The era of password protection is ending. That was the resounding message from the latest Information Age webinar.
One of the decisive blows against password protection as a means of authenticating online transactions came in October 2005 when the US Federal Financial Institutions Examination Council (FFIEC) issued new guidelines for banks on online authentication. It warned financial institutions that passwords alone provide insufficient protection as the sole means of authentication.
The experts gathered for the webinar expanded on this point, highlighting both the dangers presented by reliance on passwords and the complex considerations that need to be weighed if business leaders are to ensure customers are protected from identity theft.
Ryan Kalember, technology director of Internet security company Verisign, described how easy it was to compromise passwords: As an experiment “we asked those entering a security event if they would give us a password in exchange for a chocolate bar. The vast majority did so.”
Tipping point
While the FFIEC conclusions have an immediate consequence for US banks, there are many other businesses that are also realising the need for strong online authentication.
“I believe that if we are not careful we could be heading for a crisis of confidence within Internet security,” said David Lacey, former chief security officer of Royal Mail and now an independent consultant and member of the Home Office Committee on ID Theft. “We could reach a tipping point where customers start to desert online businesses, and that would be a disaster.”
The threat of customers abandoning online channels is resonating within boardrooms across the globe, said Bori Toth, an authentication expert at business advisory group Deloitte & Touche. “It might not have been possible to build a business case for investing in an identity management system 12 to 18 months ago. But today it has been recognised that there is a serious and growing concern – and businesses need to take action.”
But in moving beyond password protection, what are the alternatives? Part of the problem, said Kalember, is that there have been too many proprietary solutions. “If the consumer is going to end up with 20 different ‘dongles’ [secure, tamperproof tokens that generate unique, one-time numbers used to complement passwords or PIN numbers] they’re going to get fed up,” he said.
Users will simply not put up with numerous authentication devices, agreed Lacey. “Ideally we would move to one solution that everyone uses, although in reality there will probably be two or three.”
However, as a matter of urgency, industry groups need to work on common authentication standards, he added.
In part, the UK government’s plans for identity cards will go some way towards educating the public about authentication technologies. But the cards themselves will do little to alleviate the problems of online authentication, unless smartcard readers become far more widespread.
Even when passwords, PINs and cards or tokens are used, the key advantage of biometric recognition is that it can bridge the gap between the ID record of an individual and the actual person, said Toth.
Technical analysis shows that even the most sophisticated biometric solutions can potentially be spoofed, warned Toth. “There are no absolutes in security. Even biometrics is not 100% foolproof. It is difficult to spoof iris patterns or fingerprints, but not impossible.”
The widespread use of biometrics will focus attention on methods of violating the technology. That is a natural consequence of trying to combat organised crime, said Lacey: “It’s a bit like squeezing a balloon: you apply pressure at one end, and the air pushes to the other end.”