The industry has reached a point where we need to confront a legacy of 50 years of computing – the username/password problem. We’ve lived with this problem until now because it is the lowest common denominator: everyone understands how it works. However, it has not scaled to meet the growing demands of modern computing.
As users, we interact with a large number of sites to pay bills, shop, or store our music and photos. All of these sites have different password requirements – multiple character classes, secret words, additional dates to remember – so it’s no wonder that many of us have given up, re-using passwords across multiple sites or defaulting to simple phrases. In addition, our primary tool is increasingly the mobile device, which offers an even worse user experience for entering complex passwords.
Password re-use has therefore become a major business issue. If I use the same credential across multiple sites, then no matter how much money and how many resources a company invests in its own information security, that security is only as good as the weakest of the other sites that share the password.
This problem has been exacerbated by the huge number of large password databases that have been hacked over the last 18 months – we’ve seen Yahoo, LinkedIn, Evernote and many others suffer at the hands of hackers, and academic research has shown that more than 76% of the passwords across these large databases are the same. The hackers know this and can exploit these common passwords, resulting in data breaches for businesses and the potential for identity fraud for consumers.
When speaking with various relying parties, I have heard quite a bit of anecdotal feedback about the situation. Current authentication systems assume that the mobile device can be used as a second factor (as we see with Twitter, Dropbox and others); however, this does not reflect the use cases seen by backend systems. The consumer wants to use the mobile device as the primary device, so we need native capabilities on the device to make this simple. Increasingly this looks to be biometrics, i.e. voice and facial recognition and, with the next generation of smartphones, probably fingerprint sensors.