Disclaimer 2: This is my personal blog. It does not represent the opinion of any organisation that I am affiliated with. At best I have talked this through with my cat, who wholeheartedly agreed with me (but only when offered a considerable amount of treats).(2)
That said, here we go.
As a community, we have been looking for ways to reach outside the "echo chamber" for quite a while now. There have been concerted initiatives and some individuals have gone out on their own to carry out the messages we/they believe are important for the general public, governments and industries. This in itself is not a bad thing were it not that the only industry that seems to capitalise on this trend is the media industry (and by extension, the ad networks). Under pressure of time, people are rushed into voicing opinions rather than speaking from experience. After all, we have ads to sell ... good enough is OK!
I personally believe that we, as an industry, can do better. It's OK to say no to a media outlet. It's OK to embargo a post until you've found the time to make it valuable to your target audience. It's OK to value quality over quantity. It's OK to keep the standard high.
The article that triggered my outrage today was titled "Will 2015 Be the Year We Say Goodbye to Passwords?" . It is hosted on CSOOnline which, by its own words, tries to achieve the following:
CSO provides news, analysis and research on a broad range of security and risk management topics. Areas of focus include information security, physical security, business continuity, identity and access management, loss prevention and more.The answer to the question posed in the title of the article obviously is a resounding "hell no!" but allow me to dig further.
First: the target audience. On a platform that calls itself CSOOnline, one would expect the content to be geared towards Chief Security Officiers. One would expect the analysis and research to be of value for a person (m/f) who is known to have little time for useless diatribe and/or clickbait. I, for one, would expect data-driven analysis followed by solid recommendations and actionable information. I, obviously, expected too much :(
Already in the first paragraph, we change the original question (it was the title of the article FFS!) to "With this in mind will 2015 be the year that two-step authentication and non-standard password security methods like biometrics become the norm for forward-thinking businesses?" Maybe asking a question in the title isn't that smart if you're not going to answer it anyway.
2FA or two-step authentication and biometrics do not REPLACE passwords. They perpetuate their use! They obviously increase the challenge for attackers to gain access to a system but that's nothing news.
This is the moment where we digress into a load of missed opportunities ... I illustrate.
Other forms of two factor authentication include the use of security tokens, similar to the RSA SecurID tokens, or using biometrics such as peoples’ fingerprints, retina scanning or other items unique to them. Apple for example have introduced fingerprint readers to unlock their latest range of iPhones.Wrong ... Apple's introduction of fingerprint readers and their related APIs have ALREADY brought biometric authentication to the consumer and adoption is happening RIGHT NOW. As an example, my bank leverages Touch ID to allow me to authenticate on my mobile banking application. This is NOW, not years from know! The audience for this article may be interested to know that they too can leverage this right now with very little effort. Missed opportunity #1. But who cares?
What is interesting from the above developments is that it brings two factor authentication, previously an area mainly reserved for corporates, into the consumer arena. While this acceptance may make it easier for businesses to introduce two factor authentication to their workforce it may still be a number of years before we see this adoption take place.
Passwords, for all their weaknesses and issues, have the big advantage of being a very cost effective way of securing systems. Implementing and managing two factor authentication systems can introduce a lot of extra costs and overheads for companies to employ. Because of this the use of passwords will continue to be a necessary evil.
What we need to do is educate users on how to select and use passwords securely, for them to use password managers to help them cope with the multitude of passwords they may have to use, and get companies to properly secure the passwords being used to access their systems.This is probably the paragraph that irked me the most. We are talking to a CSO audience and all we can tell them is to tell users how to select "secure passwords" and to use "password managers"? Really? I've personally worked in complex IDM architectures for quite a while and I've custom built centralised authentication/authorization systems in heterogeneous IT environment from scratch. With all due respect, these recommendations don't cut it.
We are talking to an audience that, today, is responsible for a diverse set of technologies they didn't choose. An audience that is pressured into adopting cloud-based solutions to enable business units to do their actual job and keep their companies competitive. An audience that is challenged to respond to complex architecture questions and all we can tell them is to use stronger passwords and password managers? No, just no.
I agree that our challenge exists in breaking down very complex solutions into understandable chunks of information on an executive level but in all honesty, you can not address the password issue without talking about consolidation of directories (reducing the potential points of failure!), federated authentication and single sign on. This doesn't mean you have to quote RFCs on SAML, OAuth, etc. but if our common goal is to reduce the noise and to increase the signal, we have to start by being honest with ourselves and with our audience.
The article at hand is opinion more than it is something that shares experience/knowledge. As professionals we should hold ourselves to a higher standard when addressing the audience we care so much about. Next time when asked to write an article or partake in an interview or panel, I will ask myself "am I truly the person they want to talk about this subject" instead of letting my vanity get the better of me.
We can do better and we should.
(1) your messages of sympathy are much appreciated but I don't actually have bronchitis!! You just missed the Sweet Brown reference.
(2) I don't actually have a cat.