I very much like the idea of needing to remember just one secret that I can use to log on to all of my online services, so the concept of a password manager is in many ways very appealing. However, this week I was not at all surprised to read that a UC Berkeley report has found that five popular password managers contained critical vulnerabilities.

My problem with this type of solution is the fact that every single one I have investigated to date uses a password at the front end! Yes, it is true that this approach means you only need to remember one password, so one major bugbear of password usage has been nullified. But if someone cracks that master password, they now have access to all of your accounts, meaning halcyon days for the identity thieves and fraudsters out there.
Meanwhile, it seems that not a day goes by without the revelation of a new biometric innovation that is heralded as the next big thing in authentication. We have had fingerprints, palm vein, voice and facial recognition, and now, in a story published online by Time, it seems we can all be identified by our heart rhythm using an ECG-authenticating wristband. Authentication in a heartbeat, if you will!
However, in an article published by the Washington Post entitled ‘We know the password system is broken. So what’s next?’, Hayley Tsukayama takes a closer look at the viability of using some of the mainstream biometrics as an alternative to passwords. Having experienced biometrics first-hand (I once lived in South Africa in a gated community), I am very dubious about their effectiveness. When I first moved in we were issued with a card to gain access, but these were soon replaced by fingerprint readers, and they often failed. As a result, the security guard on duty would check to see if he recognised me and would then use his own fingerprint to open the gate. My point is this: if a biometric fails, what do you do? A biometric control is therefore only ever as strong as the back-up procedure you have in place behind it.
Meanwhile, amongst the masses of news stories bemoaning passwords, an article published on DARKReading by Corey Nachreiner stands out like a sore thumb, as he bravely puts a case for the defence of passwords. He argues that if you adhere to best practice you are likely to be OK. He may have a point, but the problem with this approach is that it means creating a different, complex password for each of the online resources that you use, and that brings us straight back to the reason password managers have grown in popularity!
A password manager that doesn’t rely on a password would be an immense step in the right direction in marrying convenience with security.

Author: Alissa Lang, Winfrasoft