The Heartbleed Bug has shown how fragile passwords can be as a means of secure authentication
As a result of the Heartbleed bug that has made data on two-thirds of the world's servers potentially accessible to hackers, users have been told to change their passwords. It goes to show that not only is the security of passwords fragile, but they are impractical too. So what are the alternatives?
Passwords have been around as long as the Web. In short, they are the quickest and simplest means of securing user accounts. They do, however, have a number of drawbacks. If they are too simple they can be cracked by computer programs. If a server is hacked they can be uncovered. If the same password is used for more than one account, then an uncovered password can compromise a user's whole Web presence. It is inconvenient to remember lots of different passwords, but they can be easily forgotten.
In short, we use passwords online because they were a "good enough" means of security at the dawn of the Web and because they are now the status quo. Experts have been predicting for some time that passwords will be superseded, though. Indeed, Bill Gates declared them "dead" in 2004. Premature that may have been, but vulnerabilities in the architecture of the Web, such as Heartbleed, serve to demonstrate quite explicitly that they do need to be killed off – at least in their current form.
One problem with replacing passwords on the Web is that, not only do alternatives need to be more secure, but they need to be comparatively convenient in order to gain traction. We're so used to rattling through passwords on our keyboards or having them saved by our browsers that people are unlikely to accept alternatives that add a great deal of time or inconvenience to their login processes. Below are a few areas in which potential alternatives being developed.
Biometrics
Biometric authentication is the most well-known alternative to passwords. Everyone knows that fingerprints can be used to identify people, and devices like the Samsung Galaxy S5 and Apple's iPhone 5S have fingerprint scanners built in. Other methods of biometric authentication include iris scanning, as used by the Myris Eyelock, and using a person's heartbeat, like the Nymi wristband.
However, Chester Wisniewski, Senior Security Advisor at Sophos, warns us that although biometric information may be more secure than passwords, the consequences of such data being uncovered is far more severe. "Can you imagine if you used a fingerprint or iris scan instead?" says Wisniewski. "Now we would be leaking your biometric data to crooks. Time to change your fingerprints?".
Tokens
For token authentication, users are provided with a unique piece of data that allows them to login to a website. Illiri, for example, sends a sound to smartphones that users play to their computer as a means of authenticating login. Similarly, Clef sends an image to smartphones that is shown to the computer's webcam. Such smartphone apps add an extra layer of security to your authentication as they themselves can be protected by one or more passwords, but they suffer from being less convenient that just using a password and require contingencies if a phone is lost or out of charge.
Two-factor
The added layer of authentication used by Illiri and Clef, however, is the key to our future security, Wisniewski tells Gizmag. "Clearly passwords alone are not an adequate security measure," he argues. "When combined with other factors though, they can be a part of the solution."
"A single factor is not enough. Passwords are certainly the best option we have for one of the two factors we should be using in two-factor authentication. I think I would stick with a password plus a dynamic second factor like a token or an SMS message."
Two factor authentication is not a new idea. Banks use it routinely and users can set it up on their Google, Facebook and Twitter accounts, as well as on other sites. It's not as quick or convenient as a simple password, but there has been a lot of talk about it since Heartbleed, as the most immediate means by which security can be improved on websites. Authy and Duo are just two providers that are pushing the uptake of two-factor authentication.
Where do we go from here?
As a means of authentication, there is a widespread consensus that passwords alone are not enough. The technology may already be out there and we may just be waiting for a simple and convenient enough implementation of it.
"Momentum is certainly part of it, but I have yet to see a replacement that is as affordable, ubiquitous and easy to use," says Wisniewski.
"It is all about being simple. The mad genius who solves this problem will become very famous. The problem is that it needs to make sense to random individuals and be free to use and implement. That is how we got here and it is how we will get out."
copyright © Gizmag 2003 - 2014