Conversations At The Intersection Of IT Security And Society
Stina Ehrensvard | Joseph Carson
Sean Martin | Marco Ciappelli
It’s a password-less future. Or is it?
Passwords were supposed to be dead 15-20 years ago.
But, hey, here we are still talking about them.
To begin answering that question, let's start with why we use passwords and what is seriously wrong with them.
Once upon a time, security for computers was a physical key to access the machine in the room. Soon, however, we had to authenticate the user to access what was on the machine, not just the machine itself, so we started with passwords. This wasn’t much of an issue until computers got connected to the Internet and we needed to manage multiple accounts to access multiple things.
Today, depending on where in the world you live, you likely have somewhere between 20 and 90 accounts that require a password. At that scale, passwords become hard to remember, track and manage, and the habits users adopt to cope (reuse, predictable patterns) make it easy for attackers to get in. Guessing, or outright cracking, someone's password is not that hard.
Now that technology is available such that reasonable alternatives can be employed, the question remains — and warrants asking yet again: Is there still a role for passwords in the future?
Given that roughly 80% of breaches today involve compromised credentials, typically harvested through phishing or man-in-the-middle attacks, one has to hope for a future in which compromises of this kind no longer happen at that scale. So far, the only way to protect users from attackers capitalizing on stolen credentials has been to supplement the password with a second factor. Even that is not a complete answer: a one-time code typed into a web form can be phished and relayed just like the password it was meant to protect, so the kind of second factor matters as much as its presence.
This raises the next question: does the future of authentication take into account the growing complexity of devices, and the real-time, anywhere access that has become an intrinsic part of the digital ecosystem and of a data-driven society? Do passwords have a place at the table in that world?
It pretty much boils down to whether we keep augmenting passwords with additional technologies and processes or replace them altogether. The challenge with a full replacement is that passwords are cheap to implement, easy to use (just use the same one for everything, right?), and replaceable after a compromise, which biometrics such as fingerprints, retina scans and voiceprints are not: a leaked password can be reset, a leaked fingerprint cannot.
Ultimately, it will probably be a multi-factor authentication world. But not everything should be standardized on a single model; a number of factors need to be considered:
What is it that we are protecting?
What sorts of controls need to be present when the authentication takes place?
Is it a human or non-human interaction we are validating?
What environment are we protecting?
Of course, there are many more to consider; this is just a simple, illustrative list.
But if passwords do remain, what will their role be? Have we abused the password as a system by applying it everywhere without enough consideration of the negative consequences, even when it is paired with a second factor?
It is likely that static password solutions will become a real problem for the security of an ever-widening ecosystem, and will be left in the dust by an access control model in which cryptographic keys and dynamically generated, single-use credentials grant access to the things we care about, online and in the physical world.
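The difference between a static password and a dynamically generated credential is easier to see in code. The following is an added illustration, not code from the episode or from any of the guests' products. It simplifies in three labelled ways: a keyed MAC (HMAC) stands in for the public-key signature a real hardware authenticator would produce, the client code rather than the browser supplies the origin it is talking to, and the account, origin names and key are constructed for the demonstration. It shows that a captured password logs in again and again, while a challenge-response credential bound to a fresh nonce and to the origin is rejected both on replay and when relayed from a look-alike site.

```python
import hashlib
import hmac
import secrets


# ---- Model 1: the static password. The secret itself crosses the wire on every login.
class StaticPasswordServer:
    def __init__(self, password: str):
        # Constructed demo account. Salting and stretching protect the stored hash,
        # but do nothing for the password in transit or typed into a phishing form.
        self.salt = secrets.token_bytes(16)
        self.stored = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def login(self, password_sent: str) -> bool:
        candidate = hashlib.pbkdf2_hmac("sha256", password_sent.encode(), self.salt, 100_000)
        return hmac.compare_digest(candidate, self.stored)


# ---- Model 2: challenge-response with a device-held key (hypothetical, simplified).
# HMAC stands in for the public-key signature a real authenticator would produce; the
# property being shown is freshness plus origin binding, not the signature algorithm.
def authenticator_respond(device_key: bytes, origin_seen_by_client: str, challenge: bytes) -> bytes:
    # The response covers the origin the client is actually talking to, so a response
    # produced for a look-alike site cannot be relayed to the genuine one.
    return hmac.new(device_key, origin_seen_by_client.encode() + challenge, hashlib.sha256).digest()


class ChallengeResponseServer:
    def __init__(self, origin: str, device_key: bytes):
        self.origin = origin
        self.device_key = device_key          # a real server would hold only the public key
        self.outstanding: set[bytes] = set()  # challenges issued but not yet consumed

    def issue_challenge(self) -> bytes:
        challenge = secrets.token_bytes(32)   # fresh, unpredictable, single-use
        self.outstanding.add(challenge)
        return challenge

    def verify(self, challenge: bytes, response: bytes) -> bool:
        if challenge not in self.outstanding:
            return False                      # unknown or already consumed: replay rejected
        self.outstanding.discard(challenge)   # consume before checking so a failure cannot be retried
        expected = authenticator_respond(self.device_key, self.origin, challenge)
        return hmac.compare_digest(expected, response)


# ---- Scenarios. Each returns True when the outcome matches the claim in the text above.
def password_replays_forever() -> bool:
    srv = StaticPasswordServer("correct horse battery staple")
    captured = "correct horse battery staple"  # phished or sniffed once
    return srv.login(captured) and srv.login(captured)


def challenge_response_rejects_replay() -> bool:
    key = secrets.token_bytes(32)
    srv = ChallengeResponseServer("https://bank.example", key)
    challenge = srv.issue_challenge()
    response = authenticator_respond(key, "https://bank.example", challenge)
    first_login = srv.verify(challenge, response)
    replayed = srv.verify(challenge, response)   # same capture, sent again
    return first_login and not replayed


def challenge_response_defeats_phishing() -> bool:
    key = secrets.token_bytes(32)
    srv = ChallengeResponseServer("https://bank.example", key)
    challenge = srv.issue_challenge()            # phishing site relays the genuine challenge
    # The victim's client answers for the origin it sees, not the one the attacker wants.
    response = authenticator_respond(key, "https://bank-login.example", challenge)
    return not srv.verify(challenge, response)


if __name__ == "__main__":
    print("static password replays:", password_replays_forever())
    print("challenge-response rejects replay:", challenge_response_rejects_replay())
    print("challenge-response defeats phishing:", challenge_response_defeats_phishing())
```

The two properties that make the second model phishing-resistant are visible in `verify` and `authenticator_respond`: the server discards each challenge on first use, and the response is computed over the origin the client actually connected to. A second factor that is merely a code the user retypes has neither property, which is why it can be relayed in real time.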
From an individual and societal perspective, cars and seatbelts are a fitting metaphor for the psychology of this transition. Freedom and excitement with no rules, no boundaries and high risk gave way to an acceptance of responsibility, because the right technology, regulation and cultural change all lined up at the right time. Can the same alignment happen for access control, authentication and passwords?
The answer may sit squarely in how we, as a society, think about trust. Trust is at the core of human interaction and it scales with the situation, but it has to be there as a base to build on. It is not a given and should not be taken for granted, and it can be carried over to the online world and its validation systems if the model is designed to work with human nature rather than against our natural inclinations.
New regulations may be required, additional privacy standards may need to be applied, and some cultural change will certainly be necessary for those stars to align. The good news is that our unusual gathering guests on today's show all feel confident that the future of the Internet looks bright, safe, simpler and dynamic.