Posted by Kevin on March 17, 2016.
Obama is wrong about passwords. He’s not alone, but given the quantity and quality of his advisers, it is very disappointing. This is what he said:
In partnership with industry, we’re launching a new national awareness campaign to raise awareness of cyberthreats and encourage more Americans to move beyond passwords—adding an extra layer of security like a fingerprint or codes sent to your cellphone.
Protecting U.S. Innovation From Cyberthreats
This is the received wisdom about passwords – one password doesn’t work, so we’d better use two – and it is wrong. It conflates human behaviour with security theory. It assumes that the failure of passwords means that passwords don’t work – and ignores the effect of human behaviour.
Human behaviour is like a ball rolling down a hill. It will always take the easiest path, governed by just two universal laws: friction and gravity. We cannot influence gravity – so if we wish to change the path of human behaviour, we need to alter the friction. We need to decrease the friction on the preferred route and increase the friction on the wrong one, so that the right path becomes the easiest path. Without that intervention we will continue, for good or bad, down nature’s easiest route.
It is not passwords that fail, but our use of them. Passwords are a hindrance to our ease. The more effective they are, the greater hindrance they become. So we revert to the easy path by making them easy to remember – like ‘123456’. They should be more like (and this is a random password generated by a password manager) ‘3wf1fDOqgqVbzL56nL6J’.
But it’s not just the user who fails in good password practice. Password theory demands that the service provider store only a hashed version of users’ passwords. If that provider is compromised and the password store is stolen, then the combination of a strong password and good hashing makes it nigh on impossible for the thief to recover the original password. 123456 would be cracked in microseconds; but 3wf1fDOqgqVbzL56nL6J, well, probably never. But if the provider doesn’t hash the passwords, or stores them in any retrievable manner, then the strong password is as weak as the weak one. And that still happens, because providers are just as apt to follow the path of least resistance as we are.
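As an added example (not code from the original post), the following Python shows both halves of that argument: a provider-side store that keeps only a random salt and a deliberately slow PBKDF2-HMAC-SHA256 digest, an audit check showing that even a properly hashed ‘123456’ is recovered after a handful of guesses from a common-password list, and a rough estimate of how long exhausting every password of each shape would take. The two passwords are the ones quoted above; the common-password list, the work factor and the guess rate are constructed assumptions.

```python
import hashlib
import hmac
import math
import os
import string
from typing import Optional

# Added example, not code from the original post. The two passwords are the
# ones quoted in the text; the common-password list and the work factor are
# constructed assumptions for the demonstration.
WEAK = "123456"
STRONG = "3wf1fDOqgqVbzL56nL6J"
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein", "12345678"]  # constructed
ITERATIONS = 100_000  # PBKDF2 work factor (assumption); tune to ~100 ms on the server


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Store a random salt plus a slow PBKDF2-HMAC-SHA256 digest, never the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "digest": digest.hex()}


def verify_password(password: str, record: dict) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["digest"]))


def on_common_list(record: dict) -> Optional[str]:
    """Audit check: a hashed record whose password is on a common list is still
    recovered after a few guesses, so hashing alone does not protect it."""
    for candidate in COMMON_PASSWORDS:
        if verify_password(candidate, record):
            return candidate
    return None


def entropy_bits(password: str) -> float:
    """Entropy of a password drawn uniformly from the character classes it uses."""
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation]
    alphabet = sum(len(c) for c in classes if any(ch in c for ch in password))
    return len(password) * math.log2(alphabet)


def years_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Time to try every password of this shape at the given guessing rate."""
    return 2 ** entropy_bits(password) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    for pw in (WEAK, STRONG):
        rec = hash_password(pw)
        print(pw, "bits=%.1f" % entropy_bits(pw),
              "years@1e10/s=%.2e" % years_to_exhaust(pw, 1e10),
              "common=%s" % on_common_list(rec))
```

The point the numbers make is the one in the text: the hashing is the same for both records, but the weak password is on every list and falls at once, while the random one has roughly 119 bits of entropy and is out of reach at any plausible guessing rate. A provider that stores passwords retrievably gives the thief both of them for free, so the hashing step and the strong password are only useful together.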
Passwords are a form of active authentication. They require an action from the user. It is this need for an action that is the friction that sends us down the wrong path – it, rather than password theory, is what makes passwords fail. But what Obama is advocating is an increase in user actions. The Obama approach simply increases the friction that sends the ball in the wrong direction. If human behaviour makes us avoid simple active authentication, we will take extra steps to avoid or minimize complex active authentication (fingerprints, additional codes delivered by SMS, etc.).
The solution to the password problem is not to increase the friction that sends us down the wrong path, but to eliminate that friction so that we automatically follow the right path. This can (relatively) easily be done by dumping active authentication and replacing it with passive authentication. Passive authentication requires no action from the user.
Virtually all computer screens, and certainly all modern phones, tablets and laptops, come with a camera. That camera could be configured to take regular snapshots of the current user and compare the result to the facial biometrics of the authorised user. Other passive methods (such as the geolocation of the user’s IP address and even keystroke biometrics – hell, you could even add heartbeat patterns and voice pattern recognition) could be combined to construct a continuous form of multi-factor passive authentication.
The key is that all of these methods are passive. The user does not have to do anything, so there is nothing for the user to avoid doing. And the bonus is that it is continuous authentication and is not just reliant on an initial password that could have been stolen. If the continuity of the authentication is broken, then the computer shuts down.
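To make the continuous, multi-factor scheme concrete, here is an added Python example (not code from the original post) of the policy layer that would sit behind those sensors. It takes periodic samples of a face-match score, a keystroke-dynamics score and an IP-geolocation check, combines whichever signals are present, and locks the session once the combined score stays below a threshold for longer than a short grace period. The signal names, weights, threshold, grace period and the sample trace are all constructed assumptions; the example also handles two edge cases the paragraph implies but does not spell out: a user who briefly looks away or stops typing should not be locked out, and geolocation on its own should never count as proof of identity.

```python
from dataclasses import dataclass
from typing import List, Optional

# Added example, not code from the original post. Signal names, weights,
# threshold and grace period are assumptions chosen for the demonstration.
WEIGHTS = {"face": 0.6, "keystroke": 0.3, "geo": 0.1}
THRESHOLD = 0.6       # minimum combined score to count as "still the enrolled user"
GRACE_SECONDS = 20    # how long the score may stay low before the session locks


@dataclass
class Observation:
    t: float                     # seconds since the session started
    face: Optional[float]        # camera snapshot vs enrolled template, 0..1; None = no face in frame
    keystroke: Optional[float]   # keystroke-dynamics similarity, 0..1; None = user not typing
    geo_ok: bool                 # IP geolocation consistent with the user's usual locations


def combined_score(obs: Observation) -> float:
    """Weighted average over the signals actually present in this sample.
    Geolocation alone is not evidence of identity, so with no biometric
    signal at all the score is 0 rather than a misleading 1.0."""
    if obs.face is None and obs.keystroke is None:
        return 0.0
    total, weight = 0.0, 0.0
    for name, value in (("face", obs.face), ("keystroke", obs.keystroke)):
        if value is not None:
            total += WEIGHTS[name] * value
            weight += WEIGHTS[name]
    total += WEIGHTS["geo"] * (1.0 if obs.geo_ok else 0.0)
    weight += WEIGHTS["geo"]
    return total / weight


class ContinuousAuthenticator:
    """Tracks whether the passive signals keep confirming the enrolled user."""

    def __init__(self, threshold: float = THRESHOLD, grace: float = GRACE_SECONDS):
        self.threshold = threshold
        self.grace = grace
        self.last_confirmed = 0.0   # time of the last sample that met the threshold
        self.locked = False

    def update(self, obs: Observation) -> str:
        if self.locked:
            return "locked"
        if combined_score(obs) >= self.threshold:
            self.last_confirmed = obs.t
            return "ok"
        if obs.t - self.last_confirmed > self.grace:
            self.locked = True          # continuity broken: lock the session
            return "locked"
        return "degraded"               # low score, still inside the grace window


def run_session(observations: List[Observation]) -> List[str]:
    auth = ContinuousAuthenticator()
    return [auth.update(o) for o in observations]


# Constructed trace: enrolled user present, looks away while typing, steps
# away briefly, returns, then a different person takes over the keyboard.
SAMPLE_TRACE = [
    Observation(0, 0.95, None, True),
    Observation(10, None, 0.80, True),
    Observation(20, None, None, True),
    Observation(30, 0.90, None, True),
    Observation(40, 0.20, 0.30, True),
    Observation(50, 0.15, 0.25, True),
    Observation(60, 0.10, None, True),
    Observation(70, 0.10, None, True),
]

if __name__ == "__main__":
    for obs, state in zip(SAMPLE_TRACE, run_session(SAMPLE_TRACE)):
        print(f"t={obs.t:>3}s score={combined_score(obs):.2f} -> {state}")
```

Running the trace shows the behaviour the paragraph asks for: the session stays open while either biometric keeps matching, a 10-second absence only degrades it, and the hand-over to a different person locks it once the grace window has passed. The grace period is the tuning knob between false lockouts and how long an impostor can keep the session; with a real camera the sampling interval would be much shorter than the 10 seconds used here.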
The bottom line is simple. Obama is wrong because he is proposing a continuation, indeed an escalation, of the friction that drives bad user behaviour. Instead he should be promoting a switch from initial-only active authentication to continuous passive authentication.