23/01/2015

By François Amigorena, CEO, IS Decisions


People have been predicting the death of the password for just about as long as it has existed. In fact, Mr Microsoft himself, Bill Gates, famously predicted its demise back in 2004. Today we hear voices calling for its disposal every time a major security leak makes the news.

The fact of the matter is that yes, the password is flawed. Or to put it more accurately, human use of passwords is flawed. We pick simple ones, we forget complex ones, we share them with our colleagues or our boss, or anyone else that appears to have an air of authority. IS Decisions research has shown that as many as 23% of desk-based workers in the US and the UK have shared their work-related password with one or more colleagues.

Biometric dreams

So it is no wonder that the next generation of password security technology looks appealing. Biometrics is a strong contender to take over, and the advantages are clear.

You cannot forget your fingerprint, or your eye’s retina. Anyone with an iPhone from the last two generations knows the ease of unlocking their device or paying for an app using their fingerprint. It is secure, yet a very simple user experience, lowering friction.

Biometric reality

However, low friction is not necessarily an advantage in network security terms. Fundamentally, biometrics represent a different approach to passwords. Where a password is something you know, a biometric is something you are. We can also talk here about using physical tokens, or keys, which is something you have.

Each has its own advantages and disadvantages, and yes it is difficult to share a fingerprint, but it is not impossible to spoof fingerprint scanners. Then you get into the issue of permanence; if a password is compromised, you can change it. You can’t change a compromised fingerprint.

The reality is that biometrics are not likely to be used as a security measure in isolation. Even Apple, in its implementation of fingerprint scanning, uses the technology alongside passwords. Turn your phone off and you’ll need the passcode; buy something from iTunes for the first time in a while and you’ll need your password. In Apple Pay, measures are taken to keep card details secure, and even if a thief could somehow clone your fingerprint, he would still run into trouble trying to use a credit card without other security information.

The biometric technology is used in conjunction with the humble password, as the two factors in combination can be stronger than one in isolation. This isn’t a given, however. If two-factor authentication is employed, it can lead to users choosing weaker passwords, meaning that if one factor is compromised, a weakened second factor is left vulnerable.

Speed of adoption

The other side of the coin, when talking about biometrics being rolled out into the enterprise, is that it isn’t likely to happen very quickly. Enterprise technology is acknowledged to move a lot slower than consumer tech nowadays, and there’s no reason to believe biometrics will be any different.

In fact, organisations that are most concerned about security are generally among the slowest to move. Many in the finance, defence and law sectors are only now upgrading their networks from Windows XP, a 13-year-old operating system, to Windows 7, itself three generations behind, due to security concerns. And they’re only switching from XP because Microsoft has halted support for it. When you are really concerned about security, you take your time to watch how a new technology works for everybody else before you risk adopting it yourself.

Biometric security technology is relatively untested, and is going to be expensive to implement. It will be a long time before the most security-conscious organisations consider relying on it.

Strengthening the password

But this is not the end of the world. The (distant) future may be bright for biometrics, but for now we have a lot of work we can do with the password to make it stronger.

Passwords, like biometrics, are just a single security measure, and no security measure is 100%. The right approach to security is always to take the appropriate measures to mitigate all possible risks. This may mean a tailored approach; in the same way, you don’t have the same level of security on your house’s front door as your bank does on its vault.

Relying solely on any one measure is inevitably going to lead to vulnerabilities, which is why we are entering the age of security layers, not the death of the password. And passwords are just one of those layers. One day perhaps biometrics will be tested enough for enterprise to adopt them as another layer, but for now security choices have to be appropriate and usable. Strengthening the password is a very appropriate and usable solution today.

All of these precautions reduce the ‘user error’ factor of the traditional password, and help strengthen your network. And even when the day comes that we do see widespread use of biometric security, we know that having better user access controls and password security will continue to be of great benefit.