Books written by Ray Sullivan

Thursday, 16 May 2013

Passwords Are Barking Up The Wrong Tree

There's an organisation called FIDO - yes, I know, it featured in at least one Scooby Doo episode and a couple of Tom and Jerry cartoons too - that wants to change the way we shop and interact generally with the internet.

You see, most on-line transactions are only relatively secure. Sure, the retailers you use will have a secure server, there's encrypted messages and of course, your password. I say password because most normal people have just the one, maybe two. Aunt Mabel's wedding anniversary and the title of the first film you ever saw in the cinema are difficult enough to remember. Add another couple of random facts and your mind is going to melt down.

In fact the industry would be rather pleased if everyone used passwords as complex as the one I've suggested - and if any wannabe hacker is looking up my family tree, I don't think I've ever had an Aunt Mabel.  I'd hate to waste your precious if illegally spent time.

But the reality is that remembering truly complex passwords - you know, random combinations of letters, numbers and punctuation marks - is hard work, especially if you have a lot of accounts out in cyberspace. And it's not as though the holders of the secure servers have been immune to successful attacks over the last year or so. Sony was hacked - that we know because they owned up. There have been other high profile hacks recently, too. My guess is that not all organisations tell us when they've been hacked.

This is where Michael Barrett, PayPal's Chief Information Officer, comes in. Not content with working tirelessly at managing PayPal's information, he's also the president of the Fast Identity Online (FIDO) Alliance.

FIDO is keen to migrate us away from secure passwords because, basically, they're not really secure. They note that while we may have a few very secure passwords, we do have a habit of using them in a number of locations, and therefore each password is only as secure as the least secure location it's used in. They also realise that, being mostly human, we'll continue to do this until we're all compromised.

So, what's better than a secure password? No password, reckons FIDO. They make the observation that most of us carry out our transactions on a limited number of devices - sure, you may hop onto a mate's iPad to bid for something on eBay once in a blue moon, but most of your online transactions will be on a finite and auditable number of computers.

They want us to migrate to FIDO-enabled devices that use a combination of fingerprint matching, hardware tokens and USB memory sticks, plus some trick software. They've developed the standard and hope that FIDO-enabled equipment will start shipping this year.

OK, details are necessarily scant, but I'm not wholly on board. I agree that passwords are an imperfect solution to the problem, but I'm not convinced about the FIDO approach either. Fingerprints, while largely unique, are reproducible. Hardware tokens sound like they will work until they won't, and that day will be the day I want to access my bank account. USB memory sticks are becoming persona non grata in many ways. And software - don't talk to me about software.

There will be a way to solve this problem, and biometrics will probably be part of it - as the FIDO fingerprint standard suggests - and I suspect that the solution will be simpler than the proposal. I think FIDO do have a point about us using a finite number of devices, and that insight is probably pure genius. Maybe we will need a super password to access our stuff when away from any of our normal devices, but if a way of carrying out our transactions using our regular devices can be devised, then that will make hacking harder. After that it probably boils down to finding a sensible biometric we can use. It may even be staring us in the face.
