Archive for April, 2013

Want to replace passwords? Try…

Monday, April 29th, 2013

Every so often, I run across discussions about the end of passwords, and what will come next. It seems to be a popular topic on LinkedIn discussion forums of late.

So why is it, really, that we’re still using passwords? We all thought they’d go away years ago, right?

It turns out that every type of credential is some sort of compromise, so let me try to capture all in one place what’s nice and what’s not so nice about every approach (in general – I won’t pick on any products here):

Passwords:

Pros:
  • Well understood.
  • Work well on any device that supports text input (which is pretty much any device, right?).
  • Nothing physical to carry, that can be lost or stolen or just left at home.
  • Work both locally on the device (a key stored on the device is decrypted with the password) and on the network (web forms, Kerberos, etc.).
Cons:
  • Pick a simple password, get hacked.
  • Share your password, get abused.
  • Avoid changing your password, create a comfortable time window for someone to hack you.
  • Easily forgotten, especially if they are strong/hard to guess/changed often.
  • If some app or web site implements them badly (happens often enough!), your password gets compromised along with everyone else’s. If you use the same PW elsewhere, all your accounts are potentially compromised.
Other kinds of secrets:
  • PINs are just short, numeric passwords.
  • Security questions are the most common.
  • Also images that you remember, or randomly rearranged symbols where you click on your password, etc.
  • Same basic pros/cons as passwords.
  • Some methods lose the compatibility advantage, because the login form of an app has to be altered to work with them.
Biometrics:

Pros:
  • Measures something you are.
  • You can’t forget parts of yourself.
  • Often quite user friendly, and sometimes perceived as “cool.”
Cons:
  • Revocation is impossible.
  • Some technologies are not very secure. For example, fingerprint scanners can be fooled with gummy bears, and voice prints with audio playback.
  • Other technologies are just implemented poorly — it looks cool, but under the covers it just injects a password anyway.
  • Generally require a special sensor (fingerprint, retina, etc.) — so not compatible with all your devices.
  • If no special sensor required, then there are extra compatibility requirements: face-print verification? Good lighting. Voice print verification? Usually only on the telephone, and may not work if it’s really loud around you.
  • Often does not work when off-line, since the biometric database is on a server somewhere (that you can’t connect to from your airplane seat or car or …).
  • Typically 1% or 2% of users can’t use any given biometric. Amputee? No fingerprints for you! Blind? Retina scans may not work. Used to go diving a lot? Finger vein readers may not pick you up. Etc.
  • Most apps are not compatible, so you either have to modify your apps or front-end authentication and then inject passwords (and we’re back to passwords again, but with the illusion of extra security).
One-time password devices:
  • Most commonly “hard” tokens like RSA SecurID and Vasco. Sometimes “soft” tokens where the special hardware is replaced by software on your phone or PC – which is more convenient but less secure.
Pros:
  • Secure against password replay attacks. Does not assume channel security between the client and server.
  • Compatible – what you type is just a string, so looks a lot like a password, which makes integration with systems and applications relatively easy.
Cons:
  • Expensive per-user hardware (but at least no reader).
  • Some implementations have been spectacularly compromised (RSA token key material was hacked/exfiltrated, compromising 40,000,000 tokens world-wide!).
  • Nuisance for users to carry “one more thing” – which may be left at home, lost or stolen.
  • Only works while connected to the network (the authentication server is most definitely not on your PC), so useless for applications such as PC login, which should work when your laptop is somewhere without WiFi coverage.
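The replay resistance described above, as an added example that is not part of the original post: a server-side verifier for event-based one-time passwords (HOTP, RFC 4226) that accepts each counter value at most once, so a code captured on the wire fails when it is submitted a second time. The shared secret and the look-ahead window are assumed demo values.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


class HotpVerifier:
    """Server-side state for one token: the shared secret and the next unused counter."""

    def __init__(self, secret: bytes, look_ahead: int = 5) -> None:
        self.secret = secret
        self.next_counter = 0          # lowest counter the server will still accept
        self.look_ahead = look_ahead   # tolerate codes that were generated but never submitted

    def verify(self, submitted: str) -> bool:
        for c in range(self.next_counter, self.next_counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), submitted):
                # Advance past the accepted counter: this code, and any earlier one
                # that was captured on the wire, can never be accepted again.
                self.next_counter = c + 1
                return True
        return False


def replay_demo() -> tuple:
    """The token shows a code; it logs in once, and the same captured string fails on replay."""
    secret = b"12345678901234567890"   # RFC 4226 test-vector secret (constructed demo value)
    server = HotpVerifier(secret)
    shown = hotp(secret, 0)            # what the token displays; the user types this string
    first_login = server.verify(shown)
    replayed_login = server.verify(shown)
    return shown, first_login, replayed_login


if __name__ == "__main__":
    print(replay_demo())   # ('755224', True, False)
```

The same string-shaped code is what makes integration easy: the application sees a six-digit string, and only the verifier knows it is single-use.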
Smart cards:
  • Usually a card, but sometimes another physical shape, like a key fob, that carries PKI certificates and possibly other key material. Notably US federal PIV cards and US DoD CAC cards – other deployments are much smaller in scale.
Pros:
  • Can support both physical (e.g., door) and logical (e.g., PC login) access in a single device. Handy.
  • Works in off-line mode (you can sign into your PC while it’s away from any network using a smart card, something you cannot do with OTP and most biometrics).
Cons:
  • Hardware (the card) deployed to each user: costly.
  • Hardware (the reader) deployed to each user: even more costly.
  • Depends on a PKI infrastructure, which is also notoriously expensive and complex.
  • Not compatible with devices that do not have / cannot get a card reader.

Federation:
  • Sign into site A through a trust relationship with site B.
  • Many “standard” protocols such as SAML, WS-Federation and OAuth.
  • Technically, Kerberos looks a lot like federation.
Pros:
  • Convenient. Reduces login burden for users and administrative burden for IT organizations.
Cons:
  • Requires trust between domains. Want to sign into your local newspaper with your Facebook account? The newspaper has to trust Facebook to authenticate you.
  • Does not really make authentication (or passwords even) go away — it just externalizes it from one site to another. This is a good move, but not any kind of replacement / alternate authentication technology.
  • Too many standards – which ones to support?
  • Too many possibilities for who to trust – who do users want to use as an identity provider? Can we trust them?

Multi-factor:
  • Basically adding passwords or PINs to biometrics, OTP or smart cards.
  • More or less a given for two of those three, since theft of the device (OTP/smart card) is an easy compromise.
  • Since the “extra” factor is a password or PIN, you can assume we aren’t replacing passwords or PINs any time soon.