In my previous blog, I briefly touched on the fact that many Internet of Things (IoT) devices today have defaulted to the lowest common denominator for security and authentication: passwords. IoT devices -- and to a lesser degree mobile devices -- introduce security and privacy risks because most have a limited input interface, which pushes users toward short, easily guessed passwords.
The proliferation of mobile and IoT-connected devices has accelerated the need for user authentication that moves beyond passwords, and there is evidence that individuals increasingly view password-based authentication as ill-suited for today’s complex threat landscape.
This blog will examine the strengths and weaknesses of passwords for mobile and IoT authentication, and what alternatives exist for businesses and individuals to move beyond passwords.
Password strengths are their weaknesses
Let’s face it: The prevalence of password authentication for security is no accident. There are several attributes of passwords that make them the popular choice, but each of these strengths is also related to a major weakness. For example:
- Users have a comfort level with passwords and understand them, but humans are really bad at picking secure passwords. Choosing a unique, random-enough password for each site is basically impossible for more than a handful of sites. Password recovery is often as easy as emailing a link to the user, but account recovery is the source of one of the most significant vulnerabilities: If an attacker gains access to your email, they can take over all your related accounts.
- Internet "cookies" mean that users can go weeks or months without typing their password, but cookies are an unreliable substitute: they expire; users forget passwords they don’t type frequently; browsers remember older, incorrect passwords; and account recovery is challenging if users forget which email address they registered with.
- Browsers now offer built-in password storage, but the store is typically protected only by the operating-system login, so any malware running as that user can read every saved password. Syncing passwords to the cloud solves the multi-device problem, but makes the sync account itself a single high-value target.
- Email addresses are naturally unique usernames, but people can lose access to their email account, or must deal with multiple accounts and lose track of which is which.
Mobile devices introduce new vulnerabilities
The use of passwords for security becomes even more problematic on mobile devices -- an issue given that individuals are storing an increasing amount of sensitive data on their smartphones and tablets. A recent survey of consumer behaviors by CTIA -- The Wireless Association, finds that 61% of wireless consumers use either a PIN or password to lock their mobile device -- up 20% from a similar survey conducted in 2012.
The use of passwords on mobile devices is complicated by the fact that it is hard to type random letters into a mobile keyboard; keyboards are optimized to complete words and phrases. Random letters matter because password-guessing attacks start from dictionaries of words and previously leaked passwords and apply mangling rules -- capitalization, letter-to-symbol substitutions, appended digits and years -- so "creative" combinations of words fall quickly as well.
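To make the dictionary point concrete, here is an added example (not code from the original post) of the kind of rule-based guessing described above: a five-word constructed wordlist is expanded with capitalization, leet substitutions, common suffixes and two-word joins, and the candidates are hashed and compared against a target. SHA-256 is used only so the example runs stand-alone; the wordlist, rule set and target passwords are all assumptions chosen for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
	"unicode"
)

// leet lists the letter-to-symbol substitutions a cracking rule set tries first.
var leet = map[rune][]rune{
	'a': {'@', '4'}, 'e': {'3'}, 'i': {'1', '!'}, 'o': {'0'}, 's': {'$', '5'},
}

// suffixes are the "make it complex" additions users bolt on to satisfy a policy.
var suffixes = []string{"", "1", "123", "!", "1!", "2014", "2015"}

// caps returns the capitalisations a word is tried in (ASCII words assumed).
func caps(w string) []string {
	return []string{strings.ToLower(w), strings.ToUpper(w[:1]) + w[1:], strings.ToUpper(w)}
}

// leetVariants returns every way of keeping or substituting each character.
func leetVariants(w []rune) []string {
	if len(w) == 0 {
		return []string{""}
	}
	rest := leetVariants(w[1:])
	choices := []rune{w[0]}
	if subs, ok := leet[unicode.ToLower(w[0])]; ok {
		choices = append(choices, subs...)
	}
	var out []string
	for _, c := range choices {
		for _, r := range rest {
			out = append(out, string(c)+r)
		}
	}
	return out
}

// Candidates expands a wordlist into the guesses an attacker would actually try:
// single words under the rules above, plus Title-cased two-word joins with a suffix.
func Candidates(dict []string) []string {
	var out []string
	for _, w := range dict {
		for _, c := range caps(w) {
			for _, v := range leetVariants([]rune(c)) {
				for _, s := range suffixes {
					out = append(out, v+s)
				}
			}
		}
	}
	for _, w1 := range dict {
		for _, w2 := range dict {
			for _, s := range suffixes {
				out = append(out, caps(w1)[1]+caps(w2)[1]+s) // e.g. DragonMonkey123
			}
		}
	}
	return out
}

func sha256hex(s string) string {
	sum := sha256.Sum256([]byte(s))
	return hex.EncodeToString(sum[:])
}

// Crack returns the first candidate whose SHA-256 matches targetHex, the number of
// guesses it took, and whether anything matched. A slow password hash would raise the
// cost per guess but would not shrink this candidate space.
func Crack(targetHex string, dict []string) (string, int, bool) {
	for i, c := range Candidates(dict) {
		if sha256hex(c) == targetHex {
			return c, i + 1, true
		}
	}
	return "", 0, false
}

func main() {
	dict := []string{"password", "dragon", "monkey", "summer", "welcome"} // constructed mini wordlist
	for _, pw := range []string{"P@ssw0rd1", "DragonMonkey123", "Summer2015", "xq7!Lp2v"} {
		found, n, ok := Crack(sha256hex(pw), dict)
		fmt.Printf("%-16s cracked=%v after %d guesses (%q)\n", pw, ok, n, found)
	}
}
```

The three "creative" passwords fall within a few thousand guesses; only the short random string survives, because no rule applied to a dictionary word produces it.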
It’s even harder to type numbers and symbols into a mobile keyboard, but that’s important to increase the randomness. Since passwords are so hard to type, apps tend to store the password (or a cookie/token) to let you log in by just starting the app. This means that if a phone with a weak or absent lock screen is stolen, a bad guy can get access to your apps and any sensitive personal information stored in them -- and if that includes your email, other accounts can be hijacked by resetting passwords, since the reset link gets sent to your email.
A final important note is that two-factor authentication is the equivalent of a security Band-Aid for the few people who actually use it. We use it in addition to passwords to try to make up for some of the weaknesses of passwords.
Moving beyond passwords
Simple passwords are easy to remember, which makes them easy to break. Complex passwords are hard to remember, which often leads individuals to manually store them. Either approach leaves individuals vulnerable to security threats.
On the other hand, your mobile phone is always with you, and it has built-in security, crypto, and networking features that the security community can leverage to create innovative ways of logging in.
A mobile device is a unique identifier that combines two factors: the phone itself is something the individual has, and the PIN or fingerprint that unlocks it is something they know or are. Because of that, smartphones can eliminate the need for usernames and passwords, and one could argue that instead of being the second factor, as is the case today, the smartphone can be the first and only factor. Remember that multi-factor authentication has a primary purpose: patch the horrible vulnerability of passwords. Without passwords, you don’t necessarily need multi-factor authentication.
Multi-factor authentication that does not involve passwords has several logical use cases, including logging into websites, logging into mobile apps, single sign-on, and logging into devices with limited interfaces. How could mobile device authentication without passwords work? Consider the following scenario:
- You click “login” on the website.
- Instead of a password, you get a phone notification with an “approve/reject” button for the login.
- If you approve on your phone, the website refreshes and you are logged in.
When you approve the login, some crypto happens in the background: the phone holds a private key generated when the device was enrolled, the website sends it a one-time challenge tied to that particular login attempt, the phone signs the challenge, and the website verifies the signature against the public key it stored at enrollment. This asymmetric-key exchange is stronger than anything password security offers -- nothing reusable ever leaves the phone -- and at the same time it’s easier to use; you don’t have to generate, type, remember, or store passwords.
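The exchange described above, written out as an added example that is not part of the original post: a server that issues per-login challenges and verifies the phone's signed approval, and a device that holds the private key and signs what the user approves. The message layout, the two-minute challenge lifetime, the session and user identifiers, and the use of Ed25519 are all assumptions made for illustration; real deployments would add transport security, push delivery and hardware-backed key storage on the phone.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// Challenge is what the server pushes to the phone. The random nonce ties the
// approval to this one login attempt; Origin names the site the approval is for.
type Challenge struct {
	SessionID string
	Origin    string
	Nonce     []byte
	Expires   time.Time
}

// Approval is the phone's reply: a signature over the challenge with the device
// key. No password is typed or transmitted at any point.
type Approval struct {
	UserID    string
	SessionID string
	Signature []byte
}

// signedBytes is the canonical message both sides sign/verify. '|' separates the
// fields on the assumption that origins and session IDs never contain it.
func signedBytes(origin, sessionID string, nonce []byte) []byte {
	return []byte(fmt.Sprintf("push-login-v1|%s|%s|%x", origin, sessionID, nonce))
}

type pending struct {
	userID string
	ch     Challenge
}

// Server keeps the public keys registered at enrollment and the challenges that
// are still waiting for an approval.
type Server struct {
	Origin  string
	keys    map[string]ed25519.PublicKey // userID -> device public key
	pending map[string]pending           // sessionID -> outstanding challenge
	now     func() time.Time             // injectable clock for testing expiry
}

func NewServer(origin string) *Server {
	return &Server{Origin: origin, keys: map[string]ed25519.PublicKey{},
		pending: map[string]pending{}, now: time.Now}
}

// Register stores the public half of a key pair generated on the phone.
func (s *Server) Register(userID string, pub ed25519.PublicKey) { s.keys[userID] = pub }

// StartLogin runs when the user clicks "login"; the challenge goes to the phone.
func (s *Server) StartLogin(userID, sessionID string) (Challenge, error) {
	if _, ok := s.keys[userID]; !ok {
		return Challenge{}, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return Challenge{}, err
	}
	ch := Challenge{SessionID: sessionID, Origin: s.Origin, Nonce: nonce,
		Expires: s.now().Add(2 * time.Minute)}
	s.pending[sessionID] = pending{userID: userID, ch: ch}
	return ch, nil
}

// CompleteLogin verifies the approval. The challenge is consumed on first use,
// success or failure, so a captured approval cannot be replayed later.
func (s *Server) CompleteLogin(a Approval) error {
	p, ok := s.pending[a.SessionID]
	if !ok {
		return errors.New("no outstanding challenge for session")
	}
	delete(s.pending, a.SessionID)
	if p.userID != a.UserID {
		return errors.New("approval is for a different user")
	}
	if s.now().After(p.ch.Expires) {
		return errors.New("challenge expired")
	}
	msg := signedBytes(p.ch.Origin, p.ch.SessionID, p.ch.Nonce)
	if !ed25519.Verify(s.keys[p.userID], msg, a.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

// Device models the phone. The private key never leaves it.
type Device struct {
	UserID string
	priv   ed25519.PrivateKey
}

func NewDevice(userID string) (*Device, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Device{UserID: userID, priv: priv}, pub, nil
}

// Approve is the "approve" tap: the phone signs the challenge exactly as received.
func (d *Device) Approve(ch Challenge) Approval {
	sig := ed25519.Sign(d.priv, signedBytes(ch.Origin, ch.SessionID, ch.Nonce))
	return Approval{UserID: d.UserID, SessionID: ch.SessionID, Signature: sig}
}

func main() {
	srv := NewServer("https://example.com")
	dev, pub, _ := NewDevice("alice")
	srv.Register("alice", pub) // enrollment
	ch, _ := srv.StartLogin("alice", "sess-1")
	ap := dev.Approve(ch)
	fmt.Println("first approval:", srv.CompleteLogin(ap))
	fmt.Println("replayed approval:", srv.CompleteLogin(ap))
}
```

Two design points carry the security argument: the server never stores anything that lets it impersonate the user (only public keys), and every challenge is random and single-use, so an approval observed on the wire is worthless afterwards. The phone's approve screen should show the origin and some session context so the user can reject a prompt they did not trigger.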
There are indeed concrete efforts underway to move beyond passwords for mobile security. Many smartphones today include a fingerprint scanner that app developers can leverage to increase security, while mobile phone manufacturers are including hardware-backed key storage that makes it extremely difficult for attackers to extract your keys, tokens, or cookies even from a stolen device.
At the end of the day, passwords have a lot going for them: They’re ubiquitously understood, free to implement, and relatively easy to use. For that reason, many have argued that they will always be with us. But we are starting to see cracks in the facade of password ubiquity, particularly when it comes to mobile devices and the expanding IoT ecosystem. For this reason, the time is ripe to push for broader adoption of new authentication mechanisms that are both easier to use and more secure than passwords.