How much longer will the password last? Entering a username along with a password has been a trusted authentication method for decades, but this classic combo's primacy could be nearing an end, as attackers have become more adept at wearing down password security and vendors are now exploring multi-factor and/or biometric alternatives.
The technology press has anointed wearable devices as the next big thing after smartphones and tablets, and while many observers may be familiar only with products such as Google Glass and the Pebble smartwatch, perhaps even more pivotal gadgets are emerging in the security space. Sensors that can analyze fingerprints and recognize voice timbre, along with hardware that serves as an extra token, could revolutionize how users authenticate to everything.
In one respect, such a change couldn't come too soon, especially in light of the lax attitude that many individuals and organizations take toward password security. Easily guessed codes such as "password" and "123456" run rampant, but they do so in large part because users have to keep up with so many different services. Rather than take the suggested route of creating unique credentials for each site, many people settle for reusing one weak password everywhere they go.
Certainly, there are already viable ways out of this conundrum. Software such as 1Password dramatically simplifies password management across different services and endpoints, and even Apple has gotten into the game with iCloud Keychain. But these tools seem to have reached only particular niches such as tech-savvy early adopters, and of course they don't solve the problem at the other end of the spectrum, where service providers often suffer security breaches that result in millions of credentials being published to the Web.
This year's Consumer Electronics Show produced a new twist on alternative authentication, with mechanisms embedded in hardware rather than software. Can such an approach build on the success of the iPhone 5s's fingerprint sensor and further consumerize two-factor authentication, finally putting the password out to pasture?
Biometrics, wearable technology could spur more users to move past passwords
It would take something powerful yet intuitive to shake current prevailing password habits. Analysis of passwords leaked from breaches at Adobe and elsewhere found that obvious ones such as "password" were still popular, indicating that many users have not set up complex credentials that mix different types of characters and avoid common words and phrases.
Moreover, the very services that users are logging in to may be enabling this behavior. Many of them don't automatically lock someone out after more than 10 failed attempts, don't require special characters and still transmit recovered passwords in plaintext.
To address this multifaceted problem, some vendors have placed their bets on wearable devices. Items such as the Nymi wristband monitor the wearer's heartbeat, creating a unique biometric authentication token free of the traditional vulnerabilities – guessability, theft – associated with text credentials. Promisingly, such a device builds upon technology that has already fared well in the consumer space, most notably the iPhone 5s with its biometric sensor, plus fitness and health trackers such as the Jawbone Up.
Some solutions are a little more far-out, such as a headband that can analyze brain waves, but the underlying logic is still the same. The security industry could get a windfall from reimagining and hardening consumer technology for the enterprise, and the implications could extend far beyond just passwords.
"Imagine doing away with wallets, house keys, passwords, and toll-booth devices," wrote Forrester Research's J.P. Gownder in a blog post. "If Wearables 1.0 was about creating technologies, Wearables 2.0 is all about crafting rich business models."
Prominent companies are targeting this space. The Fast ID Online Alliance, which intends to rethink authentication for laptops and client devices, was started by PayPal, Lenovo and others, and was recently joined by Google and Microsoft. Apple's foray into fingerprint recognition is well known, but it's possible that it and other phone makers could eventually explore iris scanning, a biometric authentication technique already used at the Amsterdam Airport to allow passengers to cross national borders without producing a passport.
But what if passwords aren't really dead?
The wearable and biometrics trends appear strong, but this isn't the first time that the technology community has proclaimed the death of the password. For example, Microsoft's Bill Gates predicted the password's imminent demise in 2006, and that prognostication hasn't exactly panned out.
The key to the password's persistence may be its cost-effectiveness. Unlike wearable technology or sensors embedded into smartphones, a password doesn't require any dedicated hardware. It's also more user friendly – perhaps too much so, given the minimal effort that many individuals devote to authentication.
Perhaps the problem isn't that the password is fatally flawed, but that it's mismanaged. The aforementioned software tools such as 1Password are powerful utilities that relatively few people actually use, yet they use complex, computer-generated and updated passwords to produce much better results than almost anyone could get working on his/her own.
Password management software solves the issue of password amnesia. Users don't have to write passwords down on paper or share them over other unsecured channels. For most solutions, passwords are automatically created and a master PIN grants access to the management console.
That's not to say they're a silver bullet solution. Without assistance from access management tools, a password management system can still leave an organization vulnerable to credential theft via phishing. It may make sense for companies to look into zero-knowledge solutions, in which something such as single sign-on takes the user out of the position of even knowing a password to supply to a phisher.
Two-factor authentication could make this debate less of an either/or – passwords can stick around, but be strengthened by working in concert with tokens such as biometric data. The rise of wearable devices is certainly a major trend, but it's important for the security community to step back and see how it affects authentication, and if possible take a gradual approach that ensures maximum user safety and comfort. To this end, using solutions such as Trend Micro DirectPass streamlines password management and promotes better authentication security, even as individuals and organizations have to deal with an increasingly large number of applications.