Your body won’t replace your passwords
An Intelligent Environments White Paper, 2017
When you hear that the most common password is ‘123456’ it is easy to conclude that passwords are a flawed idea.
Effective passwords rely on randomness, something that we just aren’t equipped to generate or remember. Creating and remembering one good password is a serious challenge, but most of us need 25 [i]. No wonder, then, that a third of people claim they forget a password at least once a week [ii].
Worse still, under Moore’s Law passwords are becoming easier to crack with every passing year. Yet, despite decades of user education, we aren’t making our passwords any stronger.
The time seems ripe for biometrics to take over from passwords as the principal way we authenticate ourselves. But then again, we’ve been saying that for a very, very long time now.
Somehow, despite the existence of numerous body-based alternatives, the password, with all its flaws, is still with us.
The five most common passwords
1. 123456
2. password
3. 12345
4. 12345678
5. qwerty
Source: SplashData
i. https://www.microsoft.com/en-us/research/publication/a-large-scale-study-of-web-password-habits/
ii. https://www.buzzfeed.com/josephbernstein/survey-says-people-have-way-too-many-passwords-to-remember?utm_term=.anW5L479v#.gwXa3B9Y4
Passwords
Authentication became an issue for the first time when shared computing was taking off in the 1960s. Passwords were an obvious solution because they required no additional hardware, were easy to implement, and required few resources.
By the time other forms of authentication became practical or desirable, passwords were well dug in. Users understand how they work without any explanation, they can be entered quickly using a keyboard, they can be reset quickly and easily, companies know how to implement and support them, they’re cheap, require few computing resources, and work with hardware users already own.
So why, then, is there so much pressure to switch to something else?
“Putting a password on for each individual user as a lock seemed like a very straightforward solution... and nobody wanted to devote many machine resources to this authentication stuff.”
- Fred Schneider, Professor of Computer Science, Cornell University [iii]
iii. https://www.wired.com/2012/01/computer-password/
A flawed design
Verizon’s 2016 Data Breach Investigations Report found that 63% of confirmed data breaches involved weak, default or stolen passwords [iv].
Theft
Phishing is a form of social engineering attack that uses fraudulent emails to coerce users into entering usernames and passwords into fake websites that then steal their credentials. It has been a cost-effective form of attack for criminals for years and is the root cause of some of the biggest data breaches in history, not least the enormous 2014 breach of Sony Pictures [v].
Coercion
Many of us are happy to share passwords with friends, family, colleagues or even strangers. A study by Samsung revealed that 40% of us already know our partner’s email password, and more than a quarter know their Facebook login details [vi]. An eye-opening study in the journal Computers in Human Behaviour found that more than 40% of participants were happy to share a password with researchers after a simple gift of chocolate.
Cracking
A stolen password database is at the mercy of specialist password cracking hardware and software capable of generating billions of password hashes a second. A team of hobbyist password crackers with access to the leaked Ashley Madison database cracked 11 million of its users’ passwords in just 10 days [vii]. Recent research showed that, armed with a little personally identifiable information, a targeted attack against an individual had a 73% chance of discovering their password after just 100 guesses [viii].
Reuse
Hackers are wise to the fact that many of us reuse passwords, and will try stolen passwords on a range of popular websites. The problem is so commonplace that Facebook scours the internet for stolen credentials and locks out users found to have reused their passwords [ix].
iv. http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/
v. https://www.nytimes.com/2015/01/19/world/asia/nsa-tapped-into-north-korean-networks-before-sony-attack-officials-say.html?&_r=0
vi. http://www.dailymail.co.uk/sciencetech/article-2950936/Forget-roses-loved-one-access-EMAIL-half-people-think-sharing-passwords-sign-true-love.html
vii. https://arstechnica.com/security/2015/09/once-seen-as-bulletproof-11-million-ashley-madison-passwords-already-cracked/
viii. http://www.comp.lancs.ac.uk/~yanj2/ccs16.pdf
ix. http://krebsonsecurity.com/2013/11/facebook-warns-users-after-adobe-breach/
Table 1: Pros and cons of password authentication
Pros:
• Well understood by users
• Easy for users to set up and reset
• Easy to implement and integrate
• Quick to enter using a keyboard
Cons:
• Users struggle to create strong passwords
• Responsible for 20% of support calls [x]
• Behind 63% of confirmed data breaches
• Slow to enter with a touchscreen
• Poor identity check
• System only as strong as the weakest password
x. Forrester Q2 2015 Global Password Usage And Trends Online Survey
Biometrics
For a long time, biometric authentication (authentication based on measurable biological traits) has seemed like the technology most likely to supplant passwords. The strengths of biometrics deal directly with the weaknesses of passwords: they are secure, they don’t tax your memory or rely on your ability to keep them a secret, and you can’t lose, forget or share them. Biometrics are often easier to use than passwords (Apple’s TouchID is often described as ‘frictionless’) and are a better identity check because they are implicitly tied to a single individual.
Illustration: List of biometrics by type [xi]
Visual: Retina, Iris, Ear, Face, Signature, Fingerprint, Finger vein
Spatial: Finger geometry, Hand geometry
Behavioural: Lip reading, Typing, Writing, Gait
Other: Voice, DNA, Electrocardiogram, Body odour
xi. http://www.biometricsinstitute.org/pages/types-of-biometrics.html
Biometrics in banking
UK retail banks have already started to adopt biometrics within their digital banking solutions and initiatives.
• Smartphone fingerprint sign-in is now commonplace in banking apps
• Santander is piloting ‘friction free’ payment authorisation by voice in their SmartBank app [xiii]
• HSBC’s telephone banking customers can log in with a ‘voiceprint’ [xii]
• Atom bank lets customers log in using a choice of their face, voice, or traditional passcode
• MasterCard’s identity check solution, commonly known as selfie-pay, allows customers to use face recognition for online purchases
• Barclays’ business customers can use finger vein scanners to authenticate themselves
• In the USA, Diebold and Citibank have both tested iris scan technology at ATMs.
xii. https://www.hsbc.co.uk/1/2/voice-id
xiii. https://www.biometricupdate.com/201702/santander-adds-voice-authentication-to-mobile-banking-app
Always the bridesmaid
Biometrics has been “the next big thing” in authentication for decades now. The first commercial tool for biometric access control, a hand recognition system, was produced back in 1974 [xiv]. However, the lack of progress suggests there are some serious intrinsic issues.
Costly, complex and fragmented
Biometrics typically rely on specialist hardware and software, which can be costly to produce and difficult to distribute and update. There is no consensus about the right way to do it, and there are countless combinations of devices, apps, metrics and implementations.
Personal and occasionally awkward
Biometric data is sensitive, personal information that users may be reluctant to share. Users may also be unwilling to use some types of biometrics in situations where they’d be happy to type a password, such as using voice recognition in a crowded office.
Analogue not digital
Password authentication is binary - you either enter the right password or you don’t. Biometrics say how likely it is that somebody is who they claim to be, and need to be tuned.
Difficult to reset
The track record of biometrics is chequered, and they can’t be reset if they’re compromised.
• The Chaos Computer Club famously hacked the iPhone’s TouchID within two days of its debut [xv].
• Microsoft Surface tablets and Apple iPhones have been unlocked with simple Play-Doh fingers [xvi].
• Face recognition systems have been fooled by Apple’s “Live Photo” feature (in effect, a short video portrait of a face) [xvii], and at Finovate recently one vendor’s live demo of their ability to defeat video imitation went spectacularly wrong in front of an audience of more than a thousand.
Table 2: Pros and cons of biometrics
Pros:
• Convenient, easy to use, even ‘frictionless’
• Users are all equally secure
• Good identity check
• Can’t be shared, lost or stolen
Cons:
• Can’t be reset
• Costly, particularly compared to passwords
• May raise privacy concerns
• Non-deterministic
xiv. https://www.biometricupdate.com/201501/history-of-biometrics
xv. http://www.ccc.de/en/updates/2013/ccc-breaks-apple-touchid
xvi. https://twitter.com/ArjunKharpal/status/702535248412856323?ref_src=twsrc%5Etfw
xvii. http://uk.businessinsider.com/bank-apps-facial-recognition-hacked-using-iphone-live-photos-2016-8?r=DE&IR=T
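The “analogue not digital” point, as a worked example added here (not from the white paper or any vendor): constructed match scores from a hypothetical fingerprint matcher, the false accept rate (FAR) and false reject rate (FRR) that a decision threshold trades off, and a helper that picks the lowest threshold meeting a tolerated FAR. The score values are invented for illustration.

```python
from typing import List, Tuple

# Constructed scores (0 = no match, 1 = perfect match) from a hypothetical
# fingerprint matcher: genuine attempts by the enrolled user and impostor
# attempts by other people. The two sets overlap, as real ones do.
GENUINE = [0.91, 0.88, 0.95, 0.79, 0.85, 0.93, 0.72, 0.89, 0.97, 0.83]
IMPOSTOR = [0.12, 0.35, 0.41, 0.22, 0.58, 0.30, 0.74, 0.19, 0.27, 0.45]


def false_accept_rate(impostor: List[float], threshold: float) -> float:
    """Share of impostor attempts wrongly accepted at this threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def false_reject_rate(genuine: List[float], threshold: float) -> float:
    """Share of genuine attempts wrongly rejected at this threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def sweep(genuine: List[float], impostor: List[float],
          steps: int = 20) -> List[Tuple[float, float, float]]:
    """(threshold, FAR, FRR) for thresholds 0.00, 0.05, ..., 1.00."""
    return [(i / steps,
             false_accept_rate(impostor, i / steps),
             false_reject_rate(genuine, i / steps))
            for i in range(steps + 1)]


def choose_threshold(genuine: List[float], impostor: List[float],
                     max_far: float) -> Tuple[float, float, float]:
    """Lowest threshold whose FAR stays within max_far. The FRR returned
    with it is the convenience cost paid for that level of security."""
    for t, far, frr in sweep(genuine, impostor):
        if far <= max_far:
            return t, far, frr
    return 1.0, 0.0, 1.0  # nothing is accepted at all


if __name__ == "__main__":
    for t, far, frr in sweep(GENUINE, IMPOSTOR):
        print(f"threshold {t:.2f}  FAR {far:.0%}  FRR {frr:.0%}")
    print("no impostors accepted:", choose_threshold(GENUINE, IMPOSTOR, 0.0))
    print("1 in 10 impostors tolerated:", choose_threshold(GENUINE, IMPOSTOR, 0.1))
```

With these scores, refusing every impostor costs one genuine user in ten a rejection, while tolerating one impostor in ten lets every genuine user through: the tuning decision a password check never has to make.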
Challenging the status quo
The traditional strengths and weakness of both passwords and biometrics are being challenged by recent developments in both fields.
Lowering the costs of biometrics
The FIDO Alliance, whose members include Alibaba, Google, ARM, Lenovo and MasterCard, aims to get on top of the “reinventing the wheel” that occurs in biometrics by creating a standardised back-end that will accept any compliant form of authentication.
The need for specific hardware for biometrics may disappear as implementations emerge that can use the cameras and microphones embedded in our computers, TVs and phones.
Behavioural biometrics
Behavioural biometrics (the study of how you do something) promise to provide capabilities missing from traditional forms of biometric authentication.
• User behaviour can be observed using commodity equipment (keyboards, mice, cameras, touchscreens and other sensors), removing the need for specialist hardware.
• Behavioural biometrics can be reset, like a password.
• Behavioural biometrics can provide continuous, real time authentication without users ever ‘logging in’.
“[our authentication] measures the pressure someone puts on the screen as they type, the angle they’re holding the phone, and how quick they move across the screen... We can monitor typing in real-time to verify a person is who they say they are just by watching their typing behaviour... Computationally what we do is quite light, so it’s not as if we need faster and better phones.” [xviii]
- Dr. Neil Costigan, CEO of BehavioSec
xviii. http://www.techradar.com/news/world-of-tech/future-tech/behavioural-biometrics-the-future-of-security-1302888/2
Two-factor authentication
Two-factor authentication (2FA) combines two forms of authentication, typically a password and a one-time passcode generated by a smartphone app or sent by SMS. 2FA nullifies the threat of stolen passwords and password guessing attacks, because by themselves the passwords are of no use.
2FA is less convenient for users than using a password or biometric, but significantly more secure. Google uses its own take on 2FA, called two-step authentication, extensively and has reduced the burden on users by using it to authorise devices rather than sessions.
Users logging in to Google from an unknown device have to enter a password and a one-time code when they log in. From then on they’ll only be required to provide a password to log in provided they do so from the same device (the device itself is now a second factor). Anyone trying to log in from another device will have to provide both the password and passcode.
2FA could extend the life of password authentication into the foreseeable future.
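The device-authorising two-step flow described above, modelled as an added example (not Google’s code or the paper’s): a standard RFC 6238 one-time code, and a hypothetical TwoStepLogin class that demands the code only from a device it has not seen and afterwards treats that device’s token as the second factor. User names, passwords and timestamps in the usage are constructed.

```python
import hashlib
import hmac
import secrets
import struct
from typing import Dict, Optional, Set, Tuple


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 code: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TwoStepLogin:
    """Hypothetical model of the flow: a code is demanded only from a device not
    seen before; from then on the device token stands in as the second factor."""

    def __init__(self) -> None:
        # user -> (salt, scrypt password hash, TOTP secret); trusted (user, token) pairs
        self._users: Dict[str, Tuple[bytes, bytes, bytes]] = {}
        self._trusted: Set[Tuple[str, str]] = set()

    @staticmethod
    def _pw_hash(password: str, salt: bytes) -> bytes:
        return hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)

    def register(self, user: str, password: str) -> bytes:
        salt, secret = secrets.token_bytes(16), secrets.token_bytes(20)
        self._users[user] = (salt, self._pw_hash(password, salt), secret)
        return secret  # provisioned into the user's authenticator app

    def login(self, user: str, password: str, now: int,
              device_token: Optional[str] = None,
              code: Optional[str] = None) -> Tuple[str, Optional[str]]:
        """Returns (status, device_token) with status 'ok', 'need-code' or 'denied'."""
        rec = self._users.get(user)
        if rec is None or not hmac.compare_digest(self._pw_hash(password, rec[0]), rec[1]):
            return "denied", None  # unknown user or wrong password
        if device_token is not None and (user, device_token) in self._trusted:
            return "ok", device_token  # known device: the password alone is enough
        if code is None:
            return "need-code", None  # unknown device: ask for the one-time code
        if not hmac.compare_digest(code, totp(rec[2], now)):
            return "denied", None
        token = secrets.token_urlsafe(32)  # authorise this device for later logins
        self._trusted.add((user, token))
        return "ok", token
```

A stolen password on its own only ever reaches the "need-code" state; the code and the device token are what lift it to "ok".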
Passwords 2.0?
Password authentication puts a significant and unfair responsibility on the shoulders of users: one bad password choice can endanger an entire system and its users. The historical answer to this problem has been to try to educate users or to enforce length, complexity and expiration standards on their passwords. Both have failed [xix].
In the last few years the emphasis has begun to swing away from training users to make good choices towards protecting them from bad ones. Microsoft Research, amongst others, has taken a long look at real world password use and advocates the following techniques:
• Stop users from choosing millions of known bad passwords
• Focus strengthening efforts on passwords that are vulnerable [xx]
• Use password strength meters that are proven to work, such as zxcvbn
• Use algorithms like bcrypt and scrypt for password storage
• Limit the number and rate of login attempts
Adopting this approach puts security professionals, rather than users, in the driving seat and could give passwords a new lease of life.
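The banned-list, storage and rate-limiting techniques from the list above, in one added Python example (not the paper’s or Microsoft’s code): a constructed banned list, scrypt password storage with a per-user salt, constant-time verification, and a sliding-window limit on failed login attempts. The 8-character minimum and the limit of 5 failures per 5 minutes are assumed values; a strength meter such as zxcvbn is left out.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque
from typing import Dict, Optional

# Constructed stand-in for the "millions of known bad passwords": the five
# SplashData entries quoted earlier. A deployment loads a full breach corpus.
BANNED = {"123456", "password", "12345", "12345678", "qwerty"}

def policy_violation(password: str, banned=BANNED) -> Optional[str]:
    """Why a candidate password is rejected, or None if it may be used."""
    if password.lower() in banned:
        return "password is on the banned list"
    if len(password) < 8:  # assumed minimum length; the paper gives no figure
        return "password is shorter than 8 characters"
    return None

def hash_password(password: str, n: int = 2 ** 14, r: int = 8, p: int = 1) -> str:
    """scrypt with a fresh random salt; the parameters travel with the hash."""
    salt = os.urandom(16)
    dk = hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p, dklen=32)
    return f"scrypt${n}${r}${p}${salt.hex()}${dk.hex()}"

def verify_password(password: str, stored: str) -> bool:
    _, n, r, p, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                        n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))  # constant-time

class LoginLimiter:
    """Sliding-window cap on failed attempts per account (assumed 5 in 5 min)."""

    def __init__(self, max_failures: int = 5, window_s: float = 300.0) -> None:
        self.max_failures, self.window_s = max_failures, window_s
        self._failures: Dict[str, deque] = defaultdict(deque)

    def is_locked(self, user: str, now: float) -> bool:
        q = self._failures[user]
        while q and now - q[0] > self.window_s:  # drop failures outside the window
            q.popleft()
        return len(q) >= self.max_failures

    def record_failure(self, user: str, now: float) -> None:
        self._failures[user].append(now)

def login(store: Dict[str, str], limiter: LoginLimiter, user: str,
          password: str, now: Optional[float] = None) -> str:
    """'ok', 'bad-credentials' or 'locked'; failures count even for unknown users."""
    now = time.time() if now is None else now
    if limiter.is_locked(user, now):
        return "locked"
    stored = store.get(user)
    if stored is None or not verify_password(password, stored):
        limiter.record_failure(user, now)
        return "bad-credentials"
    return "ok"
```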
Table 3: Comparison of passwords, 2FA, a visual biometric and two behavioural biometrics
                     Password   2FA         Fingerprints   Type / touch   Behavioural
Setup speed          Fast       Medium      Fast           Slow           Fast
Can be reset
Continuous
Sensor requirement
Replay attacks       Easy       Very hard   Hard           Very hard      Very hard
Sharable
Deterministic
xix. https://www.microsoft.com/en-us/research/publication/password-guidance/?from=http%3A%2F%2Fresearch.microsoft.com%2Fpubs%2F265143%2Fmicrosoft_password_guidance.pdf
xx. https://www.microsoft.com/en-us/research/wp-content/uploads/2016/09/pushingOnString.pdf
Conclusions
Biometrics can certainly offer a more intuitive and, in some cases, more secure customer experience. However, they are also expensive and complex. They will increasingly play an important role, but as part of an overall risk-based strategy.
To say they are better than passwords is wrong - your body won’t replace your passwords.
Password authentication will continue to enjoy the considerable advantages of low cost, incumbency, simplicity, familiarity and freedom from concerns about privacy, for a long time to come.
Biometrics win for convenience, especially in phone apps where risks are low, typing is difficult and the cost of sensors is carried by the customer. They are perfect for checking the status of financial products that are accessed infrequently, such as mortgages, savings and car finance.
But even where the strength and convenience of biometrics make them attractive, passwords have a role to play. Used together, biometrics and passwords create a form of two-factor authentication that’s better than either on its own: easier to use than other forms of 2FA, highly secure, deterministic and easy to reset.
About the Author
Simon Cadbury,
Director of Strategy & Innovation Intelligent Environments
Simon is a product marketer and strategist with 18 years’ experience working for a range of major international brands. Simon’s role is to work with Intelligent Environments’ investors to set and deliver the company’s mid and long term strategy, as well as overall responsibility for the product development and management of Interact, the company’s core product offering.
Simon joined in 2013 from Lloyds Banking Group, where he was responsible for payment technology and also sat on the Credit Card division’s leadership team. Prior to this he worked on the launch of a number of firsts in new technology – the Blackberry (BT Cellnet), BT Openzone (BT Retail), 3G Live! (Vodafone Australia) and Sky HD (BSKYB).
About Intelligent Environments
Intelligent Environments is an international provider of innovative financial services technology. Our mission is to enable our clients to deliver a simple, secure and effortless digital customer experience.
We do this through Interact®, our digital financial services platform, which enables secure customer acquisition, onboarding, engagement, transactions and servicing across any digital channel and device. Today these are predominantly focused on smartphones, PCs and tablets. However Interact® will support other devices, if and when they become mainstream.
We provide a more viable option to internally developed technology, enabling our clients with a fast route to market whilst providing the expertise to manage the complexity of multiple channels, devices and operating systems. Interact® is a continuously evolving digital customer engagement platform that ensures our clients keep pace with the fast moving digital landscape.
We are immensely proud of our achievements, in relation to our innovation, our thought leadership, our industrywide recognition, our demonstrable product differentiation, the diversity of our client base, and the calibre of our partners.
For many years we have been the digital heart of a diverse range of financial services providers including Generali Wealth Management, HRG, Ikano Retail Finance, Lloyds Banking Group, MotoNovo Finance, Think Money Group and Toyota Financial Services.