Article posted: Jun 01, 2016
By Per-Anders Fjärdsäter, CFO
At its 2016 I/O Developer Conference, Google introduced TRUST API, which aims to eliminate passwords on future Android platforms. Google expects to eliminate passwords by mixing in weaker but unique indicators of who you are. These techniques include obvious biometric indicators such as face shape and voice patterns, as well as less obvious ones like how you move, how you type and how you swipe on the screen.
We applaud Google’s efforts to eliminate passwords. Passwords are often the first and only line of defense protecting important assets, from your online bank account to your enterprise data. They are a flawed security measure: easily shared and simple to hack. Even as organizations try to make passwords more unique by requiring extra characters and numbers, employees often can’t remember them and fall back on auto-login features to reach corporate data, leaving those assets vulnerable to simple theft.
According to the new 2016 Verizon Data Breach Investigations Report, which drew on more than 64,000 security incidents worldwide in 2015, legitimate user credentials were used in most data breaches, with some 63% of them involving weak, default, or stolen passwords. The report identified stolen credentials as the number one threat action type among attacks that used legitimate credentials, followed by malware, phishing, and keyloggers.
Password elimination is a key step toward moving to more secure multi-factor ID solutions. Many organizations are already using encryption, but physical, biometric and virtual identification is growing in popularity. According to Markets and Markets Research, the Identity and Access Management market will grow to nearly $13 billion by 2020.
As organizations become less dependent on the password, there are several options to consider when integrating multi-factor ID to secure their enterprises. Following are some of the most popular:
Physical Smart Cards
Smart cards are used to authenticate identity and often rely on a public key infrastructure (PKI). The card stores an encrypted digital certificate issued by the PKI provider, along with other relevant information. Many government organizations around the world use smart cards to manage physical and network access for their employees. Smart cards can also carry biometric identification data, providing stronger two- or three-factor authentication.
Virtual Smart Cards
Virtual smart card technology offers comparable security benefits to physical smart cards by using two-factor authentication. Virtual smart cards mimic the functionality of physical smart cards, by using the Trusted Platform Module (TPM) chip that is available on computers in many organizations, rather than requiring the use of a separate physical smart card and reader. Virtual smart cards are created in the TPM, where the keys that are used for authentication are stored in cryptographically secured hardware. According to Microsoft, by utilizing TPM devices that provide the same cryptographic capabilities as physical smart cards, virtual smart cards accomplish the three key properties that are desired for smart cards: non-exportability, isolated cryptography, and anti-hammering.
Security Tokens
A security token, or authentication token, is a small hardware device that its owner carries to authorize access to a network service. The device may take the form of a physical smart card or may be embedded in a commonly carried object such as a key fob. Security tokens provide the user with a personal identification number (PIN), which identifies them as the owner of that particular device; the device then displays a number that uniquely identifies the user to the service, allowing them to log in. The number for each user changes frequently, usually every five minutes or so. Unlike a password, a security token is a physical object, so even if the key fob falls into the wrong hands it can't be used to gain access, because the PIN (which only the rightful user knows) is also needed.
A password-free era is on the horizon and organizations will benefit from this development. As multi-factor authentication becomes more popular, it will be more difficult for nefarious players to infiltrate sensitive corporate data.