. “They are spending millions to clean up that mess.”
Byrne, who helped organize the public advocacy campaign Petition Against Passwords, says that the goal is for the cost of greater security to be wrapped into the cost of owning a smartphone, as mobile authentication technologies take hold. “There are two sides to this challenge,” Byrne says. “We have to convince companies that this is in their best interest, and we have to get consumers to use a better solution.”
A few things need to happen, says Dickson, before we see more companies moving beyond passwords. Namely, he says more vendors have to offer solutions, preferably cloud-based, that are easier to use, and more companies need to embrace standards like those put forth by the FIDO Alliance. “The problem is that a lot of organizations are not rewarded for innovation,” Dickson says. “But the momentum for stronger forms of authentication is unstoppable. The era of authentication with only a username and password is almost over.”
Barrett says that what matters is not how many FIDO-enabled products are offered by technology vendors, but which companies start deploying those solutions. “At this point, I don’t believe that anything is delaying the process, except the intrinsic difficulty of ‘changing the engines on the jet plane in flight.’ We’re talking about changing the authentication experience for hundreds of millions of internet users, on a global basis, and getting all relying parties to integrate to a new authentication modality,” says Barrett. “It seems perhaps a little Eeyore-ish to say so, but that’s not going to happen instantaneously. That said, given the pressure from users frustrated by passwords, and from relying parties who are equally fed up with losing large sums of money to criminals, it’s quite possible that in a couple of years things may look quite different.”
Dunkelberger agrees. “It took 50 years to dig the hole we’re in with username and passwords. It won’t get fixed in a year or two.”