Putting passwords out to pasture: Identity behaviour vs. identity authentication

Dominic Vogel writes that relying on passwords, strong or otherwise, is an outdated security practice. What's the next step?

Since the dawn of distributed information systems, username/password combinations have acted as the primary security mechanism. Twenty-plus years ago, when systems were not widely remotely accessible and the term advanced persistent threat referred only to acid reflux, passwords were highly effective. It was a time when a user's identity was easy to prove. Today, however, with high system complexity and a dizzying array of interconnected systems seemingly accessible anytime, anywhere, relying equally on passwords to protect systems of varying criticality (from your fantasy baseball team to your company's remote access site) seems like a strange dichotomy. Authenticating a user's identity can no longer be done with a high degree of certainty. As information systems rapidly evolved over the course of the past two decades, corresponding security mechanisms failed to keep pace. Instead, the use of passwords became ingrained in modern society to the point that the average individual needs to keep track of five to seven different passwords.

The security cognoscenti have long preached the importance of having long (12+ characters) and complex (uppercase letters, symbols, and numbers) passwords and of not reusing passwords amongst different platforms. While in theory this is good advice, in practice it is severely flawed. It is human nature to take the path of least resistance, especially when the more difficult alternative provides little incentive. Hence, many people will use the same basic password for their Facebook account as they do for the corporate business account. Can you recall five completely unique complex passwords? I'm relatively certain the average person can't (I can barely remember my shoe size). Yes, there are tools to alleviate having to remember multiple passwords (automated password managers like KeePass) or modifications such as using passphrases rather than passwords that are easier for the brain to recall. However, this just makes passwords easier for people to remember; it does nothing to address the underlying weaknesses of password security.

Even password best practices can be easily thwarted

For argument's sake, let's assume that every person magically uses lengthy and complex passwords (I doubt that even Harry Potter could conjure up a spell to make that happen). What about social engineering such as phishing? What about malware that leverages keyloggers for capturing keystrokes? Even with the assumption that every person follows password best practices, it is far too easy for a username/password to either be captured or found by a malicious outsider. All the energy that security professionals put into blaming users for failing to abide by their password standards is for naught, as a long and complex password does nothing against those aforementioned threats.

What about multi-factor authentication? Surely, that is the salvation that will extend the life of passwords (alas, it is not). Multi-factor authentication is purely a tactical move that forces cybercriminals to shift tactics (hardly a checkmate kind of move). Given that cybercriminals are highly motivated and agile, it was only a matter of time before multi-factor authentication controls were compromised. Well-respected security expert Bruce Schneier notes that "attackers would get around multi-factor authentication systems with tools that attack the transactions in real time: man-in-the-middle attacks and Trojan attacks against the client endpoint." Schneier was right, as Man in the Browser (MitB) attacks eventually surfaced. This is malware that lives in the web browser and wedges itself between the user and the website. It is capable of altering what is seen by the user and changing the details of what is actually entered in the system.

Move beyond passwords

Passwords are no longer an effective security control; in fact they are a major liability. We are at a tipping point where it is time for a seismic strategic shift in how we view the security frontlines. Instead of attempting to hopelessly authenticate the user's identity, why not focus our efforts on identifying the behaviour of each user? The credit card industry has invested greatly in this security model with resounding success. They realized that the card holder (or the "user") was not best suited to mitigate risk associated with their account. By investing heavily in behavioral fraud detection systems, credit card companies focused more on creating a baseline for the expected behavior of each user. Transactions that seemed out of character for a particular user would be prevented from going through or would warrant an out-of-band check. Such fraud detection systems could be applied in any corporate environment. Every employee carries out specific and expected tasks on a regular basis. Irregular activities such as emailing out the company's customer data list to an unexpected address, or intellectual property being covertly sent over an encrypted channel to a server in Ukraine would be flagged as suspicious and could consequently be prevented and investigated.
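The baseline-and-flag approach described above, as an added example that is not from the article or from any vendor's fraud-detection system. The event fields, the three-sigma volume threshold, the decision tiers and the sample history are all assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed history of outbound transfers: (user, recipient_domain, country, bytes)
HISTORY = [
    ("alice", "corp.example", "CA", 12_000),
    ("alice", "corp.example", "CA", 15_000),
    ("alice", "supplier.example", "US", 9_000),
    ("alice", "corp.example", "CA", 11_000),
    ("alice", "supplier.example", "US", 14_000),
]

def build_baselines(history):
    """Summarise each user's past behaviour: destinations seen and usual volume."""
    raw = defaultdict(lambda: {"domains": set(), "countries": set(), "sizes": []})
    for user, domain, country, size in history:
        raw[user]["domains"].add(domain)
        raw[user]["countries"].add(country)
        raw[user]["sizes"].append(size)
    return dict(raw)

def deviations(event, baselines):
    """List the ways an event departs from its user's baseline."""
    user, domain, country, size = event
    base = baselines.get(user)
    if base is None:
        return ["no baseline for this user"]
    found = []
    if domain not in base["domains"]:
        found.append("unfamiliar recipient domain")
    if country not in base["countries"]:
        found.append("unfamiliar destination country")
    sigma = pstdev(base["sizes"]) or 1.0  # avoid dividing by zero on flat history
    if (size - mean(base["sizes"])) / sigma > 3:  # assumed 3-sigma threshold
        found.append("volume far above usual")
    return found

def decide(event, baselines):
    """Map deviations to the outcomes named above: allow, out-of-band check, block."""
    found = deviations(event, baselines)
    if not found:
        return "allow", found
    if len(found) == 1:
        return "out-of-band check", found
    return "block and investigate", found

BASELINES = build_baselines(HISTORY)
if __name__ == "__main__":
    print(decide(("alice", "unknown.example", "ZZ", 5_000_000), BASELINES))
```

A single deviation triggers the out-of-band check rather than a block, so a legitimate first contact with a new recipient is confirmed instead of silently refused.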

Passwords have served us well; however, it is time to begin focusing on expected behaviour and building appropriate user baselines so we can lessen our reliance on an outdated security measure. Further investments in tools such as data leakage prevention would lead to the next generation of corporate fraud behaviour technologies. Tactical changes (such as multifactor authentication) will not allow for sustained success against cybercriminals (they have shown that they are very adept at quickly altering tactics). A major strategic change is required, one that will shift the balance of power to the defenders. This is not a simple change; there are 20+ years of inertia and system norms to overcome. Passwords have become so entrenched as the de facto security standard that it will take a major culture change within the security industry and the world at large to successfully complete such an undertaking. Needless to say, it would take a lot of time and effort. The alternative? Playing a game of cat-and-mouse that can never end.


Dominic Vogel is currently a security analyst for a financial institution in beautiful Vancouver, British Columbia.
