Most experts agree that a password killer is necessary to bolster website security. People’s fondness for easy-to-guess passwords, often reused across sites, has severely weakened their effectiveness. In addition, fast password-cracking tools mean that even hashed (not merely encrypted) passwords taken from a breached site are often recovered by attackers in short order.
Because a smartphone is the one device few people are without, it’s seen as the perfect place to store credentials. Add the many sensors in a phone that can be used to identify a user, and the case for using the device for authentication becomes stronger.
“I think it’s brilliant,” Trent Henry, analyst for Gartner, said of smartphone-based authentication. “We’re finding that this will be the type of authentication mode in the future.”
A number of vendors with the same view as Henry are trying their best to drive the industry in that direction. Authy, Clef and Duo Security are examples of such vendors.
Even large security companies are getting into the market. Last month, EMC-owned RSA acquired PassBan, whose technology uses a smartphone for voice and facial recognition as part of multifactor authentication.
Today, most vendors use the mobile phone for two-factor authentication. If a website supports a vendor’s service, then when a person logs in, a one-time code is sent to the phone (or generated by an authenticator app on it). Entering that code completes the sign-in process.
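The code-on-the-phone step described above is usually a time-based one-time password (RFC 6238): the site and the phone share a secret, the phone derives a six-digit code from that secret and the current 30-second window, and the site recomputes the code and compares. The following is an added example written for this page, not code from Authy, Duo or any other vendor named in the article; the secret and timestamps are the published RFC 6238 test vectors, and the `TotpVerifier` class and its replay check are illustrative choices for the server side.

```python
"""Added example: RFC 4226 HOTP / RFC 6238 TOTP with a server-side verifier.

Not vendor code. Secret and timestamps are the RFC 6238 test vectors;
the verifier's window and replay policy are assumptions for illustration.
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 30
DIGITS = 6

# RFC 6238 Appendix B shared secret (ASCII "12345678901234567890").
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer reduced to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step).
    This is what the phone computes and shows to the user."""
    return hotp(secret, at // step, digits)


class TotpVerifier:
    """Server-side check for one user's shared secret.

    Accepts the current window plus `window` steps either side (clock
    drift), compares in constant time, and never accepts a window at or
    before the last one that produced a successful login, so a code
    captured by an attacker cannot be replayed within its lifetime.
    """

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window
        self.last_used_counter = -1  # assumption: persisted per user in practice

    def verify(self, submitted: str, at: int) -> bool:
        counter = at // STEP_SECONDS
        for c in range(counter - self.window, counter + self.window + 1):
            if c <= self.last_used_counter:
                continue  # already consumed, or older than a consumed window
            if hmac.compare_digest(hotp(self.secret, c), submitted):
                self.last_used_counter = c
                return True
        return False


if __name__ == "__main__":
    # The phone shows the code; the site checks it for the same moment.
    phone_code = totp(RFC_TEST_SECRET, 59)
    server = TotpVerifier(RFC_TEST_SECRET)
    print(phone_code, server.verify(phone_code, 59), server.verify(phone_code, 59))
```

The verifier deliberately rejects a second submission of the same code even though it is still inside the time window; a server that only checks "does the code match right now" accepts a code phished a few seconds earlier. The `window` of one step either side is the usual compromise between tolerating phone clock drift and widening the attacker's guessing window.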
Unfortunately, most consumers are unwilling to take those extra steps, so the search for an easier and more seamless method continues.
Authy moved in that direction last week with the introduction of an app that pairs an iPhone or Android phone with an Apple computer over Bluetooth. From then on, when the person visits Facebook, Dropbox, Google Gmail or another supported website, the credential stored on the phone is used to log into the site automatically.
Authy founder and CEO Daniel Palacio sees the app as only a beginning. In time, the same means of authentication could be used with Google Glass, a digital watch or some other type of wearable computer.
Authy’s work and that of its competitors reflect the industry’s search for the perfect solution, which is still a way off.
“The frothy experimentation in the market means we haven’t found the right sweet-spot solution yet, and we may never find a single one that suffices for all scenarios,” said Eve Maler, analyst for Forrester Research. “Passwords are unlikely to be entirely supplanted unless that single solution appears some day.”
For mobile phones to replace passwords, the devices will have to know when the actual owner is logging into a site and not a crook who either stole the phone or found it. Biometrics is one possible answer, provided that reliable and highly secure fingerprint scanners and voice and facial recognition technology can be developed.
Another possibility is phone sensors that can identify the user by the way he or she walks. Such technology, called gait recognition, is currently in the research stage at Georgia Institute of Technology and the Massachusetts Institute of Technology.
Once biometrics becomes rock solid in identifying a device’s user, “We’ll start to have a very, very, very secure authentication system that’s very hassle free,” Palacio said. “People just buy it and it works.”
While such a system may be much better than the passwords now in use, it does not mean hackers will be out of business.
“The attackers continue to go after these new techniques, so we have to be very careful about the security properties,” Henry said. “In other words, you still have to evaluate what kind of attacks could occur.”
by Antone Gonsalves, CSO (US)