Passwords the Achilles' heel of 2013; will 2014 offer fix?

Summary: Password alternatives look to hit stride in 2014 and end-users are key to success.

TOPICS: Security, Networking

Chances are you had one stolen last year, or stole one (or a million) yourself.  

The password, that DARPA relic, morphed freely and frequently in 2013 from the secret-inside-your-head to hacker-fodder in full-monty on Pastebin, Dump Monitor, which tracks stolen password dumps, or any number of Internet black(hat) holes.

New cracker tools helped hackers break passwords of up to 55 characters, giving IT and end-users the sense that perhaps the password gig is up.

Hundreds of millions of passwords went missing from sites such as Adobe (38 million), MacRumors (860,000), Ubuntu Forums (1.82 million) and GitHub (unannounced). It seemed few, if any, were safe.

While initial grabs were mainly to access accounts on the sites the passwords were stolen from, hackers eventually found value in using the stolen credentials at more lucrative sites like gamer networks and banks, since users have taken to the convenience of re-using passwords across sites.

Stolen credentials also were used in other devious ways.

It was a phished password that brought down the New York Times earlier this year. The password was stolen from an Australian DNS registrar and used to poison DNS records and direct traffic away from nytimes.com.

In 2013, the pain point was not your (stolen) password, but how it was eventually used against you.

Two-factor authentication (2FA) options emerged in the mainstream on sites from Facebook to Google to GitHub to Twitter. Google talked about making 2FA mandatory. While not a panacea, 2FA is better than the traditional username/password credential.

From a user-perspective, anticipate 2FA to become a de facto "strong" authentication option in 2014. The ubiquitous nature of the smartphone will help drive this adoption, but persistent user attitudes around convenience will fuel rounds of 2FA frustration. Simply put, the inevitable resistance to 2FA today - tedious typing and re-typing of credentials - will not disappear even if the end-user has been burned in password hacks.

Look for biometrics to ease some of that pain. Apple's iPhone 5 Touch ID fingerprint reader may get new features - or even a dev community. And the company is putting more effort and more money into biometric-based authentication. The FIDO (Fast Identity Online) Alliance is developing a set of technical specifications to help ease vendor adoption of biometric and other authentication options.

Online identity services that take on the task of authentication and user ID management will increase in popularity. End-users will need to listen for key words to help pick out the services that are building for the future, while IT will need to pay attention as they construct hybrid identity infrastructures to leverage existing build-outs and regulatory-inspired internal security boundaries.

OAuth 2.0 and OpenID Connect are the emerging key words and an authorization and authentication tag-team for both mobile and laptops.

Earlier this year, when the online service Buffer, which is used to schedule social media posts, had its database hacked, it stemmed the bleeding by revoking the OAuth tokens that hackers had stolen and used to access Facebook and Twitter and post messages on behalf of Buffer's users.

To stem the attack, all Buffer had to do was revoke the tokens. And all end-users had to do was to re-authenticate to Facebook and Twitter to create a new token. This is a specific use case, where the service provider is logging in on behalf of a user, but it shows the power of emerging alternatives that isolate passwords in the authentication equation.
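The containment step described above, modelled as an added example; it is not Buffer's, Facebook's or Twitter's code. The `Provider` class, the client names and the password are constructed for illustration, and the point is that revoking one client's tokens leaves the password and every other client's tokens untouched.

```python
import hashlib
import hmac
import secrets

def _kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()

class Provider:
    """Toy OAuth-style provider; a constructed model, not a real service's API."""

    def __init__(self):
        self._pw = {}      # user -> (salt, password hash); stays at the provider
        self._tokens = {}  # sha256(token) -> (user, client_id)

    def register(self, user, password):
        salt = secrets.token_bytes(16)
        self._pw[user] = (salt, _kdf(password, salt))

    def authorize(self, user, password, client_id):
        """The user logs in at the provider; the client only receives a token."""
        salt, stored = self._pw[user]
        if not hmac.compare_digest(stored, _kdf(password, salt)):
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(32)
        self._tokens[_digest(token)] = (user, client_id)
        return token

    def introspect(self, token):
        # (user, client_id) for a live token, otherwise None
        return self._tokens.get(_digest(token))

    def revoke_client(self, client_id):
        """Containment: invalidate every token issued to one breached client."""
        dead = [k for k, (_, c) in self._tokens.items() if c == client_id]
        for k in dead:
            del self._tokens[k]
        return len(dead)

def demo():
    idp, pw = Provider(), "constructed-sample-password"
    idp.register("alice", pw)
    stolen = idp.authorize("alice", pw, "scheduler-app")  # sits in the breached DB
    other = idp.authorize("alice", pw, "photo-app")       # unrelated client
    revoked = idp.revoke_client("scheduler-app")
    fresh = idp.authorize("alice", pw, "scheduler-app")   # same password, new token
    return revoked, idp.introspect(stolen), idp.introspect(other), idp.introspect(fresh)
```
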

OpenID Connect also is one of those alternatives. Service providers will move toward that standard in user authentication, single sign-on and federation (similar to logging into Yahoo using Google credentials).

OpenID Connect is built on the OAuth 2.0 framework, as are other standards that will add features such as provisioning, which is defined as easier enrollment for end-users, and as better management for IT and service providers.

The maturity of this infrastructure won't garner attention from end-users, but its by-product should: a hardened authentication mechanism and an easing of the password pain seen in 2013.

Of course, the key ingredient is to be safe out there. And that will take a change in attitude from end-users, a maturity unfortunately that can't be coded into any software, services or standards.

About

John Fontana is a journalist focusing on authentication, identity, privacy and security issues. Currently, he is the Identity Evangelist for strong authentication vendor Yubico, where he also blogs about industry issues and standards work, including the FIDO Alliance.

Talkback

1 comment
  • SQRL

    I'm hoping that SQRL will establish itself. It certainly looks like a very nice system, which does away with passwords completely.

    With OAuth and OpenID you still have that pesky problem of it being controlled by a password. It might hand out tokens, but if the OAuth system is hacked, then all your accounts are open to hackers, until all the services respond by revoking OAuth tokens. It is just shifting the point of failure further up the line, but the line still exists.
    wright_is