By Taylor Armerding
Jan. 19, 2017
The campaign to eliminate passwords has been ongoing, and growing, for close to a decade. There are even some declarations that this might be the year, or at least ought to be the year, that it happens.
Don’t hold your breath. Brett McDowell, executive director of the FIDO (Fast IDentity Online) Alliance, is as passionate an advocate of eliminating passwords as anyone. He says that day is coming, given the creation of a, “new generation of authentication technology” largely based on biometrics, and a “massive collaboration among hundreds of companies” to define standards for that technology.
The goal of FIDO, a nonprofit created in 2012, is to supplant passwords with what it calls, “an open, scalable, interoperable set of mechanisms,” for secure authentication.
But McDowell said last fall, and said again this past week that passwords will, "have a long tail," that is unlikely to disappear anytime soon – certainly not this year.
There are a number of reasons for that, even though the security problems with passwords are well known and well documented. As Phil Dunkelberger, CEO of Nok Nok Labs, put it, “the username and password paradigm is fundamentally broken. It was never designed for, and is inherently incapable of addressing, the use cases of modern society.
And of course it is not just technology that has made it easier for attackers to compromise them. Users frequently make it ridiculously easy as well. They use short, simple passwords that wouldn’t even take a machine to guess – like “admin,” “password,” “12345,” etc. They continue to use the same user name and password for multiple sites, since they know they won’t be able to remember a couple dozen of them.
The latest Verizon Data Breach Incident Report (DBIR) found that 63 percent of all data breaches involved the use of stolen, weak or default passwords.
And even if users do have somewhat rigorous passwords, far too many can still be tricked into giving them away through social engineering attacks.
Yet, passwords are such an embedded part of authentication systems – most popular websites still use them – that, as McDowell said, it will take considerable time for them to disappear.
Or as Scott Simkin, senior group manager, threat intelligence cloud & security subscriptions at Palo Alto Networks, put it, “We have decades of legacy systems and behavior to change, and it will take years for the industry to catch up.”
Beyond that, there are at least some in the security community who say we should be careful what we wish for. They note that cyber criminals have always found a way around every advance in security. So while biometric credentials – fingerprints, iris scans, voice recognition etc. – are much tougher to compromise than passwords, they may not be a magic bullet. And if attackers can find ways to steal or spoof them, those will obviously be much more difficult to change or update than a password.