Are passwords dead yet?

Last updated: 19 March 2014

Picture it: 2004, RSA Conference. Bill Gates proclaims that passwords are dead, explaining “People use the same password on different systems, they write them down and they just don’t meet the challenge for anything you really want to secure.”

Flash forward to 2011: despite frequent reports of email hacks and enterprise data breaches, the username and password method for authentication is still one of the primary security measures used today. What is wrong with this picture?

Think about how your online life was the first time you connected to the Internet, and compare it to now. Very likely it is a lot less about reading news and chatting on AOL, and a lot more about storing private or work-related information, banking, and filing taxes. In a recent study, The NPD Group found that three quarters of U.S. consumers had used a cloud computing service, where you rely on a provider to actively store information on the Internet, in the past 12 months.

In other words, our online lives are a lot less anonymous and a lot more personal.

The costs of your data being breached – personal, financial or corporate – are high. A recent study conducted by the Ponemon Institute found that data breaches cost, on average, $214 per compromised record in 2010, up significantly from $204 per compromised record in 2009. On a personal level, even losing 100 dollars from a checking account to a fraudster can leave you feeling violated and vulnerable.

How can we prove that we are who we say we are when accessing online services? How do we create secure online identities?

When authenticating ourselves to cloud-based applications, banking and government sites, a good first step to adding a layer of security is one-time password (OTP) authentication. You may have a physical token or a mobile application for this solution, which generates a different password that you must enter for every login. OTPs provide a higher level of identity assurance than a simple password: a code that was captured today is useless tomorrow. It makes your online identity stronger, which is why this is often called strong authentication.

An even stronger way to authenticate your identity online is through a solution that combines multi-factor authentication with smart card technology. With this method, you need both a password and a physical token, such as a smart card or an encrypted USB token, before you can be logged in. Your physical device holds your unique identity credentials and presents them to the service provider, giving it a high level of assurance that you are who you claim to be. Even if your password is stolen, a criminal cannot access your online services without your physical token.

In the future, our best bet is using a combination of the physical device, something the user knows, and “something we are.” This would add a biometric, like a fingerprint, to the mix. This type of multi-factor authentication approach will provide the strongest verification that we are who we say we are.

There are many ways to move toward stronger online identities. We must move forward and promote strong authentication until we can finally pronounce the beloved password a security technology of the past. Then, we can all move on with more confidence in our online existence.

If you got this far, then you might be interested in contributing a question to our CIO survey. What would you like to ask Heads of IT about security and authentication? When will they phase out static passwords, perhaps? If you have a suggestion, let us know here.
