Monday, May 06, 2013

Bye bye passwords

The age of the password has come to an end; we just haven’t realized it yet. 

And no one has figured out what will take its place. 

What we can say for sure is this: 

Access to our data can no longer hinge on secrets—a string of characters, 10 strings of characters, the answers to 50 questions—that only we’re supposed to know. 

The Internet doesn’t do secrets. 

Everyone is a few clicks away from knowing everything.
Instead, our new system will need to hinge on who we are and what we do: where we go and when, what we have with us, how we act when we’re there. 

And each vital account will need to cue off many such pieces of information—not just two, and definitely not just one.
This last point is crucial. 

It’s what’s so brilliant about Google’s two-factor authentication, but the company simply hasn’t pushed the insight far enough. 

Two factors should be a bare minimum. 

Think about it: 

When you see a man on the street and think it might be your friend, you don’t ask for his ID. 

Instead, you look at a combination of signals. 

He has a new haircut, but does that look like his jacket? 

Does his voice sound the same? 

Is he in a place he’s likely to be? 

If many points don’t match, you wouldn’t believe his ID; even if the photo seemed right, you’d just assume it had been faked.
And that, in essence, will be the future of online identity verification. 

It may very well include passwords, much like the IDs in our example. 

But it will no longer be a password-based system, any more than our system of personal identification is based on photo IDs. 

The password will be just one token in a multifaceted process. Jeremy Grant of the Department of Commerce calls this an identity ecosystem.
What about biometrics? 

After watching lots of movies, many of us would like to think that a fingerprint reader or iris scanner could be what passwords used to be: a single-factor solution, an instant verification. 

But they both have two inherent problems. 

First, the infrastructure to support them doesn’t exist, a chicken-or-egg issue that almost always spells death for a new technology. 

Because fingerprint readers and iris scanners are expensive and buggy, no one uses them, and because no one uses them, they never become cheaper or better.
The second, bigger problem is also the Achilles’ heel of any one-factor system: 

A fingerprint or iris scan is a single piece of data, and single pieces of data will be stolen. 

Dirk Balfanz, a software engineer on Google’s security team, points out that passcodes and keys can be replaced, but biometrics are forever: 

“It’s hard for me to get a new finger if my print gets lifted off a glass,” he jokes. 

While iris scans look groovy in the movies, in the age of high-definition photography, using your face or your eye or even your fingerprint as a one-stop verification just means that anyone who can copy it can also get in.
Does that sound far-fetched? 

It’s not. 

Kevin Mitnick, the fabled social engineer who spent five years in prison for his hacking heroics, now runs his own security company, which gets paid to break into systems and then tell the owners how it was done. 

In one recent exploit, the client was using voice authentication. 

To get in, you had to recite a series of randomly generated numbers, and both the sequence and the speaker’s voice had to match. 

Mitnick called his client and recorded their conversation, tricking him into using the numbers zero through nine in conversation. 

He then split up the audio, played the numbers back in the right sequence, and—presto.
None of this is to say that biometrics won’t play a crucial role in future security systems. 

Devices might require a biometric confirmation just to use them. 

(Android phones can already pull this off, and given Apple’s recent purchase of mobile-biometrics firm AuthenTec, it seems a safe bet that this is coming to iOS as well.) 

Those devices will then help to identify you: 

Your computer or a remote website you’re trying to access will confirm a particular device. 

Already, then, you’ve verified something you are and something you have. 

But if you’re logging in to your bank account from an entirely unlikely place—say, Lagos, Nigeria—then you may have to go through a few more steps. 

Maybe you’ll have to speak a phrase into the microphone and match your voiceprint. 

Maybe your phone’s camera snaps a picture of your face and sends it to three friends, one of whom has to confirm your identity before you can proceed.
In many ways, our data providers will learn to think somewhat like credit card companies do today: monitoring patterns to flag anomalies, then shutting down activity if it seems like fraud. 

“A lot of what you’ll see is that sort of risk analytics,” Grant says. 

“Providers will be able to see where you’re logging in from, what kind of operating system you’re using.”
Google is already pushing in this direction, going beyond two-factor to examine each login and see how it relates to the previous one in terms of location, device, and other signals the company won’t disclose. 

If it sees something aberrant, it will force a user to answer questions about the account. 

“If you can’t pass those questions,” Smetters says, “we’ll send you a notification and tell you to change your password—because you’ve been owned.”
The other thing that’s clear about our future password system is which trade-off—convenience or privacy—we’ll need to make. 

It’s true that a multifactor system will involve some minor sacrifices in convenience as we jump through various hoops to access our accounts. 

But it will involve far more significant sacrifices in privacy. 

The security system will need to draw upon your location and habits, perhaps even your patterns of speech or your very DNA.
We need to make that trade-off, and eventually we will. 

The only way forward is real identity verification: to allow our movements and metrics to be tracked in all sorts of ways and to have those movements and metrics tied to our actual identity. 

We are not going to retreat from the cloud—to bring our photos and email back onto our hard drives. 

We live there now. 

So we need a system that makes use of what the cloud already knows: who we are and who we talk to, where we go and what we do there, what we own and what we look like, what we say and how we sound, and maybe even what we think.
That shift will involve significant investment and inconvenience, and it will likely make privacy advocates deeply wary. 

It sounds creepy. 

But the alternative is chaos and theft and yet more pleas from “friends” in London who have just been mugged. 

Times have changed. 

We’ve entrusted everything we have to a fundamentally broken system. 

The first step is to acknowledge that fact. 

The second is to fix it.
Mat Honan 

No comments: