Why may Bob be wrong
27 Feb 2006
Bob Blakeley, one of my favorite bloggers, recently blogged about the evil nature of passwords:
Static passwords are an unacceptable hazard, good alternatives exist, we should get rid of static passwords in favor of those alternatives, and we should do it fast.
He also issued a call for action:
I believe that this community should commit itself to achieving the goal, before this decade is out, of providing every computer user with a strong authentication device and the infrastructure required for its universal acceptance.
While I can understand Bob's motives, I'm afraid that he is too optimistic and maybe even partially wrong. I think we just can't get rid of passwords. Not in the near future. The reason is quite simple, but the explanation is quite long. Here it goes:
(for all of you impatient readers, you may skip directly to the point)
It is common knowledge that we have three types of authentication:
- Something you know: passwords, PINs, ...
- Something you have: tokens, mobile phones, ...
- Something you are: biometrics
Another (but not-so-common) piece of knowledge is that just one type of authentication is not enough. Why?
- Something you know: can usually be easily compromised. See all of Bob Blakeley's arguments.
- Something you have: can be stolen. Even if we accept Bob's requirement that the theft has to be quickly noticed, "quickly" may easily be several hours. Consider that you are asleep in a hotel and that one of the hotel employees steals your device. You will detect that in the morning at the earliest. And that may be too late.
- Something you are: There is nothing about you that one device can read and another cannot. You leave your fingerprints all around you, and it takes just a few gummi bears to exploit that. A little more effort is needed for the iris, and you even leave lots of your DNA around. It seems that once you get an inexpensive biometric reader device, there are only a few steps that lead to an inexpensive method to fool that device.
So-called "two-factor" authentication can address the vulnerability of a single authentication mechanism. You just have to use two types of authentication to lower the risk of breaking one of them. For example, combine tokens and PINs, or biometrics and passwords. Now, you have three different combinations of two-factor authentication mechanisms, and only one does not involve passwords: tokens + biometrics. And how would we implement that? Putting a fingerprint reader in your notebook does not help much. As Bob correctly said: the workstation is not secure. And even if it was, fingerprint authentication is not. And I can't really imagine a portable token with a DNA analyzer being affordable anytime soon. And I don't even dare to think about consumer acceptance.
Well, what do we have left? Tokens + passwords and biometrics + passwords. I will not ponder the feasibility of these in detail. All we need to know is that they both involve passwords. Whether they come in the form of a PIN, a passphrase or a whistled-morse-code signal, these are still passwords.
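To make the tokens + passwords combination concrete, here is an added example (not code from the original post) of a server-side check in which a password (something you know) and a one-time code from a token (something you have) must both be correct before a login is accepted. The token code is computed with HOTP as specified in RFC 4226, so the check can be verified against that RFC's published test vectors; the token secret, the PBKDF2 work factor and the look-ahead window are constructed values chosen for this example, and in real use the secret would be generated at enrollment and kept inside the token.

```python
"""Two-factor check: password (something you know) + HOTP token code
(something you have).  Neither factor alone authenticates.  Added example,
not from the original post."""
import hashlib
import hmac
import secrets
import struct

PBKDF2_ROUNDS = 100_000   # hypothetical work factor chosen for this example
LOOKAHEAD = 3             # accept the next 3 counter values so a skipped button
                          # press on the token does not lock the user out


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduce modulo 10**digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so a stolen record does not reveal the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def enroll(password: str, token_secret: bytes) -> dict:
    """Create the server-side record: salted password hash plus the token's
    shared secret and event counter.  A real system would generate the token
    secret here (e.g. secrets.token_bytes(20)); it is a parameter only so the
    example is reproducible against the RFC 4226 test vector."""
    salt = secrets.token_bytes(16)
    return {
        "salt": salt,
        "pw_hash": _hash_password(password, salt),
        "token_secret": token_secret,
        "counter": 0,
    }


def verify_two_factor(record: dict, password: str, code: str) -> bool:
    """Return True only if the password AND a fresh token code are both right.
    Both factors are always evaluated, and the counter is advanced only on full
    success, so a code captured once cannot be replayed later."""
    password_ok = hmac.compare_digest(
        record["pw_hash"], _hash_password(password, record["salt"])
    )

    matched = None
    for c in range(record["counter"], record["counter"] + LOOKAHEAD):
        if hmac.compare_digest(hotp(record["token_secret"], c).encode(), code.encode()):
            matched = c
            break

    if not (password_ok and matched is not None):
        return False                  # one factor alone is not enough; leave the counter untouched
    record["counter"] = matched + 1   # consume the code (and any skipped ones before it)
    return True


if __name__ == "__main__":
    # Constructed demo: the secret is the RFC 4226 test-vector secret.
    rec = enroll("correct horse", b"12345678901234567890")
    print("stolen token, wrong password:", verify_two_factor(rec, "guess", hotp(rec["token_secret"], 0)))
    print("right password, no token:    ", verify_two_factor(rec, "correct horse", "000000"))
    print("both factors:                ", verify_two_factor(rec, "correct horse", hotp(rec["token_secret"], 0)))
    print("replay of the same code:     ", verify_two_factor(rec, "correct horse", hotp(rec["token_secret"], 0)))
```

The point the code makes is the one in the text: an attacker holding the stolen token still needs the password, and an attacker who phished the password still needs a live code from the token. The look-ahead window and the counter advance are the two details that usually go wrong in home-grown implementations; without the advance, a code observed once works forever.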
(There is another issue with using tokens for authentication, and that is the number of tokens needed in day-to-day business. Just recall how many keys are on your keyring. Why do you think that you will not have that many tokens? But more about this later. Maybe.)
One way or another, we cannot get rid of passwords anytime soon. But the one thing that we can change is the way we use and manage them. First of all, we need to get rid of one-factor password-only authentication for all important transactions. We should use two-factor authentication instead. And make sure that we enter our passwords into secure devices, not into our workstations. We should have the secure device do the "strong" authentication, not your notebook.
We have to set realistic goals. We cannot get rid of passwords, but we can change the way that we use them. This should be the goal of the decade.