Two announcements last week signalled that the need to remember a password as an authentication mechanism may be reaching end of life.
Yahoo announced an on-demand password (ODP) solution, while Microsoft provided some marketing fluff about Windows Hello, the company’s biometric authentication capability, hailed for release in Windows 10.
Yahoo has built ODP as a solution to replace passwords, where users are sent an SMS text message containing a one-time password for each login session.
Windows Hello is a biometric authentication service that uses facial recognition, iris scanning or fingerprint scanning to unlock the hardware, and can also unlock online applications or services by mapping the identity (verified by Hello) to the previously recorded password for that service, verified by a PIN.
The race to be the first company to eradicate the password has been long and hard fought.
Passwords have been with computer systems since the beginning, and have been the primary focus of hacking for just as long.
Both announcements sound enticing, giving us some element of convenience in the login that remains as secure, or betters the security afforded by the password. However, what are the risks?
Let’s start by looking at Yahoo’s positioning of ODP which claims to be “like two-factor authentication, minus the first factor.”
As a seasoned security guy, I find this one of the most ridiculous statements I’ve ever seen. They give us a secure second factor then take away the first. Two minus one leaves one, so it’s still a single factor of authentication, with its own inherent set of weaknesses.
From an enterprise standpoint, the SMS message and one-time password has been around for some time.
Banks have been using them for many years, while social networking sites, such as Facebook and LinkedIn, have their own defenses: Facebook has its code generator and LinkedIn sends an SMS as part of the authorisation process for new browsers accessing your account. These are good additional security measures and really add value to the system.
So, there are sound security precedents at the heart of Yahoo’s ODP system and the security community is relatively happy with this process as a standalone control. However, like any control, it must be looked at in context of the rest of the system around it.
Security cannot be assessed in the context of a single mechanism; instead you need to understand the whole system, where the weaknesses might be, and mitigate the risks holistically. This is as true for personal computing as it is for enterprise computing.
Yahoo has certainly introduced something that stops brute force attacks against users’ weak passwords, something that has plagued many a system administrator. It also prevents users from reusing the same password on Yahoo that they have on Amazon or any other site, but what about the rest of the system?
For starters, users need to actually own a phone. Let’s make that an assumption. There are a variety of threats to consider.
How confident are you that your hardware is not compromised? Could there be malware lurking on the phone that could compromise your access or ability to receive text messages? Could the SMS be intercepted? What happens if you lose your phone? Do you have a pass lock set up? What if your phone gets cloned?
If another user can access your phone, Yahoo’s security system is worthless; in fact, it makes life easier for the hacker.
The attack surface has changed, but the overall risk of being hacked may be the same or even higher. Now you don’t need to remember a password, because Yahoo sends it right to you, making the assumption that you are the only one that has access to your phone.
There is a lot to think about, but as an end user, Yahoo has craftily shifted blame for any attack to you. So your device security and your ability to control that device become paramount.
Microsoft’s Hello sounds like it’s well considered. The devil will always be in the detail, but on the surface of what I’ve seen so far, it does sound like it’s been designed well.
The sensors all rely on infrared to detect the presence of a real human as well as the multi-point feature check. But who’s to say a well-crafted physical attack won’t be able to supply a picture and heat signature that matches?
There are plenty of resources online that show you how to create fake fingerprints that can fool modern scanners, so these aspects of the security system become the foci of research and will inevitably have their weaknesses.
Including the PIN in the solution is a good move, but then we are simply introducing something that government and military systems have implemented for a long time: two-factor authentication, using something you know (PIN), something you have and something you are (one of the biometrics). The something you have, in the case of Yahoo, is your phone, but Yahoo has not considered the need for either of the others.
If Yahoo had a PIN system tied to the SMS password, this would be much better and would mitigate the issues tied to your phone being attacked.
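To make the difference concrete, here is an added example (not Yahoo’s code, and not based on any published detail of ODP) that models an SMS-style one-time password service with and without a PIN tied to it. The `AuthServer` class, the `sms_outbox` stand-in for the carrier network and the `stolen_phone_scenario` helper are all constructed for illustration: an attacker who holds the phone can read the code but does not know the PIN.

```python
import hashlib, hmac, secrets

OTP_TTL_SECONDS = 300      # one-time password expires after 5 minutes
MAX_ATTEMPTS = 5           # lock the challenge after repeated wrong guesses

def _h(value: str, salt: str) -> str:
    # Salted SHA-256 for brevity; a real deployment would use a password KDF for the PIN
    return hashlib.sha256((salt + value).encode()).hexdigest()

class AuthServer:
    """Issues SMS-style one-time passwords; optionally also requires a PIN (constructed model)."""
    def __init__(self, require_pin: bool):
        self.require_pin = require_pin
        self.users = {}        # username -> {"salt", "pin_hash"}
        self.challenges = {}   # username -> {"otp_hash", "expires", "attempts"}
        self.sms_outbox = []   # constructed stand-in for the carrier network

    def enroll(self, user: str, pin: str) -> None:
        salt = secrets.token_hex(8)
        self.users[user] = {"salt": salt, "pin_hash": _h(pin, salt)}

    def request_login(self, user: str, now: float) -> None:
        otp = f"{secrets.randbelow(10**6):06d}"      # fresh 6-digit code per session
        self.challenges[user] = {"otp_hash": _h(otp, self.users[user]["salt"]),
                                 "expires": now + OTP_TTL_SECONDS, "attempts": 0}
        self.sms_outbox.append((user, otp))           # "delivered" to whoever holds the phone

    def verify(self, user: str, otp: str, pin: str, now: float) -> bool:
        ch = self.challenges.get(user)
        # Reject when no challenge is outstanding, it has expired, or it has been guessed at too often
        if ch is None or now > ch["expires"] or ch["attempts"] >= MAX_ATTEMPTS:
            return False
        ch["attempts"] += 1
        salt = self.users[user]["salt"]
        ok = hmac.compare_digest(ch["otp_hash"], _h(otp, salt))   # constant-time compare
        if self.require_pin:
            ok = ok and hmac.compare_digest(self.users[user]["pin_hash"], _h(pin, salt))
        if ok:
            del self.challenges[user]   # single use: a replayed code is rejected
        return ok

def stolen_phone_scenario(require_pin: bool) -> bool:
    """Attacker holds the phone (reads the SMS) but guesses the PIN wrong. Returns True if the login succeeds."""
    srv = AuthServer(require_pin)
    srv.enroll("alice", pin="4821")
    srv.request_login("alice", now=1000.0)
    _, otp_seen_on_phone = srv.sms_outbox[-1]
    return srv.verify("alice", otp_seen_on_phone, pin="0000", now=1010.0)
```

With `require_pin=False` the stolen-phone login succeeds (the OTP alone is the whole credential); with `require_pin=True` it fails, which is the mitigation the paragraph above argues for.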
The simple message from all of this is that while cool new technology is making headway into a world without passwords, do your research, consider the security of the whole system and make good choices that really do reduce your overall risk.