Edward Tessen Tanaka
Mar 22, 2012
Featured

Replacing the password: More secure high-tech alternatives to traditional alphanumerics

[Image: Alphanumeric passwords are easily within reach of shadowy cyber hands]

Identity theft. Financial fraud. Cybercrime. These words have entered our daily vocabulary seemingly overnight. It has become nearly impossible to turn on the television or read the news without hearing about a recent breach or a court case in which the criminal bypassed encrypted or password-protected files. Americans are more concerned about cyber security than ever before, yet studies show that we still aren't good at protecting ourselves online.

The password is easily the weakest link in our security procedures. Although this has been known (and talked about) for some time, people are surprisingly careless when choosing passwords to protect their data and accounts. To make things easier -- for ourselves and, apparently, for a lot of thieves -- we often build passwords from easy-to-recall details of our personal lives. Such passwords are easy to undermine, especially now that so much of that personal detail is published on social media. By contrast, when we do create a genuinely hard password, we often write it down for later reference, which, as most of us know, is a bad idea. We do it anyway. The National Institute of Standards and Technology (NIST) wants to address this problem by funding up to $10 million in research aimed at replacing the username/password login method we currently use.

Some alternatives to passwords already exist, many of which have been shown to be more secure than the alphanumeric combinations we use now. For instance, the pattern lock screen available on Android touch-screen smartphones lets the user draw a custom pattern on a connect-the-dots grid to unlock the device. If too many incorrect "swipes" are made, the e-mail address and password of the account associated with the phone must be entered to get past the lock screen. In a widely reported 2012 case the pattern lock held up even against the FBI, which had to seek Google's help to get into a suspect's phone. The caveat is that the pattern space is small (a 3x3 grid allows fewer than 400,000 distinct patterns, far fewer than a short alphanumeric password) and the finger smudges left on the screen can give the pattern away, so the lockout after repeated failures is doing much of the work.

[Image: More than personal information is at stake, as ineffective passwords can lead to financial loss]

Mozilla also recently launched its own alternative authentication system, BrowserID, which "relies on asymmetric keys and ties the user's identity to their e-mail address rather than conventional usernames and passwords." The user logs in to an identity provider (usually the e-mail provider), and the browser uses a JavaScript API to generate a key pair. Only the public key is sent to the identity provider, which returns a short-lived certificate binding the e-mail address to that public key; the private key never leaves the browser, which keeps it on a digital "key ring." To log in to a participating site, the browser signs an assertion naming that site with the private key and presents it together with the certificate, so the site can verify the chain back to the e-mail provider without ever seeing a password. For the user this is a one-click login. BrowserID was designed as a safer alternative to OpenID, which has been criticized for its exposure to phishing and redirect-URL attacks.

Another approach is two-factor authentication (TFA). A TFA scheme requires a person to present two of the three authentication factors: something the user knows, something the user has, and something the user is (i.e. biometrics). Simple versions are quite common. An ATM, for example, requires the user to possess a physical bank card in addition to a PIN. Some websites require users to enter a one-time password sent to their mobile phone in order to log in for the first time. A one-time password is hard to misuse because each code is valid only once and only briefly, so a code that is captured cannot be replayed later; it can still be relayed by a phisher who obtains it in real time, so it complements a strong first factor rather than replacing it.

Newer authentication methods have become increasingly secure as well as creative. Passfaces is a graphical password, a knowledge factor that can stand in for the alphanumeric one, which uses human faces to verify a user's identity. According to the company's website, the process looks like this: "Users are given a random set of faces (typically 3 to 7) to serve as their secret authentication code. They are then taken through a 'familiarization process' that imprints the faces in their mind. To authenticate themselves, users have to pick out their assigned faces, one at a time, from successive groups of nine faces."

Passfaces is more intuitive than a traditional alphanumeric password or phrase because humans have a remarkable capacity to remember faces. That also reduces the chance of being locked out of an account because of a forgotten password. The method also scores well on security because someone who watches the login is unlikely to remember and replicate the chosen faces from a single observation, although a recording of several logins would eventually reveal them.

[Image: Alternative identity verification technologies are making password bypasses exceedingly more rare]

Finally, it comes as no surprise that the most futuristic-sounding concept comes from DARPA. The agency's proposed solution to the password problem is called Active Authentication. Rather than checking a secret once at login, the system would keep identifying the user from computing behavior traits such as how the user handles the mouse, typing speed and style, and the language used in e-mail and other correspondence. DARPA calls these behaviors a "cognitive footprint" and says that a user's identity can be accurately confirmed from typing speed and rhythm alone in 99.5 percent of cases.

The benefits of "non-traditional" password solutions are difficult to refute. The existing alphanumeric paradigm creates an illusion of security and reinforces habits that are ultimately detrimental to creating secure passwords. Instead of trying to get people to change their behavior, these new solutions work with our natural cognitive processes in a way that is easy to learn, easy to remember and easy to operate, but much more difficult to compromise.