Skip to main content

Passwords May Soon Be Passé

Image
By

The early January theft of more than 320,000 user emails and passwords from cable giant Time Warner gave validation to the argument that simple password authentication is becoming less and less reliable.
But the Time Warner Cable hack is far from being the worst case of identity theft.
In fact, it’s quite insignificant compared to some of the more severe cases we’ve seen in the past year, including the five million user records stolen from toy manufacturer VTech, the 21 million federal employee records stolenfrom the Office of Personnel Management and the 80 million customer records stolen from healthcare service provider Anthem.
When it comes to stealing identities, hackers seem to have an unlimited stash of weapons, including brute-force attacks, dictionary attacks, phishing, social engineering, man-in-the-middle, key-loggers, password resets from recovery emails and wholesale theft of passwords from databases.
And when hackers gain access to our credentials, they can virtually ruin our entire lives by stealing our information or money, or by defaming us through doxing our secrets or posting profanity and obscenities in our names.
On the other hand, when it comes to protecting passwords, there seems to be no end to the pitfalls that one has to avoid, including weak passwords, shared passwords, unchanged passwords, default passwords… And even if you stay true to all the security best practices, some things remain out of your control, including how committed your provider is to encrypt and protect your credentials on its server.
The password dilemma isn’t new, and has been raised on numerous occasions inprevious years. However, the solutions offered have often proven to be frustratingly complex and expensive, or flawed in their own way.
Whatever’s destined to substitute passwords will have to be simple, robust, affordable and flexible.
For the most part, we prefer to continue relying on plain passwords for our online accounts. In light of the continuing rise of data-breaches and identity fraud cases, tech firms are addressing this issue in earnest, and are focusing on ways to strengthen and facilitate the password paradigm, or to have it replaced altogether. Here are some of the newer trends that might change our authentication habits in the near future.

PIN and software token

While classic two-factor authentication methods have proven to be fraught with frustrating user experience or hardware complexities, the PIN and software token combines the simplicity of password entry with the added security of two-factor authentication.
This is the method adopted by British tech firm MIRACL through its new technology, the M-Pin crypto application, a two-factor authentication protocol that involves a user-selected four-n length PIN and a related software token to create a unique key that runs a zero-knowledge proof authentication protocol against its server.
The token is stored on the user’s browser or mobile device, and the PIN is only known to the user. The fact that M-Pin stores no passwords on the server “will make password smash n’ grab attacks a thing of the past,” says Brian Spector, the company’s CEO.
The technology adds further safeguards by distributing its master keys between two D-TAs (Distributed Trust Authorities), one being the customer server, where the server application resides, and the other being the central MIRACL D-TA. This further complicates identity theft by requiring attackers to breach four different sources for each account they wish to hack.
MIRACL offers M-Pin in two flavors, a JavaScript code snippet and library embedded within websites, or a mobile version that allows users to control browser access to their accounts through a mobile app.
M-Pin will get its shot at delivering on its promise of improving both simplicity and security, as it was recently selected by certified identity assurance provider Experian to provide highly secure authentication to millions of U.K. citizens in a government-led project aimed at providing in a safe, secure and straightforward manner services such as driving license renewal and tax-form filing.

NFC two-factor authentication

Two-factor authentication through physical USB keys has been around for a while on desktop computers, but mobile devices have been slow to catch up. That has changed, as tech company Yubico launched a physical device that allows you to log in to your online accounts through Near Field Communication (NFC) technology.
Dubbed YubiKey NEO, the device is meant to be held against the back of an NFC-enabled phone and tapped to confirm user authenticity during login. The key generates a login code specific to the user and service at hand each time it’s pressed. After account access has been confirmed through YubiKey, that account can remain authenticated for a period of time (depending on the service), unless the service provider detects unusual activity, in which case the user will be prompted for YubiKey authentication again.
YubiKey NEO also offers the same multiple protocol support (OTP, U2F, PIV, OpenPGP) as the YubiKey 4, which means the device can be plugged into desktop computer USB ports to be used as a normal physical USB key during logins. YubiKey has been well received by some of the leading names in the tech industry, including Google, Dropbox and GitHub.
The YubiKey stores no personal details and is linked to an account, meaning that anyone with your credentials will also need the key to log in to your account. The only catch is that you’ll have one more device that you have to avoid losing.

Fingerprint authentication as a service

With more mobile devices sporting fingerprint scanners and cloud computing becoming cheaper, Qondado, a Puerto Rican tech startup, is trying to ease the way for developers to integrate biometric authentication into their web applications through a flagship platform it calls KodeKey.
The system, which is composed of a mobile app and a web service, ties users to their phone numbers via biometrics and allows clients to use that number and a PIN for authentication. The authentication platform can be integrated into any client site via an API or plug-ins (there’s currently a WordPress plug-in available).
When it comes to stealing identities, hackers seem to have an unlimited stash of weapons.
Registered users enter their phone number plus the associated PIN in the log-in page; they subsequently receive a notification on the KeyKode app which prompts them to scan their fingerprint. The web service will only allow access to the account if the mobile’s fingerprint scanner authenticates the user. The app is available on both Android and iOS, but will only function on newer handsets that have fingerprint scanners.
The company hopes to provide enterprise-level security for banks, credit card companies, cable providers, wireless providers and cloud services, and plans to develop plug-ins for a wide range of platforms in the future.

Mobile authentication

As the use of mobile devices is becoming increasingly widespread, users have an ever-present and personal tool to store and present their digital identity. This is becoming especially more feasible as newer mobile operating systems are offering trusted execution environments and hardware-secure elements to store sensitive data, such as cryptographic credentials.
This is a trend being embraced by two

Comments

Post a Comment

Popular posts from this blog

The EHang 184 Is A Human-Sized Drone Taking Off At CES

By
We’ve seen some pretty cool stuff on day 1 of CES 2016, but probably nothing more eye-catching than the EHang 184, a human-sized drone built by the Chinese UAV company  EHang . Yes you heard right — a giant autonomous drone that fits a human. It’s basically what you would expect to see if someone shrunk you down to the size of a LEGO and stuck you next to a DJI Inspire. Except no one was shrunk, and the giant flying machine was sitting smack in the middle of the CES drone section. EHang, which was founded in 2014 and has raised about $50M in venture fundingto date, was pretty gung-ho about telling everyone at CES that the 184 was the future of personal transport. And for the most part, people were too in awe to question them. But the reality is that the company probably was using the 184 as more of a marketing tool for their standard-sized drones like the  Ghost . Not that we’re saying that the 184 will never be a real thing, just that it probably isn’t co...
Post a Comment
Read more

Western Union Brings Money Transfer And Its Tricky Fees To Chat Apps

By
Remittance has always been a shady business. Migrant workers need to send money they earn home to their families, but get hit with fine print fees so less cash comes out the other side than they might assume. Remittance companies earn extra by keeping the margin between their own made up exchange rate and the real one. Western Union is the best known remittance company, with 500,000 brick-and-mortar locations around the world. But tech startups like TransferWise, Azimo, and WorldRemit are gunning for the business. They hope to increase convenience and reduce fees to lure customers away from Western Union, Moneygram, and other old-school remittance providers. So  Western Union  is going digital thanks to partnerships with big messaging apps. It launched its Western Union Connect system in October last year, followed by a partnership with WeChat for sending up to $100. Now it’s getting into bed with  Viber , which has over 664 million “unique” users, thou...
Post a Comment
Read more

Google Calls Out EFF Over Bogus Claims That It Snoops On Students With Its Chromebooks

By
The Electronic Frontier Foundation (EFF) caused quite a stir this week when it alleged that Google is using its Chromebook platform, which has made a significant impact in the education sector, to snoop on students. The charges were damning, with the EFF claiming that Google was violating its own corporate policies and using students’ personally identifiable browsing data/habits to refine its services, in addition to sharing that data with partners. "EFF bases this petition on evidence that Google is engaged in collecting, maintaining, using, and sharing student personal information in violation of the 'K-12 School Service Provider Pledge to Safeguard Student Privacy' (Student Privacy Pledge), of which it is a signatory,” alleged the EFF in its initial FTC complaint. Google takes such allegations very seriously, and has thus responded to every claim brought forth by the EFF. “While we appreciate the EFF’s focus on student data privacy, we are confid...
Post a Comment
Read more

Following Patent Deal, Every Time Apple Sells An iPhone, Ericsson Gets A Bit Of Money

By
Telecommunications infrastructure company Ericsson just  announced  that it has reached an agreement with Apple over an ongoing patent dispute. For the next seven years, Apple will pay a fraction of its iPhone and iPad profit to Ericsson in royalties. Back in February, Ericsson filed suits in many different jurisdictions for patent infringement (the International Trade Commission, the U.S. District Court for the Eastern District of Texas, the U.S. District Court for the Northern District of California, as well as courts in the U.K., Germany and the Netherlands). According to the Swedish company, Apple has been violating 41 patents over the past few years with its iPhone and iPad, in particular patents related to GSM, UMTS and LTE technologies. As expected, the two companies have reached an agreement and Ericsson is dropping all of its lawsuits. Today’s news isn’t particularly surprising as Ericsson holds more than 35,000 patents. Many of them are related to wireles...
Post a Comment
Read more

NVBOTS Wants To Make 3D Printers As Easy As Toasters

By
Right now 3D printing curriculums, if they exist, are fairly sparse. Putting a two thousand dollar machine in front of a grade schooler usually ends up in a lot of 3D printed Yoda heads and not much education while the learning curve for most 3D design tools is steep. That’s what the founders of NVBOTS, AJ Perez, Forrest Pieper, Christopher Haid, and Mateo Peña Doll, are looking to solve. Their product, the  NVPRO , is a 3D printer with a few interesting features. The two most interesting are the automatic removal system which pops parts off of the build plate when they are done and a built-in print server that allows you to print from any device. This means you can run large batches of prints from different users with each part popping off as its printed. This means a class of students can send jobs to a printer and then pick them up just as they would a laser printer. The printer also supports a central “admin” who can check jobs before they are printed as and offers a ...
Post a Comment
Read more