Passwordless Future

Passwordless? Imagining the Future of Authentication by Gerald BeucheltGerald Beuchelt (The Security Ledger)

Employing Multifactor Authentication severely decreases the risk that a company will be successfully hacked, as it considers a multitude of factors (such as location, facial ID, IP address) verses only one (such as a password) prior to granting access to an application.

However, transparency as to where authentication data is stored for multifactor authentication is also necessary. This is particularly and especially true with biometric factors (such as facial recognition or touch ID). For example, consider facial recognition technology being used at security gates in airports. You scan your face or fingerprint, but where are they storing this data that they’re comparing to and is it in one centralized location? If so, not only is that data outside of the individual’s control, but it could be at risk if the airport does not protect it correctly. This highlights the need to respect and protect a user’s digital identity through decentralization capabilities.

Businesses looking to integrate biometrics, whether as a replacement to passwords or to complement them, should consider solutions where the biometric data is stored on the user’s device as opposed to a centralized repository. This respects the user’s privacy while providing one of the highest levels of protection.

Gerald Beuchelt, the Chief Information Security Officer at LogMeIn talks about how changes in authentication may deliver a passwordless future.

Continue Reading

NIST password guidlines

NIST Special Publication 800-63B by NIST

Users should be encouraged to make their passwords as lengthy as they want, within reason. Since the size of a hashed password is independent of its length, there is no reason not to permit the use of lengthy passwords (or pass phrases) if the user wishes. Extremely long passwords (perhaps megabytes in length) could conceivably require excessive processing time to hash, so it is reasonable to have some limit.

The new NIST guidance on passwords recommend that: passwords never expire no required character complexity or variety rules be implemented the maximum length for passwords be set to 64 characters the minimum length for passwords be set to 8 characters passwords are checked against known bad passwords, banned lists, etc. no hints or knowledge-based questions…

Continue Reading