Passwordless Future

Passwordless? Imagining the Future of Authentication by Gerald BeucheltGerald Beuchelt (The Security Ledger)

Employing Multifactor Authentication severely decreases the risk that a company will be successfully hacked, as it considers a multitude of factors (such as location, facial ID, IP address) versus only one (such as a password) prior to granting access to an application.

However, transparency as to where authentication data is stored for multifactor authentication is also necessary. This is particularly and especially true with biometric factors (such as facial recognition or Touch ID). For example, consider facial recognition technology being used at security gates in airports. You scan your face or fingerprint, but where are they storing this data that they’re comparing to, and is it in one centralized location? If so, not only is that data outside of the individual’s control, but it could be at risk if the airport does not protect it correctly. This highlights the need to respect and protect a user’s digital identity through decentralization capabilities.

Businesses looking to integrate biometrics, whether as a replacement to passwords or to complement them, should consider solutions where the biometric data is stored on the user’s device as opposed to a centralized repository. This respects the user’s privacy while providing one of the highest levels of protection.

Gerald Beuchelt, the Chief Information Security Officer at LogMeIn, talks about how changes in authentication may deliver a passwordless future.
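As an added illustration of the on-device model the excerpt argues for (example code written here, not from the article or from LogMeIn): the enrolled biometric template lives only inside the Device object, a local match decides whether the device key may be used at all, and the server receives nothing but a keyed response to a fresh nonce. The template, the 40-bit match threshold and the sample readings are constructed values. Using a symmetric per-device key is an assumption made so the example runs on the Python standard library alone; a production design would register a public key instead, so that the server holds no usable secret.

```python
"""On-device biometric gate in front of a challenge-response login.

Added example: the server never sees, stores or compares biometric data.
"""
import hashlib
import hmac
import secrets

# Constructed values for the example: a 256-bit template, a noisy re-reading
# of the same person (3 bits differ) and an impostor reading (every bit differs).
ENROLLED_TEMPLATE = bytes(range(32))
NOISY_SAMPLE = bytes(b ^ 0x01 for b in ENROLLED_TEMPLATE[:3]) + ENROLLED_TEMPLATE[3:]
IMPOSTOR_SAMPLE = bytes(255 - b for b in ENROLLED_TEMPLATE)
MATCH_THRESHOLD_BITS = 40  # constructed: most differing bits still accepted as a match


def hamming(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length templates."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


class Device:
    """Holds the biometric template and the device key locally.

    Nothing in this class is ever serialised toward the server.
    """

    def __init__(self, template: bytes, device_key: bytes):
        self._template = template
        self._key = device_key

    def respond(self, live_sample: bytes, challenge: bytes):
        # The local biometric match gates use of the key; a failed match
        # produces no response at all rather than a wrong one.
        if hamming(live_sample, self._template) > MATCH_THRESHOLD_BITS:
            return None
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class Server:
    """Stores only device keys and outstanding challenges, never biometrics."""

    def __init__(self):
        self.registered = {}  # user_id -> device key (assumed symmetric, see lead-in)
        self.challenges = {}  # user_id -> nonce awaiting a response

    def register(self, user_id: str, device_key: bytes) -> None:
        self.registered[user_id] = device_key

    def challenge(self, user_id: str) -> bytes:
        nonce = secrets.token_bytes(32)
        self.challenges[user_id] = nonce
        return nonce

    def verify(self, user_id: str, response) -> bool:
        # pop() consumes the nonce, so a captured response cannot be replayed.
        nonce = self.challenges.pop(user_id, None)
        key = self.registered.get(user_id)
        if nonce is None or key is None or response is None:
            return False
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def enrol(server: Server, user_id: str, template: bytes) -> Device:
    """Enrolment happens on the device: the template stays there and only a
    freshly generated device key is registered with the server."""
    device_key = secrets.token_bytes(32)
    server.register(user_id, device_key)
    return Device(template, device_key)


def login(server: Server, device: Device, user_id: str, live_sample: bytes) -> bool:
    """One authentication round: nonce out, keyed response back, verdict."""
    nonce = server.challenge(user_id)
    return server.verify(user_id, device.respond(live_sample, nonce))


if __name__ == "__main__":
    srv = Server()
    dev = enrol(srv, "alice", ENROLLED_TEMPLATE)
    print("genuine user:", login(srv, dev, "alice", NOISY_SAMPLE))
    print("impostor:", login(srv, dev, "alice", IMPOSTOR_SAMPLE))
    print("server holds template:", ENROLLED_TEMPLATE in srv.registered.values())
```

The server-side check that matters for the excerpt's point is the last line of the script: whatever the server database leaks, it contains no template to reconstruct or reuse.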

Additionally, eliminate frequent password change requirements, require a password change only when there has been a known or suspected compromise of account credentials, and scan new and existing passwords against known lists of compromised account credentials.

NIST password guidelines

NIST Special Publication 800-63B by NIST (nvlpubs.nist.gov)

Users should be encouraged to make their passwords as lengthy as they want, within reason. Since the size of a hashed password is independent of its length, there is no reason not to permit the use of lengthy passwords (or pass phrases) if the user wishes. Extremely long passwords (perhaps megabytes in length) could conceivably require excessive processing time to hash, so it is reasonable to have some limit.

The new NIST guidance on passwords recommends that:

  • passwords never expire
  • no character complexity or variety rules be required
  • the maximum length for passwords be set to 64 characters
  • the minimum length for passwords be set to 8 characters
  • passwords be checked against known bad passwords, banned lists, etc.
  • no hints or knowledge-based questions be offered to someone trying to log in (like “Who was your best friend in high school?”)
  • passwords be changed only when forgotten

I would add two-factor authentication to that. Where possible, my online account passwords are sixteen characters or longer. I change them after notification of a data breach or, in some cases, once a year. Where feasible, I have enabled two-factor or two-step authentication for my accounts. Even on my iMac at home, I have a 24-character password. I use a different password for each online account. I use a password vault application such as 1Password or LastPass to track my passwords. I protect the password vault with a sixteen-character password that I don't use anywhere else.
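To make the NIST list above and the compromised-credential screening concrete, here is an added Python example (written here, not taken from the page or from NIST's publication) that implements the verifier-side rules: an 8-to-64 character length window, no composition rules, and a check against a breached-password corpus. The corpus is constructed for the example, and the prefix lookup in breached_by_prefix imitates the k-anonymity style range query that public breach-lookup services use, so the full hash never has to leave the client. The NFKC normalisation step is an assumption taken from SP 800-63B itself rather than from the page.

```python
"""Memorized-secret verifier rules in the style of NIST SP 800-63B (added example)."""
import hashlib
import unicodedata

# Constructed breached-password corpus. Public breach corpora are usually
# distributed as SHA-1 hex digests, so that is the form kept here.
_BREACHED_PLAINTEXTS = {"password", "123456", "qwerty", "letmein", "Summer2019!"}
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper() for p in _BREACHED_PLAINTEXTS
}

MIN_LEN = 8   # minimum from the list above
MAX_LEN = 64  # maximum from the list above


def breached_by_prefix(password: str, corpus=BREACHED_SHA1) -> bool:
    """k-anonymity style lookup: only the first five hex characters of the
    hash would be sent to a lookup service; the suffix comparison is local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    # What a range query would return: every suffix in the corpus under this prefix.
    candidates = {h[5:] for h in corpus if h.startswith(prefix)}
    return suffix in candidates


def check_password(candidate: str, corpus=BREACHED_SHA1):
    """Return (accepted, reasons).

    Only length and breach screening are applied; there is deliberately no
    'must contain a digit / symbol' rule, matching the guidance summarised above.
    """
    reasons = []
    # Assumption from SP 800-63B: normalise so the same passphrase typed on
    # different keyboards or platforms compares equal.
    pw = unicodedata.normalize("NFKC", candidate)
    length = len(pw)  # code points, not bytes, so non-ASCII passphrases are not penalised
    if length < MIN_LEN:
        reasons.append(f"shorter than {MIN_LEN} characters")
    if length > MAX_LEN:
        reasons.append(f"longer than {MAX_LEN} characters")
    if breached_by_prefix(pw, corpus):
        reasons.append("appears in a known-compromised password list")
    return (not reasons, reasons)


if __name__ == "__main__":
    for sample in ("correct horse battery staple", "Summer2019!", "short", "a" * 65):
        accepted, why = check_password(sample)
        print(f"{sample[:20]!r:24} accepted={accepted} {why}")
```

The same check_password call serves both halves of the recommendation: run it when a password is set, and again at login (the only moment an existing password is available in the clear) so that passwords which appear in a breach after they were chosen are caught as well.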