Heartbleed's lesson: Passwords must die

Heartbleed's lesson: Passwords must die

Summary: With the multitudes of accounts we have to deal with for email, social networking and other applications that require password authentication, we need a better solution.

SHARE:

Biometrics have been used effectively in computing applications for some time, primarily for high-security environments in which the recognizing the unique characteristics of an individual are of paramount importance. Typically, you see them used in in Government, TOP SECRET and Financial systems.

Usually, you see them in the form of either fingerprint or retina scan, and sometimes even voice print identification. There are other ways of doing biometrics, but these are the ones which are in common use.

One such system that used both fingerprint and retina is the CLEAR registered traveler service, which recently re-opened under new ownership with limited service at Orlando airport after its parent company, Verified Identity Pass ceased operations in June of 2009.

Despite the fact that the company had financial troubles and the service may have come before its time, their authentication system itself was one of the best I've ever seen, which used a combination of an electronic identity card containing a biometric signature, as well as retina and fingerprint scanning.

Fingerprint scanners are inexpensive, ranging from $40-$50 retail if you want to add one to your PC. Some higher-end business laptops, such as my Lenovo X1 Carbon Touch, already have them built in.

As a component cost of integrating into a USB keyboard, a laptop, tablet or smartphone, the price is significantly less if you start manufacturing them in the tens of millions. Apple has already proven this by integrating fingerprint scanners into their iPhone 5S, and by Samsung with their new Galaxy S5.

Built-In cameras in laptops and smartphones with high-resolution CCDs and constantly improving macro capability and miniaturized optics also could make retina scan on portable devices and PCs an affordable reality within a number of years.

These solutions could also be combined with RFID implants and/or voice print identification as well as Trusted Platform Modules (TPM) and virtual smartcards to have multiple points of identification, in order to minimize the risk of access due to biometric forgery or coercion under duress (such as being forced to authenticate under gunpoint). 

The cost and integration of the hardware is only part of the problem, though. What we really need is a standardized API that would work on every OS platform and the web, so that you have seamless session-based biometric logins for all the services and applications one might use.

And biometric enrollment must either get centralized, federated or a lot easier to do than it is now.

Given the continued importance of services such as Google Apps, FaceBook, Twitter and other services, as well as the amount of passwords that we now need to maintain, it's starting to look like we need a universal biometric API, and preferably one which has government buy-in in terms of accepted standards.

I'd like to see Google, FaceBook, Amazon, Microsoft, IBM, HP, Oracle and Apple as well as the Office of the CIO of the United States and equivalent organizations in the EU make this a priority.

There's far too much identity theft and password compromises going on and it's costing consumers, businesses and governments hundreds of millions if not billions of dollars a year, not to mention the aggravation and embarrassment of having your data compromised and the harm to your personal and business reputation when it occurs.

With the prevalence of Social Networking, smartphones and mobile applications, do we need a mass-adoption of biometrics? Talk Back and Let Me Know.

Topics: Security, Cloud, Collaboration, Mobility, Networking, Smartphones, Social Enterprise

About

Jason Perlow, Sr. Technology Editor at ZDNet, is a technologist with over two decades of experience integrating large heterogeneous multi-vendor computing environments in Fortune 500 companies. Jason is currently a Partner Technology Strategist with Microsoft Corp. His expressed views do not necessarily represent those of his employer.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

123 comments
Log in or register to join the discussion
  • That won't work

    Even your pc has finger-printer scanner, how about your phone? How about going to library pc and access your account?

    Some centralized authentication may be the answer. The problem is who. Can we let goverment handles our account. Microsoft tried this a couple years ago, but few trusted them. Now we have this dilemma.

    Right now I am using one small applicaton I wrote myself. All username & password saved in xml file and encrypted, clicking the url link will bring me directly into login page, so I don't need remeber url too.
    FADS_z
    • RE: Google, Facebook: End Passwords, Get Biometrics. Now!

      @FADS_z
      Sounds similar to LastPass.
      Real World
      • Yep LastPass

        Totally nailed it @Real World
        Aaron Klap
      • Biometrics are not the answer!

        In a networked world, biometrics won't work. In a closed, offline system with hardware security, biometrics will work. However, when working over a network, the server generally authenticates, meaning that the data gathered from your fingerprint or retina scan is just another password used to verify a stored hash. Problem is, it's a password that can't be changed, so once your fingerprint is compromised, you're screwed.

        THE WORLD NEEDS TO STAY AWAY FROM BIOMETRICS!!!
        NitzMan
    • RE: Google, Facebook: End Passwords, Get Biometrics. Now!

      @FADS_z <br>Take a look at the new Motorola Atrix (the rage at CES, coming March 6 on AT&T - an iPhone killer). It has a built in fingerprint scanner, and I can tell you that every major manufacturer of devices is looking at adding fingerprint scanners for simplified locking and unlocking the phone. Add the right web-authentication software to it, and you will be able to swipe your finger on your phone or your PC to be able to authenticate to web sites.<br><br>My company, BIO-key, has already begun porting our WEB-key secure web authentication platform client to the Atrix, and when complete in 60 days or so, you will be able to swipe to authenticate to one or more of the major online authentication service providers that are integrating this platform, There WILL be trusted, non-goverment players offering fingerprint authentication in the cloud, and the explosion of mobile devices will be the catalyst for uptake. Standing there pecking in strong passwords while your friends swipe to instantly authenticate in context for secure access to apps, mobile payments, DEA approved ePrescibing of controlled substances (yep, to their credit, the DEA specifically went back and revised their rule last summer to allow ePrescibers to choose a biometric subsystem like WEB-key to secure that process) and BIO-key is already integrated into Allscripts and Eclipsys, Sentillion, EPIC, McKesson, plus most of the commercial enterprise authentication platforms (IBM TAM ESSO, HID/ActivIdentity, Oracle OAM & Passlogix, CA eTrust SSO and Evidian, to name a few). You can also upgrade your laptop's "free" (ie bad) software algorithm to replace it with a better one.<br><br>Unfortunately, based on the misperceptions that are expressed in the comments, most people don't realize how big a difference there can be between old or inferior fingerprint systems they may have experiences with, and the state of the art in secure fingerprint authentication today. Tablets and smart phones have had false starts as well, if you recall the failure of the units 5-10 years ago to widely catch on. Did that mean the concept wasn't worthy? No, it meant that the implementation wasn't worthy. Fingerprint biometrics is the same way. Please keep an open mind to how this technology can help make sure that you are the only one who can access your privileges, and make it easier for you, as well. Everyone has the right to a secure identity, and that's what this industry is trying to help achieve.
      SecurityThroughObscurity
    • RE: Google, Facebook: End Passwords, Get Biometrics. Now!

      @FADS_z
      A biometric doesn't have to be the only way into your secure accounts - just the most easy + secure way. You can still allow "plan B" access methods, such as smart questions, password plus SMS, etc, but use them only on the occasions that you don't have your fingerprint scanner available. The nice thing about fingerprint authentication is it's the rare case of the strongest authentication ("Who you are") being the easiest.

      I see several people raise the question of replay attacks and that you can't create more fingerprints for you if some are compromised. I addressed this below in another reply, but it's important enough simply say here that quality web fingeprint authentication platforms mitigate this threat by creating a secure tunnel protocol all the way to the scanners (even the cheap ones in phones and laptops offer this, and liveness detection to prevent the negative mythbuster exposure that some inferior scanners fell victim to).

      As for your fingerprints being of limited supply and vulnerable if compromised, this is a misconception about biometrics, which are different than passwords, which obviously must be kept secret. Intrinsic to biometrics is the idea that you don't have to keep the thing being measured - you - secret. You can show it to the world, but you are the only one who can meet the measuring standard at authentication time.

      The misperception is that the fingerprint is the credential, when actually, your finger is the credential. The system's job is to make sure that a real finger is on a real scanner when an authentication takes place. The fingerprint is just an artifact of your finger being scanned, and a quality web fingerprint authentication system will secure that pipeline so an imposter with a perfect image of your fingerprint cannot inject it into the system and claim to be you. The good thing about an all-software platform that is interoperable across all readers is that you can leverage today's enrollment with tomorrow's new scanners and devices that contain them, versus having to start over and re-enroll.

      Our customers who enrolled years ago can start identifying their users, customers, and patients over the web using the Motorola Atrix phone on Android OS with our upcoming WEB-key client for Android. Stay tuned!
      SecurityThroughObscurity
      • Real live finger would be preferable

        Fingers can be severed.
        John L. Ries
    • Biometrics will come, it is only a matter of time

      Apple's recent inclusion of a fingerprint activator is a primitive baby step, and since it is only single factor, easy to bust.

      But multifactor biometric authentication? Put enough measures in, and you have to be you (or your identical twin.) Someone might be able to mimic your prints... but not your prints, retina, and voice. And the sensors needed for this could be built into the existing camera and microphones are devices come with.

      In about 15 years, I suspect we'll see this displace passwords.
      Mac_PC_FenceSitter
      • Well ...

        At some point all of this identity information goes over the network as data. If someone ever manages to sniff it and replicate it. Its over. And its not like a password where you could just change it. I really believe that when biometrics appears it will get hacked and will create a real Orwellian mess.
        George Mitchell
        • Re:"identity information goes over the network" - not so

          That's not true of the iPhone 5S.

          On the iPhone 5S all biometric data is stored on a hardware encrypted area (called "Secure Enclave") of the A7 SoC and it never leaves there.
          Slurry
          • Yes, but...

            This applies to a completely offline system. The iPhones hardware manages the authentication for itself. When you have a server based system, the server needs to perform the authentication. Hence data is passed over the wire. Any data over the wire or residing on a remote server should be regarded as compromised.

            Passwords are still the best method of security. The problem is they're not complex enough and people can't remember them. So we have to solve the problem and not introduce a new problem. Biometrics is a problem within itself and something that should never be introduced into a networked system.

            You can change your password, but you can't change your finger or eyeball.
            NitzMan
      • biometrics do not solve passwords with regards to heartbleed

        what do all these biometric measures do in software?
        they just authenticate and then pass a "PASS" token to the server.
        the Token is the biometric equivalent of a password.
        so heartbleed just reveals the token instead of a password.
        what's the technical difference?
        warboat
    • I agree

      I am just not wiling to freely give up my biometric info. Just imagine if that's ever compromised. It like the SSN debacle we have now.

      For me, the only acceptable solution is a credible alias. Smart people already get this.

      Mark my words: the value of an alias will only increase with time. -Cornhead circa 2013.
      CornheadsBack
      • alias

        Will you also agree that your alias will get to live your life, instead of you?
        danbi
        • The secret of an alias is...

          ...if it's ever compromised you just get a new one.
          CornheadsBack
    • What are those techies

      Biometrics are converted into data streams that quite easily are intercepted unless one use applied cryptology in the aim to make it more difficult to interpret such data.

      Check up how computers work b4 pulling together complex solutions.

      Status will be QO while making some hardware manufacturers happy and rich, only.
      X15meshman
  • RE: Google, Facebook: End Passwords, Get Biometrics. Now!

    Probably 60-75% of the time I access Facebook/LinkedIn/Gmail/etc. from a mobile device that doesn't have the capability to do any type of two-factor authentication, let alone biometrics. I would also love to see the false-positive and false-negative rates on the various types of biometric ID, and to what extent that is based on the hardware and software combination used.

    In short, I don't think we're anywhere near being ready to support biometric ID across the board, but I'll grant you, we're closer than we were two years ago.
    Real World
    • RE: Google, Facebook: End Passwords, Get Biometrics. Now!

      @Real World

      Biometrics, unless you are talking military-grade, is VERY unreliable. Believe me, I tested a fingerprint scanner one time that my cousin brought home (they were thinking of using them on the police computers) and we couldn't get the thing to recognize the fingerprint scan as being authorized more than 1 out of 10 times.

      This was a consumer level device, but that is the point: it's what most people would use.
      Lerianis10
      • Seems to work for some and not others.

        @Lerianis10 We ran a test a while back at my office. The print readers worked well for some people but not for others. I was one of the people it just wouldn't work for (with results similar to your 1 in 10 example) while for others it worked most of the time.

        The other thing I have against this idea is that if it becomes widespread, every friend and relative I have will be calling me for their free tech support on it.
        cornpie
        • Re: it worked most of the time

          Would you agree to have a security system, that most of the time will let you in and most of the time will keep the bad guys out?
          danbi