fire
Security

Ban passwords, say advocates of alternative authentication

Passwords are a thing of the past and they need to go, according to a group of Silicon Valley-based tech companies who are part of a public advocacy campaign called Petition Against Passwords.

Passwords are the keys that enable access. At the same time, they're also the weak link that smashes the security chain, according to many experts, who for years have warned that passwords simply don't work as they used to, and that password protection alone isn't enough.

The problem with passwords is twofold, according to the advocacy group, which aims to influence large digital service providers to move toward "password-less" authentication and identity protection. On one hand, users either create easily remembered passwords that are entirely too weak or they are forced to pick passwords that are hard to remember, but quickly cracked by machines. The other side to that is a lack of password policy enforcement, and the gaps in basic data protection that can lead to breaches that expose millions of passwords. When breaches expose passwords, they often make their way online and wind up in wordlists that are used by password cracking software.

Last April, LivingSocial, a website dedicated to offering consumers daily deals on local products and services, was compromised and some 50 million users were urged to change their passwords. The concern was that many of the users that were exposed faced additional risk due to password recycling. The incident also highlighted the importance of properly protecting user data, especially passwords.

Alternatives gain support

"Because passwords must be stored on a central server, sites are tasked with protecting them from a persistent onslaught of attacks. Even the best protected servers eventually fall. The results can cost the company millions of dollars and drastically impact consumer trust," wrote Brennen Byrne, the CEO of Clef, an Identity Management and Protection firm that leverages smartphones as a means of authentication, which is part of the campaign. Other companies, including OneID, LaunchKey and Nok Nok Labs have also joined in support of the movement.

Byrne's words come from a manifesto of sorts, calling for Internet users to demand something different when it comes to authentication. Over the last few years, there has been a push to replace passwords, or at least augment them with additional layers of security. For example, Two-Factor Authentication is one such augmentation. It works, and it has seen wide adoption by businesses and consumers alike. However, there are others that wanting to move far beyond Two-Factor and similar advancements.

In May, Motorola's Regina Dugan made headlines when she suggested tattoos and pills as alternate means of authentication. A month before that, researchers at the University of California, Berkeley, released research on using brainwaves as a means of authentication.

To date identity companies LaunchKey, Nok Nok Labs, Clef, and leading consumer advocacy group TechFreedom have signed on to support the petition. The Petition Against Passwords initiative will go live on July 24, 2013.

Subscribe to the Security Watch Newsletter

Comments