The industry is buzzing today about a Russian gang who hacked and got its hands on 1.2 billion username and password combinations. It’s definitely a scary headline – but one that probably shouldn’t surprise us at this point. There is plenty of analysis out there on the risky nature of passwords – yet we still rely on them every day. What are our options and alternatives? How do we reduce the ‘importance’ of unintended access to username/passwords combinations as we know it?
There really is no simple answer. One time password technologies have been around for years (and what RSA has traditionally been known for), but that technology has mostly been leveraged by corporations and enterprise environments. And even in that realm – where we have had great success in for so long – we are constantly working on bringing new innovations to the space.
That being said, we are seeing OTP hit the mainstream here and there – just the other day I was resetting my email password and the service provider asked to text me a code to use along with my username/password to help verify my identity. There is also adaptive authentication, which we see being used widely, that will ask you challenge questions when the system deems your behavior risky. In addition, we are seeing even more innovations in the mobile space that take advantage of the built-in capabilities of smartphones and tablets, including high-resolution cameras for facial recognition, high-fidelity microphones for voice recognition, location and motion sensors, touch screens and fingerprint sensors, etc. These innovations, coupled with real-time assessment of the risk, are foundational to helping secure sensitive data and limit the panic one feels when their password is stolen. We need an intelligence-driven model – one that can evaluate:
- Whether this application requires strong security
- Whether the user is doing anything out of the ordinary based on their usual behavior
Based on the level of risk and the sensitivity of the action being taken, we can do a much better job of enforcing the type of user authentication required for the activity – helping to balance defense in depth with convenience.
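To make the model concrete, here is an added Python example (not code from the post or from any RSA product) of a risk-based step-up policy: it scores a login from the application's sensitivity and from how far the attempt deviates from the user's usual behavior, then maps the score to the authentication required. The signals, weights and thresholds are assumptions chosen for illustration.

```python
from dataclasses import dataclass

@dataclass
class LoginContext:
    """Signals available at login time (assumed set for this example)."""
    app_sensitivity: str          # "low", "medium" or "high"
    device_known: bool            # device previously seen for this user
    country_matches_history: bool # geolocation agrees with past logins
    hour_in_usual_window: bool    # time of day matches the user's pattern
    failed_attempts_last_hour: int
    action_is_sensitive: bool     # e.g. changing payout details or email

# Assumed weights: how much each signal contributes to the risk score.
SENSITIVITY_WEIGHT = {"low": 0, "medium": 1, "high": 2}

def risk_score(ctx: LoginContext) -> tuple[int, list[str]]:
    """Return the total score and the reasons, so the decision is auditable."""
    score = SENSITIVITY_WEIGHT[ctx.app_sensitivity]
    reasons = [f"app sensitivity {ctx.app_sensitivity}"]
    if not ctx.device_known:
        score += 2; reasons.append("unknown device")
    if not ctx.country_matches_history:
        score += 2; reasons.append("unusual country")
    if not ctx.hour_in_usual_window:
        score += 1; reasons.append("unusual hour")
    if ctx.failed_attempts_last_hour >= 3:
        score += 2; reasons.append("repeated failures")
    if ctx.action_is_sensitive:
        score += 2; reasons.append("sensitive action")
    return score, reasons

def required_authentication(ctx: LoginContext) -> str:
    """Map the score to the factor set demanded (assumed thresholds)."""
    score, _ = risk_score(ctx)
    if score <= 1:
        return "password"                 # routine, low-value access
    if score <= 4:
        return "password+otp"             # step up with a one-time code
    if score <= 7:
        return "password+otp+challenge"   # OTP plus knowledge challenge
    return "deny"                         # too risky to allow online

if __name__ == "__main__":
    # Constructed sample: a familiar device, but a high-value app and action.
    ctx = LoginContext("high", True, True, True, 0, True)
    print(required_authentication(ctx), risk_score(ctx)[1])
```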
Breaches like this also beg the question – do we need to store credentials on servers at all? Can we instead rely on device-based user identification? This approach transforms the threat surface from a server-side model (all credentials in the server basket) to one that requires hackers to first gain full access to millions of user devices, and then break into tamper-proof credential stores on those devices, to end up with the same type of information – making it an impractical and tough challenge for the bad guys.
Regardless of the approach taken, we need to reduce our dependency on traditional username/password-based user authentication. The security industry has been tasked with finding the right solution to this ever-growing problem – one that balances user convenience with strong security. Many companies are doing some innovative things, and I expect to see a lot of great options in the near future.