An Intelligent Environments White Paper

Your body won’t replace your passwords

2017

When you hear that the most common password is ‘123456’ it is easy to conclude that passwords are a flawed idea.

Effective passwords rely on randomness, something that we just aren’t equipped to generate or remember. Creating and remembering one good password is a serious challenge, but most of us need around 25 [i]. No wonder, then, that a third of people claim they forget a password at least once a week [ii].

Worse still, as computing power gets cheaper every year (Moore’s Law), the number of guesses an attacker can try against a stolen password hash keeps rising, so passwords become easier to crack with every passing year. Yet, despite decades of user education, we aren’t making our passwords any stronger.

The time seems ripe for biometrics to take over from passwords as the principal way we authenticate ourselves. But then again we’ve been saying that for a very, very long time now.

Somehow, despite the existence of numerous body-based alternatives, the password, with all its flaws, is still with us.

The five most common passwords

1. 123456

2. password

3. 12345

4. 12345678

5. qwerty

Source: SplashData

[i] https://www.microsoft.com/en-us/research/publication/a-large-scale-study-of-web-password-habits/

[ii] https://www.buzzfeed.com/josephbernstein/survey-says-people-have-way-too-many-passwords-to-remember?utm_term=.anW5L479v#.gwXa3B9Y4

Passwords

Authentication became an issue for the first time when shared computing was taking off in the 1960s. Passwords were an obvious solution because they required no additional hardware, were easy to implement, and required few resources.

By the time other forms of authentication became practical or desirable, passwords were well dug in. Users understand how they work without any explanation, they can be entered quickly using a keyboard, they can be reset quickly and easily, companies know how to implement and support them, they’re cheap, require few computing resources, and work with hardware users already own.

So why, then, is there so much pressure to switch to something else?

“Putting a password on for each individual user as a lock seemed like a very straightforward solution... and nobody wanted to devote many machine resources to this authentication stuff.”

- Fred Schneider, Professor of Computer Science, Cornell University [iii]

[iii] https://www.wired.com/2012/01/computer-password/

A flawed design

Verizon’s 2016 Data Breach Investigations Report found that 63% of confirmed data breaches involved weak, default or stolen passwords [iv].

Theft

Phishing is a form of social engineering attack that uses fraudulent emails to trick users into entering usernames and passwords into fake websites that then steal their credentials. It has been a cost-effective form of attack for criminals for years and is the root cause of some of the biggest data breaches in history, not least the enormous 2014 breach of Sony Pictures [v].

Coercion

Many of us are happy to share passwords with friends, family, colleagues or even strangers. A study by Samsung revealed that 40% of us already know our partner’s email password, and more than a quarter know their Facebook login details [vi]. An eye-opening study in the journal Computers in Human Behavior found that more than 40% of participants were happy to share a password with researchers after a simple gift of chocolate.

Cracking

A stolen password database is at the mercy of specialist password-cracking hardware and software capable of computing billions of password hashes a second against a fast hash such as MD5 or SHA-1. A team of hobbyist password crackers with access to the leaked Ashley Madison database cracked 11 million of its users’ passwords in just 10 days [vii]. Recent research showed that, armed with a little personally identifiable information, a targeted attack against an individual had a 73% chance of discovering their password after just 100 guesses [viii].

Reuse

Hackers are wise to the fact that many of us reuse passwords, and will try stolen passwords on a range of popular websites. The problem is so commonplace that Facebook scours the internet for stolen credentials and locks out users found to have reused their passwords [ix].

[iv] http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/

[v] https://www.nytimes.com/2015/01/19/world/asia/nsa-tapped-into-north-korean-networks-before-sony-attack-officials-say.html?&_r=0

[vi] http://www.dailymail.co.uk/sciencetech/article-2950936/Forget-roses-loved-one-access-EMAIL-half-people-think-sharing-passwords-sign-true-love.html

[vii] https://arstechnica.com/security/2015/09/once-seen-as-bulletproof-11-million-ashley-madison-passwords-already-cracked/

[viii] http://www.comp.lancs.ac.uk/~yanj2/ccs16.pdf

[ix] http://krebsonsecurity.com/2013/11/facebook-warns-users-after-adobe-breach/

Table 1: Pros and cons of password authentication

Pros

  • Well understood by users

  • Easy for users to set up and reset

  • Easy to implement and integrate

  • Quick to enter using a keyboard

Cons

  • Users struggle to create strong passwords

  • Responsible for 20% of support calls [x]

  • Behind 63% of confirmed data breaches

  • Slow to enter with a touchscreen

  • Poor identity check

  • System only as strong as the weakest password

[x] Forrester Q2 2015 Global Password Usage And Trends Online Survey

Biometrics

For a long time, biometric authentication (authentication based on measurable biological traits) has seemed like the technology most likely to supplant passwords. The strengths of biometrics deal directly with the weaknesses of passwords: they are secure, they don’t tax your memory or rely on your ability to keep them a secret, and you can’t lose, forget or share them. Biometrics are often easier to use than passwords (Apple’s Touch ID is often described as ‘frictionless’) and are a better identity check because they are implicitly tied to a single individual.

Illustration: List of biometrics by type [xi]

Visual: Retina, Iris, Ear, Face, Signature, Fingerprint, Finger vein

Spatial: Finger geometry, Hand geometry

Behavioural: Lip reading, Typing, Writing, Gait

Other: Voice, DNA, Electrocardiogram, Body odour

[xi] http://www.biometricsinstitute.org/pages/types-of-biometrics.html

Biometrics in banking

UK retail banks have already started to adopt biometrics within their digital banking solutions and initiatives.

• Smartphone fingerprint sign-in is now commonplace in banking apps

• Santander is piloting ‘friction free’ payment authorisation by voice in its SmartBank app [xiii]

• HSBC’s telephone banking customers can log in with a ‘voiceprint’ [xii]

• Atom bank lets customers log in using a choice of their face, voice, or a traditional passcode

• MasterCard’s Identity Check solution, commonly known as ‘selfie pay’, allows customers to use face recognition for online purchases

• Barclays’ business customers can use finger vein scanners to authenticate themselves

• In the USA, Diebold and Citibank have both tested iris scan technology at ATMs

[xii] https://www.hsbc.co.uk/1/2/voice-id

[xiii] https://www.biometricupdate.com/201702/santander-adds-voice-authentication-to-mobile-banking-app

Costly, complex and fragmented

Biometrics typically rely on specialist hardware and software, which can be costly to produce and difficult to distribute and update. There is no consensus about the right way to do it and there are countless combinations of devices, apps, metrics and implementations.

Personal and occasionally awkward

Biometric data is sensitive, personal information that users may be reluctant to share. Users may also be unwilling to use some types of biometrics in situations where they’d be happy to type a password, such as using voice recognition in a crowded office.

Analogue not digital

Password authentication is binary: you either enter the right password or you don’t. A biometric match is not. The live sample is compared with the enrolled template and produces a similarity score, and the system has to decide how high a score is good enough. That threshold has to be tuned: set it too loose and impostors get in (false accepts); set it too tight and legitimate users are turned away (false rejects). The same person presenting the same finger can pass one day and fail the next.
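As an added illustration of why that threshold has to be tuned (this is example code written for this edition, not code from the paper or from any vendor, and the match scores are constructed, not real sensor output), the following Python sweeps a decision threshold over genuine and impostor scores, reports the false accept rate (FAR) and false reject rate (FRR) at each setting, and picks two operating points: the equal error rate, and the loosest threshold that still meets a FAR limit.

```python
"""Tuning a biometric decision threshold.

Added example: the match scores below are constructed for illustration, not
readings from a real sensor. A score is how closely a live sample matched the
enrolled template (1.0 = identical).
"""
from typing import List, Sequence, Tuple

# Constructed scores. Genuine = the enrolled user, impostor = somebody else.
GENUINE_SCORES = [0.91, 0.88, 0.95, 0.83, 0.90, 0.70, 0.93, 0.86, 0.97, 0.81, 0.74, 0.89]
IMPOSTOR_SCORES = [0.21, 0.35, 0.48, 0.30, 0.62, 0.27, 0.55, 0.40, 0.78, 0.33, 0.72, 0.52]

OperatingPoint = Tuple[float, float, float]  # (threshold, FAR, FRR)


def decide(score: float, threshold: float) -> bool:
    """The only binary step: accept if the match score clears the threshold."""
    return score >= threshold


def error_rates(threshold: float, genuine: Sequence[float],
                impostor: Sequence[float]) -> Tuple[float, float]:
    """FAR = impostors accepted / impostors; FRR = genuine users rejected / genuine."""
    far = sum(1 for s in impostor if decide(s, threshold)) / len(impostor)
    frr = sum(1 for s in genuine if not decide(s, threshold)) / len(genuine)
    return far, frr


def sweep(genuine: Sequence[float], impostor: Sequence[float],
          steps: int = 100) -> List[OperatingPoint]:
    """FAR and FRR at every threshold from 0.00 to 1.00 in 1/steps increments."""
    points = []
    for i in range(steps + 1):
        t = i / steps
        far, frr = error_rates(t, genuine, impostor)
        points.append((t, far, frr))
    return points


def equal_error_point(genuine: Sequence[float], impostor: Sequence[float]) -> OperatingPoint:
    """Threshold where FAR and FRR are closest: the usual headline figure for a sensor."""
    return min(sweep(genuine, impostor), key=lambda p: abs(p[1] - p[2]))


def point_for_max_far(genuine: Sequence[float], impostor: Sequence[float],
                      max_far: float) -> OperatingPoint:
    """Loosest threshold whose FAR is within a policy limit (e.g. 0 for a high-value action).

    Tightening FAR raises FRR: the cost is paid in legitimate users being turned away.
    """
    for point in sweep(genuine, impostor):
        if point[1] <= max_far:
            return point
    return (1.0, 0.0, 1.0)  # nothing is ever accepted


if __name__ == "__main__":
    eer_t, far, frr = equal_error_point(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"equal error rate: threshold={eer_t:.2f} FAR={far:.3f} FRR={frr:.3f}")
    strict_t, far, frr = point_for_max_far(GENUINE_SCORES, IMPOSTOR_SCORES, 0.0)
    print(f"FAR=0 policy:     threshold={strict_t:.2f} FAR={far:.3f} FRR={frr:.3f}")
    # The same live sample can pass or fail depending purely on the tuning.
    for t in (eer_t, strict_t):
        print(f"score 0.75 at threshold {t:.2f}: {'accept' if decide(0.75, t) else 'reject'}")
```

With these constructed scores the equal error point sits at a threshold of 0.73, where one impostor in twelve is accepted and one genuine user in twelve is rejected; insisting on zero false accepts pushes the threshold to 0.79 and doubles the false rejects. A sample scoring 0.75 is accepted under the first policy and rejected under the second, which is exactly the non-determinism the paper is pointing at.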

Difficult to reset

Biometrics have a chequered security record and, unlike a password, can’t be reset if they’re compromised.

• The Chaos Computer Club famously hacked the iPhone’s Touch ID within two days of its debut [xv].

• Microsoft Surface tablets and Apple iPhones have been unlocked with simple Play-Doh fingers [xvi].

• Face recognition systems have been fooled by Apple’s “Live Photo” feature (in effect, a short video portrait of a face) [xvii], and at Finovate recently one vendor’s live demo of its ability to defeat video imitation went spectacularly wrong in front of an audience of more than a thousand.

Table 2: Pros and cons of biometrics

Pros

  • Convenient, easy to use, even ‘frictionless’

  • Users are all equally secure

  • Good identity check

  • Can’t be shared, lost or stolen

Cons

  • Can’t be reset

  • Costly, particularly compared to passwords

  • May raise privacy concerns

  • Non-deterministic

Always the bridesmaid

Biometrics have been “the next big thing” in authentication for decades now. The first commercial tool for biometric access control, a hand recognition system, was produced back in 1974 [xiv]. However, the lack of progress suggests there are some serious intrinsic issues.

[xiv] https://www.biometricupdate.com/201501/history-of-biometrics

[xv] http://www.ccc.de/en/updates/2013/ccc-breaks-apple-touchid

[xvi] https://twitter.com/ArjunKharpal/status/702535248412856323?ref_src=twsrc%5Etfw

[xvii] http://uk.businessinsider.com/bank-apps-facial-recognition-hacked-using-iphone-live-photos-2016-8?r=DE&IR=T

Challenging the status quo

The traditional strengths and weaknesses of both passwords and biometrics are being challenged by recent developments in both fields.

Lowering the costs of biometrics

The FIDO Alliance, whose members include Alibaba, Google, ARM, Lenovo and MasterCard, aims to get on top of the “reinventing the wheel” that occurs in biometrics by creating a standardised back-end that will accept any compliant form of authentication. Under the FIDO protocols the biometric itself never leaves the user’s device: it unlocks a private key held on the device, and the server only ever verifies a signed challenge, so one back-end works with any compliant authenticator and never holds biometric data.

The need for specific hardware for biometrics may disappear as implementations emerge that can use the cameras and microphones embedded in our computers, TVs and phones.

Behavioural biometrics

Behavioural biometrics (the study of how you do something) promises to provide capabilities missing from traditional forms of biometric authentication.

• User behaviour can be observed using commodity equipment (keyboards, mice, cameras, touchscreens and other sensors), removing the need for specialist hardware.

• Behavioural biometrics can be reset, like a password

• Behavioural biometrics can provide continuous, real time authentication without users ever ‘logging in’.
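To make the three claims above concrete, here is a small keystroke-dynamics checker. It is added example code written for this edition (not BehavioSec’s or anyone else’s product), and the keystroke timings are constructed, not recorded from real users. It builds a template from a few enrolment sessions using nothing but key press and release timestamps, scores later typing against it, and re-scores a running stream every few keystrokes so that authentication is continuous; because the template is just statistics, “resetting” it means re-enrolling.

```python
"""Keystroke dynamics as a behavioural biometric.

Added example. Event timings are constructed for illustration, not captured
from real users. An event is (key, press_ms, release_ms).
"""
import statistics
from typing import Dict, List, Sequence, Tuple

Event = Tuple[str, int, int]
Template = Dict[str, Tuple[float, float]]  # feature -> (mean, standard deviation)


def make_events(dwells: Sequence[int], flights: Sequence[int], start: int = 0) -> List[Event]:
    """Build a constructed event stream from hold times (dwell) and gaps between keys (flight)."""
    events, t = [], start
    for i, dwell in enumerate(dwells):
        events.append(("k", t, t + dwell))
        t += dwell + (flights[i] if i < len(flights) else 0)
    return events


def features(events: Sequence[Event]) -> Dict[str, float]:
    """Rhythm features of one typing window; only a commodity keyboard is needed."""
    dwells = [release - press for _, press, release in events]
    flights = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return {
        "dwell_mean": statistics.fmean(dwells),
        "dwell_sd": statistics.pstdev(dwells),
        "flight_mean": statistics.fmean(flights),
        "flight_sd": statistics.pstdev(flights),
    }


def enrol(sessions: Sequence[Sequence[Event]]) -> Template:
    """Template = per-feature mean and spread over enrolment sessions. Re-running this is the reset."""
    per_session = [features(s) for s in sessions]
    template: Template = {}
    for name in per_session[0]:
        values = [f[name] for f in per_session]
        # Floor the spread at 1 ms so a very consistent enroller does not make every probe fail.
        template[name] = (statistics.fmean(values), max(statistics.pstdev(values), 1.0))
    return template


def score(template: Template, events: Sequence[Event]) -> float:
    """Mean absolute z-score of a window against the template. Lower = more like the enrolled user."""
    f = features(events)
    return statistics.fmean([abs(f[name] - mu) / sd for name, (mu, sd) in template.items()])


def continuous_check(template: Template, stream: Sequence[Event], window: int = 8,
                     threshold: float = 3.0) -> List[Tuple[int, float, bool]]:
    """Re-score every `window` keystrokes with no login step; returns (keystrokes seen, score, trusted)."""
    verdicts = []
    for end in range(window, len(stream) + 1, window):
        s = score(template, stream[end - window:end])
        verdicts.append((end, round(s, 2), s <= threshold))
    return verdicts


# Constructed enrolment sessions for one user: roughly 95 ms holds, 145 ms gaps.
ENROLMENT = [
    make_events([90, 100, 95, 105, 92, 98, 101, 94], [140, 150, 135, 145, 138, 152, 141]),
    make_events([93, 97, 99, 102, 88, 96, 104, 91], [144, 148, 139, 151, 136, 147, 143]),
    make_events([95, 101, 92, 99, 94, 103, 97, 90], [137, 153, 142, 146, 140, 149, 138]),
]
# Constructed later typing: the same user for 8 keys, then a faster, choppier impostor.
GENUINE_DWELLS, GENUINE_FLIGHTS = [94, 99, 96, 103, 91, 97, 100, 95], [141, 149, 138, 147, 139, 150, 142]
IMPOSTOR_DWELLS, IMPOSTOR_FLIGHTS = [70, 65, 72, 68, 75, 66, 71, 69], [220, 240, 210, 230, 225, 235, 215]
STREAM = make_events(GENUINE_DWELLS + IMPOSTOR_DWELLS, GENUINE_FLIGHTS + [150] + IMPOSTOR_FLIGHTS)

if __name__ == "__main__":
    template = enrol(ENROLMENT)
    for seen, s, ok in continuous_check(template, STREAM):
        print(f"after {seen:2d} keystrokes: score={s:5.2f} {'trusted' if ok else 'CHALLENGE'}")
```

The first eight keystrokes of the stream score well under the threshold and the session stays trusted; the next eight, typed by the impostor, blow through it and would trigger a step-up challenge without the user ever having “logged in”. Note that the threshold here is the same tuning problem as for any other biometric, so the FAR/FRR trade-off discussed above applies unchanged.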

“[our authentication] measures the pressure someone puts on the screen as they type, the angle they’re holding the phone, and how quick they move across the screen... We can monitor typing in real-time to verify a person is who they say they are just by watching their typing behaviour... Computationally what we do is quite light, so it’s not as if we need faster and better phones.” [xviii]

- Dr. Neil Costigan, CEO of BehavioSec

[xviii] http://www.techradar.com/news/world-of-tech/future-tech/behavioural-biometrics-the-future-of-security-1302888/2

Two factor authentication

Two-factor authentication (2FA) combines two forms of authentication, typically a password and a one-time passcode generated by a smartphone app or sent by SMS. 2FA blunts the threat of stolen passwords and password-guessing attacks, because by themselves the passwords are of no use. The caveat is that a one-time code is still a secret the user types in, so it can be captured if the user is tricked into entering it into a phishing site while it is valid.

2FA is less convenient for users than using a password or biometric alone, but significantly more secure. Google uses its own take on 2FA, called 2-Step Verification, extensively and has reduced the burden on users by using it to authorise devices rather than sessions.

Users logging in to Google from an unknown device have to enter a password and a one-time code when they log in. From then on they’ll only be required to provide a password to log in provided they do so from the same device (the device itself is now a second factor). Anyone trying to log in from another device will have to provide both the password and passcode.

2FA could extend the life of password authentication into the foreseeable future.
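A worked example of the one-time passcode half of 2FA, added here for this edition (it is not from the paper and is not Google’s implementation): an RFC 6238 TOTP generator as an authenticator app would run it, and the server-side verifier, which tolerates one 30-second step of clock drift either way but refuses to accept the same code twice. The shared secret is the ASCII test key published in RFC 6238 so the output can be checked against the standard’s own vectors; a real deployment uses a random per-user secret shared once at enrolment.

```python
"""One-time passcodes for 2FA: RFC 4226 HOTP and RFC 6238 TOTP.

Added example. SECRET is the ASCII test key from RFC 6238 Appendix B so the
codes can be checked against the published vectors; a real deployment uses a
random per-user secret shared once at enrolment.
"""
import hashlib
import hmac
import struct
import time
from typing import Set

SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated to `digits` decimals."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """The code an authenticator app shows at Unix time `at`: HOTP over the time-step counter."""
    return hotp(secret, at // step, digits)


class TotpVerifier:
    """Server side: accept a code for the current step or `skew` steps either side, once only."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, skew: int = 1):
        self.secret, self.step, self.digits, self.skew = secret, step, digits, skew
        self.used: Set[int] = set()  # counters already redeemed; a code must never work twice

    def verify(self, code: str, now: int) -> bool:
        counter = now // self.step
        for c in range(counter - self.skew, counter + self.skew + 1):
            if c in self.used:
                continue
            # Constant-time compare, so response timing leaks nothing about the expected code.
            if hmac.compare_digest(hotp(self.secret, c, self.digits), code):
                self.used.add(c)
                return True
        return False


if __name__ == "__main__":
    now = int(time.time())
    code = totp(SECRET, now)
    verifier = TotpVerifier(SECRET)
    print("code:", code, "first use:", verifier.verify(code, now), "replay:", verifier.verify(code, now))
```

The replay set is what turns a passcode that is merely time-limited into one that is genuinely single-use; without it, a code phished in the first few seconds of its window could be submitted again by the attacker before it expires. Google’s device-authorisation scheme described above layers on top of this: the verified code marks the device as trusted, and later logins from that device skip the prompt.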

Passwords 2.0?

Password authentication puts a significant and unfair responsibility on the shoulders of users: one bad password choice can endanger an entire system and its users. The historical answer to this problem has been to try to educate users or to enforce length, complexity and expiration rules on their passwords. Both have failed [xix].

In the last few years the emphasis has begun to swing away from training users to make good choices towards protecting them from bad ones. Microsoft Research, amongst others, has taken a long look at real world password use and advocates the following techniques:

• Stop users from choosing millions of known bad passwords

• Focus strengthening efforts on the passwords that are actually vulnerable [xx]

• Use password strength meters that are proven to work, such as zxcvbn

• Store passwords with deliberately slow, salted algorithms such as bcrypt and scrypt, so that each guess against a stolen database is expensive

• Limit the number and rate of log in attempts

Adopting this approach puts security professionals, rather than users, in the driving seat and could give passwords a new lease of life.

Table 3: Comparison of passwords, 2FA, a visual biometric and two behavioural biometrics

Criterion          | Password | Password + 2FA         | Fingerprints       | Type / touch                   | Behavioural
-------------------|----------|------------------------|--------------------|--------------------------------|------------------
Setup speed        | Fast     | Medium                 | Fast               | Slow                           | Fast
Can be reset       | Yes      | Yes                    | No                 | Yes                            | Yes
Continuous         | No       | No                     | No                 | Yes                            | Yes
Sensor requirement | Keyboard | Phone for codes        | Fingerprint reader | Commodity keyboard/touchscreen | Commodity sensors
Replay attacks     | Easy     | Very hard              | Hard               | Very hard                      | Very hard
Sharable           | Yes      | Yes, with both factors | No                 | No                             | No
Deterministic      | Yes      | Yes                    | No                 | No                             | No

[xix] https://www.microsoft.com/en-us/research/publication/password-guidance/?from=http%3A%2F%2Fresearch.microsoft.com%2Fpubs%2F265143%2Fmicrosoft_password_guidance.pdf

[xx] https://www.microsoft.com/en-us/research/wp-content/uploads/2016/09/pushingOnString.pdf

Conclusions

Biometrics can certainly offer a more intuitive and, in some cases, more secure customer experience. However they are also expensive and complex. They will increasingly play an important role, but as part of an overall risk-based strategy.

To say they are better than passwords is wrong - your body won’t replace your passwords.

Password authentication will continue to enjoy the considerable advantages of low cost, incumbency, simplicity, familiarity and freedom from concerns about privacy, for a long time to come.

Biometrics win for convenience: especially in phone apps where risks are low, typing is difficult and the cost of sensors is carried by the customer. They are well suited to checking the status of financial products that are accessed infrequently, such as mortgages, savings and car finance.

But even where the strength and convenience of biometrics make them attractive, passwords have a role to play. Used together, biometrics and passwords create a form of two-factor authentication that’s better than either on its own: easier to use than other forms of 2FA, highly secure, deterministic and easy to reset.

About the Author

Simon Cadbury,

Director of Strategy & Innovation Intelligent Environments

Simon is a product marketer and strategist with 18 years’ experience working for a range of major international brands. Simon’s role is to work with Intelligent Environments’ investors to set and deliver the company’s mid and long term strategy, as well as overall responsibility for the product development and management of Interact; the company’s core product offering.

Simon joined in 2013 from Lloyds Banking Group where he was responsible for payment technology and also sat on the Credit Card division’s leadership team. Prior to this he worked on the launch of a number of firsts in new technology – the Blackberry (BT Cellnet), BT Openzone (BT Retail), 3G Live! (Vodafone Australia) and Sky HD (BSkyB).

About Intelligent Environments

Intelligent Environments is an international provider of innovative financial services technology. Our mission is to enable our clients to deliver a simple, secure and effortless digital customer experience.

We do this through Interact®, our digital financial services platform, which enables secure customer acquisition, onboarding, engagement, transactions and servicing across any digital channel and device. Today these are predominantly focused on smartphones, PCs and tablets. However Interact® will support other devices, if and when they become mainstream.

We provide a more viable option to internally developed technology, enabling our clients with a fast route to market whilst providing the expertise to manage the complexity of multiple channels, devices and operating systems. Interact® is a continuously evolving digital customer engagement platform that ensures our clients keep pace with the fast moving digital landscape.

We are immensely proud of our achievements, in relation to our innovation, our thought leadership, our industrywide recognition, our demonstrable product differentiation, the diversity of our client base, and the calibre of our partners.

For many years we have been the digital heart of a diverse range of financial services providers including Generali Wealth Management, HRG, Ikano Retail Finance, Lloyds Banking Group, MotoNovo Finance, Think Money Group and Toyota Financial Services.

If you’d like to hear more please contact Simon Cadbury

+44 (0)20 8614 9861

Kingston upon Thames
Riverview House
20 Old Bridge Street
Kingston upon Thames
Surrey
KT1 4BU
+44 (0) 20 8614 9800

Belfast, Northern Ireland
Suite 1B Ground Floor
Concourse Building 1
Northern Ireland Science Park
Queens Road
Belfast
Northern Ireland
BT3 9DT
+44 (0) 2890 785 795

Digital Financial Solutions