
Passwords May Soon Be Passé


The early January theft of more than 320,000 customer email addresses and passwords from cable giant Time Warner Cable validated the argument that simple password authentication is becoming less and less reliable.
But the Time Warner Cable breach is far from the worst case of credential theft.
In fact, it is quite insignificant compared to some of the more severe cases of the past year, including the five million user records stolen from toy manufacturer VTech, the 21 million federal employee records stolen from the Office of Personnel Management and the 80 million customer records stolen from healthcare service provider Anthem.
When it comes to stealing identities, hackers seem to have an unlimited stash of weapons, including brute-force attacks, dictionary attacks, phishing, social engineering, man-in-the-middle attacks, keyloggers, password resets through compromised recovery email accounts and wholesale theft of password databases.
And when hackers gain access to our credentials, they can virtually ruin our lives by stealing our information or money, or by defaming us: doxing our secrets or posting profanity and obscenities in our names.
On the other hand, when it comes to protecting passwords, there seems to be no end to the pitfalls one has to avoid: weak passwords, shared passwords, unchanged passwords, default passwords, and so on. And even if you follow every security best practice, some things remain out of your control, including how carefully your provider hashes and protects your credentials on its servers. A provider that stores passwords in plain text, or encrypted with a key it also holds, exposes every one of them the moment its database is stolen.
The password dilemma isn't new, and has been raised on numerous occasions in previous years. However, the solutions offered have often proven to be frustratingly complex and expensive, or flawed in their own way.
Whatever’s destined to substitute passwords will have to be simple, robust, affordable and flexible.
For the most part, we still prefer to rely on plain passwords for our online accounts. In light of the continuing rise in data breaches and identity fraud, tech firms are addressing the issue in earnest, focusing either on ways to strengthen the password paradigm while keeping it convenient, or on replacing it altogether. Here are some of the newer trends that might change our authentication habits in the near future.

PIN and software token

While classic two-factor authentication methods have proven to be fraught with a frustrating user experience or hardware complexity, the PIN and software token combines the simplicity of password entry with the added security of two-factor authentication.
This is the method adopted by British tech firm MIRACL through its M-Pin crypto application, a two-factor authentication protocol in which a user-selected PIN (four or more digits) and a related software token together reconstruct a unique key, which is then used in a zero-knowledge proof authentication protocol against the server.
The token is stored in the user's browser or on the mobile device, and the PIN is known only to the user. Because M-Pin stores no passwords on the server, it "will make password smash n' grab attacks a thing of the past," says Brian Spector, the company's CEO.
The technology adds a further safeguard by distributing its master keys between two D-TAs (Distributed Trust Authorities), one being the customer's server, where the server application resides, and the other being the central MIRACL D-TA. This further complicates identity theft: for each account, an attacker would need to breach four different sources (the two D-TA key shares, the user's token and the user's PIN).
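To make the PIN-plus-token idea concrete, here is an added illustration, not MIRACL's M-Pin code (M-Pin uses pairing-based cryptography and split master keys, neither of which is reproduced here): a fresh secret is split into a device token and a PIN, the server keeps only a verifier rather than a password, and login is a Schnorr-style zero-knowledge identification over a prime-order subgroup. The function names, the sample user and PIN, and the 128-bit group size are assumptions made for this example; a real deployment would use a standard 2048-bit group.

```python
"""PIN + software token login with a Schnorr-style zero-knowledge proof (illustration only)."""
import hashlib
import secrets


def _is_probable_prime(n, rounds=20):
    """Miller-Rabin with random bases; enough for generating illustration parameters."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_group(bits=128):
    """Return (p, q, g): p = 2q+1 is a safe prime and g = 4 (a square) generates the order-q subgroup.
    128 bits keeps the example fast; this is an assumed toy size, not a production parameter."""
    while True:
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(q) and _is_probable_prime(2 * q + 1):
            return 2 * q + 1, q, 4


def hash_to_scalar(q, *parts):
    """Domain-separated, length-prefixed hash of the user id and PIN into Z_q."""
    h = hashlib.sha256(b"pin-token-demo")
    for part in parts:
        data = part.encode()
        h.update(len(data).to_bytes(4, "big") + data)
    return int.from_bytes(h.digest(), "big") % q


def enroll(group, user_id, pin):
    """Split a fresh secret s into a device token and the user's PIN.
    The server receives only g^s: no PIN, no password, nothing to 'smash and grab'."""
    p, q, g = group
    s = secrets.randbelow(q - 1) + 1
    token = (s - hash_to_scalar(q, user_id, pin)) % q   # kept on the device/browser
    verifier = pow(g, s, p)                              # kept on the server
    return token, verifier


def client_commit(group, user_id, pin, token):
    """Client step 1: rebuild s from token + PIN, pick a nonce r, send A = g^r."""
    p, q, g = group
    s = (token + hash_to_scalar(q, user_id, pin)) % q
    r = secrets.randbelow(q - 1) + 1
    return {"s": s, "r": r}, pow(g, r, p)


def server_challenge(group):
    """Server step: a random non-zero challenge c in Z_q."""
    return secrets.randbelow(group[1] - 1) + 1


def client_respond(group, state, c):
    """Client step 2: z = r + c*s (mod q); z alone reveals nothing about s."""
    return (state["r"] + c * state["s"]) % group[1]


def server_verify(group, verifier, commitment, c, z):
    """Accept iff g^z == A * verifier^c (mod p), i.e. the client really knew s."""
    p, q, g = group
    return pow(g, z, p) == commitment * pow(verifier, c, p) % p


def login(group, user_id, pin, token, verifier):
    """Run the three-message exchange; True only if token and PIN fit together."""
    state, commitment = client_commit(group, user_id, pin, token)
    c = server_challenge(group)
    return server_verify(group, verifier, commitment, c, client_respond(group, state, c))


def offline_pin_guess(group, user_id, token, verifier, candidates):
    """The caveat: an attacker holding BOTH the device token and the server's verifier
    can test PINs offline. Holding either one alone yields nothing to test against."""
    p, q, g = group
    for pin in candidates:
        if pow(g, (token + hash_to_scalar(q, user_id, pin)) % q, p) == verifier:
            return pin
    return None


if __name__ == "__main__":
    grp = make_group()
    tok, ver = enroll(grp, "alice@example.com", "4831")      # constructed sample user
    print("correct PIN accepted:", login(grp, "alice@example.com", "4831", tok, ver))
    print("wrong PIN accepted:  ", login(grp, "alice@example.com", "4832", tok, ver))
    print("offline guess with token + verifier:",
          offline_pin_guess(grp, "alice@example.com", tok, ver, (f"{i:04d}" for i in range(10000))))
```

The last function is the practitioner's caveat: in this simplified scheme a stolen token plus a stolen server database lets an attacker try all ten thousand four-digit PINs offline in well under a second, which is exactly why the server side must not hold a single self-contained verifier, and why an online guess counter and lockout remain necessary whatever the protocol.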
MIRACL offers M-Pin in two flavors: a JavaScript code snippet and library embedded in websites, or a mobile version that lets users control browser access to their accounts through a mobile app.
M-Pin will get its shot at delivering on its promise of improving both simplicity and security: it was recently selected by certified identity assurance provider Experian to provide highly secure authentication to millions of U.K. citizens in a government-led project aimed at delivering services such as driving licence renewal and tax-form filing in a safe, secure and straightforward manner.

NFC two-factor authentication

Two-factor authentication through physical USB keys has been around for a while on desktop computers, but mobile devices have been slow to catch up. That has changed: tech company Yubico has launched a physical device that lets you log in to your online accounts through Near Field Communication (NFC).
Dubbed YubiKey NEO, the device is meant to be held against the back of an NFC-enabled phone and tapped to confirm the user's presence during login. Each time it is tapped, the key produces a fresh one-time login response specific to the user and the service at hand. Once access has been confirmed through the YubiKey, the session can remain authenticated for a period of time (depending on the service), unless the service provider detects unusual activity, in which case the user is prompted for YubiKey authentication again.
YubiKey NEO also offers the same multi-protocol support (OTP, U2F, PIV, OpenPGP) as the YubiKey 4, which means the device can also be plugged into a desktop computer's USB port and used as a conventional USB security key during logins. YubiKey has been well received by some of the leading names in the tech industry, including Google, Dropbox and GitHub.
The YubiKey stores no personal details; it is simply registered with an account, so anyone who obtains your credentials would also need the physical key to log in. The only catch is that you have one more device you must avoid losing, so register a second key as a backup, or keep the service's recovery codes somewhere safe.
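The exchange described above, as an added example that is neither Yubico's firmware nor any FIDO library: a relying party registers one P-256 public key per service (application id), issues a random challenge for each login, and checks both the signature and a strictly increasing counter. The ECDSA arithmetic is written out from scratch so the example runs on the Python standard library alone; it is an illustration and is neither constant-time nor hardened. The service names, the user "alice", the JSON payload layout and the look-alike phishing origin are assumptions for this example, not the U2F wire format.

```python
"""U2F-style register / challenge / sign / verify with a per-origin key and a clone-detecting counter."""
import copy, hashlib, json, secrets

# NIST P-256 (secp256r1) domain parameters, the curve U2F authenticators sign with
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A, B = P - 3, 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)

def on_curve(pt):
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0

def ec_add(p1, p2):
    """Affine point addition on P-256; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    num, den = (3 * x1 * x1 + A, 2 * y1) if p1 == p2 else (y2 - y1, x2 - x1)
    lam = num * pow(den, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def ec_mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; illustration only)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def _z(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def ecdsa_sign(d, msg):
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = ec_mul(k, G)[0] % N
        s = pow(k, -1, N) * (_z(msg) + r * d) % N
        if r and s:
            return r, s

def ecdsa_verify(pub, msg, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    pt = ec_add(ec_mul(_z(msg) * w % N, G), ec_mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r

def signed_payload(app_id, counter, challenge):
    """What the key signs: the origin it was asked for, its counter and the server's nonce (assumed layout)."""
    return json.dumps({"app": app_id, "ctr": counter, "chal": challenge}, sort_keys=True).encode()

class SecurityKey:
    """One private key per application id (origin) and a counter bumped on every signature."""
    def __init__(self):
        self._keys, self.counter = {}, 0   # a real key wraps the private scalar into a key handle

    def register(self, app_id):
        self._keys[app_id] = d = secrets.randbelow(N - 1) + 1
        return ec_mul(d, G)                # public key handed to the service

    def authenticate(self, app_id, challenge):
        if app_id not in self._keys:       # the browser supplies the real origin: a look-alike site gets nothing
            return None
        self.counter += 1                  # the tap: user presence, and the counter moves on
        payload = signed_payload(app_id, self.counter, challenge)
        return self.counter, ecdsa_sign(self._keys[app_id], payload)

class RelyingParty:
    def __init__(self, app_id):
        self.app_id, self.users, self.pending = app_id, {}, {}

    def register(self, user, pub):
        if not on_curve(pub):              # never accept an off-curve public key
            raise ValueError("public key not on P-256")
        self.users[user] = {"pub": pub, "ctr": 0}

    def challenge(self, user):
        self.pending[user] = c = secrets.token_hex(16)
        return self.app_id, c

    def verify(self, user, response):
        c, rec = self.pending.pop(user, None), self.users[user]   # nonce is single use
        if response is None or c is None:
            return False
        counter, sig = response
        if not ecdsa_verify(rec["pub"], signed_payload(self.app_id, counter, c), sig):
            return False
        if counter <= rec["ctr"]:          # went backwards: a cloned key has been used
            return False
        rec["ctr"] = counter
        return True

def demo():
    """Legit login succeeds; a cloned key with a stale counter and a phishing origin both fail."""
    rp, key = RelyingParty("https://accounts.example.com"), SecurityKey()   # constructed names
    rp.register("alice", key.register(rp.app_id))
    clone = copy.deepcopy(key)                     # attacker somehow copied the key's state
    legit = rp.verify("alice", key.authenticate(*rp.challenge("alice")))
    cloned = rp.verify("alice", clone.authenticate(*rp.challenge("alice")))
    _, c = rp.challenge("alice")
    phished = rp.verify("alice", key.authenticate("https://accounts-example.com", c))
    return {"legit": legit, "clone": cloned, "phish": phished}
```

Running `demo()` returns `legit` as True and both `clone` and `phish` as False: the cloned key signs correctly but its counter has not moved past the value the server already saw, and the look-alike origin never gets a signature at all because the key holds no credential for it. Those two checks, counter monotonicity and origin binding, are what make a tap-to-confirm key stronger than a code typed from a phone.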

Fingerprint authentication as a service

With more mobile devices sporting fingerprint scanners and cloud computing becoming cheaper, Qondado, a Puerto Rican tech startup, is trying to make it easier for developers to integrate biometric authentication into their web applications through its flagship platform, KodeKey.
The system, which consists of a mobile app and a web service, ties users to their phone numbers via biometrics and allows client sites to use that number plus a PIN for authentication. The platform can be integrated into any client site via an API or plug-ins (a WordPress plug-in is currently available).
Registered users enter their phone number and the associated PIN on the login page; they then receive a notification from the KodeKey app prompting them to scan their fingerprint. The web service grants access only if the phone's fingerprint scanner authenticates the user. The app is available on both Android and iOS, but works only on newer handsets that have fingerprint scanners.
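The login flow just described, as an added server-side sketch that is not KodeKey's service: a correct phone number and PIN grants nothing by itself, it only opens a single-use, time-limited approval that the phone app must answer after the local fingerprint check, and the answer is checked against the very attempt it was issued for. The key provisioned into the app at enrollment, the HMAC answer format, the sample number and PIN, and the `fingerprint_ok` flag standing in for the operating system's biometric prompt are all assumptions made for this example.

```python
"""Out-of-band approval for a phone-number + PIN login, finished on the handset (illustration)."""
import hashlib
import hmac
import secrets
import time


class ApprovalServer:
    """Web service side: PIN check, then a push-style approval that the app must answer."""
    PIN_ROUNDS = 100_000     # PBKDF2 iterations for the stored PIN (assumed setting)
    TTL = 60.0               # seconds an unanswered approval stays valid (assumed setting)

    def __init__(self, now=time.time):
        self.now = now       # injectable clock so expiry can be exercised
        self.users = {}      # phone -> {"salt", "pin_hash", "device_key"}
        self.pending = {}    # approval_id -> {"phone", "expires"}

    def _pin_hash(self, pin, salt):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, self.PIN_ROUNDS)

    def enroll(self, phone, pin):
        """Register the number and PIN; return the key provisioned into the phone app."""
        salt, device_key = secrets.token_bytes(16), secrets.token_bytes(32)
        self.users[phone] = {"salt": salt, "pin_hash": self._pin_hash(pin, salt),
                             "device_key": device_key}
        return device_key

    def begin_login(self, phone, pin):
        """Step 1: check number + PIN. Success creates only a single-use, time-limited
        approval id (what the push notification carries); it never grants access itself."""
        user = self.users.get(phone)
        if user is None or not hmac.compare_digest(user["pin_hash"],
                                                   self._pin_hash(pin, user["salt"])):
            return None                           # a real service also rate-limits here
        approval_id = secrets.token_urlsafe(16)
        self.pending[approval_id] = {"phone": phone, "expires": self.now() + self.TTL}
        return approval_id

    def complete_login(self, approval_id, phone, device_mac):
        """Step 2: the app answers with HMAC(device_key, approval_id), which it can only
        produce once the local fingerprint check released the key. The approval is
        consumed whatever the outcome, and must match this phone and be unexpired."""
        req = self.pending.pop(approval_id, None)
        if req is None or req["phone"] != phone or self.now() > req["expires"]:
            return False
        expected = hmac.new(self.users[phone]["device_key"], approval_id.encode(),
                            "sha256").digest()
        return device_mac is not None and hmac.compare_digest(expected, device_mac)


def app_approve(device_key, approval_id, fingerprint_ok):
    """Phone app side. `fingerprint_ok` stands in for the OS biometric prompt's result;
    without it the device key is never touched, so no answer reaches the server."""
    if not fingerprint_ok:
        return None
    return hmac.new(device_key, approval_id.encode(), "sha256").digest()


if __name__ == "__main__":
    server = ApprovalServer()
    key = server.enroll("+15555550123", "2580")     # constructed sample user
    aid = server.begin_login("+15555550123", "2580")
    print("approved on phone:", server.complete_login(aid, "+15555550123", app_approve(key, aid, True)))
    print("replayed approval:", server.complete_login(aid, "+15555550123", app_approve(key, aid, True)))
```

The two details worth copying from this sketch are that the approval id is popped from the pending table before anything else is checked, so a replayed or mismatched answer burns the attempt rather than leaving it open, and that the answer is keyed to the specific approval id, so a user cannot be tricked into approving one login attempt while an attacker rides a different one.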
The company hopes to provide enterprise-level security for banks, credit card companies, cable providers, wireless providers and cloud services, and plans to develop plug-ins for a wide range of platforms in the future.

Mobile authentication

As mobile devices become ever more widespread, users have an ever-present and personal tool with which to store and present their digital identity. This is becoming increasingly feasible as newer mobile operating systems offer trusted execution environments and hardware secure elements for storing sensitive data such as cryptographic credentials.
This is a trend being embraced by two
