Issue No. 01 - January/February (2012 vol. 10)
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/MSP.2012.5
Markus Jakobsson , PayPal
Richard Chow , Palo Alto Research Center
Jesus Molina , consultant
Passwords have been used for authentication and authorization purposes since at least the time of Ali Baba. Generals used them to identify messengers, and sentries used them to restrict access to certain areas. Sometimes they were personal; other times they were shared by a group. Passwords are intuitive and were the obvious choice for access control at the dawn of the computer era. The emergence of the Internet changed our authentication needs as well as the risks—but passwords remained.
In fact, as the Internet became pervasive, password use mushroomed, resulting in usability problems: If you aren't supposed to use the same password at multiple sites, how do you create and remember tens of passwords, or hundreds? What do you do when you fail to remember? With easier access to accounts—anyone can try to gain access from anywhere at any time—what constitutes a secure password? The answer to this question has changed with the progression of computational power.
Secure passwords bring their own problems. Paradoxically, demands for increasingly secure passwords can lead to a decrease in security. Secure passwords typically increase the memorization burden and make input a chore, especially in mobile devices' constrained user interfaces. Users react to this increased burden with workarounds, which in turn undermine system security.
Is it possible to have secure passwords and maintain acceptable usability? We believe so, but we aren't certain that currently deployed solutions offer this balance. For example, many people employ password managers and proxies to manage their passwords, but these tools carry their own risks and challenges, such as accessing a password manager from multiple devices and securing it in the cloud.
A layperson might believe that if passwords have been good enough for ages, they're probably good enough for the next 10 or 20 years—but is that really so? Some experts argue that passwords should be replaced, but others quickly retort, "With what?" Embarrassingly, we don't have a consensus on the answer to that question. As a society, we've developed a dazzling array of authentication alternatives, but we haven't yet agreed on how to best integrate these methods, or even how to bootstrap trust between different entities. In addition, we have only a hazy understanding of the different authentication methods' relative strengths.
If passwords are "what you know," then methods that leverage "what you have" and "what you are" are natural complements to passwords. Biometric solutions in particular are well suited for local authentication, such as physical security applications. Can we replace passwords with biometrics? At first sight, yes. But what do you do if you can't authenticate? You could fall back to a password, or to some other backup authentication method, since you might well have forgotten a password you haven't used in a long time. Biometric solutions have also proven difficult to apply on the Web.
In general, "what you have" authentication methods require additional hardware. In the enterprise, one-time password tokens are common (although usability issues make this solution less than perfect). Distributing hardware to consumers hasn't been as successful. For example, in the past, some banks provided free smart card readers to customers to access their accounts through a smart chip embedded in their credit cards. They were rarely used.
Another approach is to embed the hardware in the computer. Most modern laptops come enhanced with a Trusted Platform Module (TPM), a chip that can securely store authentication credentials. The vision is that authentication will become simpler and more trustworthy given a hardware-based root of trust. However, only a small percentage of users, usually in an enterprise environment, take advantage of this feature. The reasons for the lack of adoption are complex, but many are concerned that TPM use leads to a loss of privacy and reduced control of the computer. Of course, in a complete authentication solution, users must authenticate to the TPM to protect against device theft.
The general problem of authenticating to a device is most acute for mobile phones. This is an interesting corner of authentication that has its own set of technologies and associated usability concerns. The password is again the usual answer, but how do we avoid the tiresome unlocking of a phone tens of times a day? Many simply take their chances and leave their phones unlocked. New approaches such as graphical passwords are more usable, but are they secure enough? What else can be done?
Whether the user is authenticating to a device or to a remote server, we must find new and better solutions to address the need for strong and convenient authentication, not only because the threat is changing but also because our technology use is. We're now in the middle of the mobile revolution, and suddenly, authentication has become ubiquitous. We're mashing services, leveraging remote computation, and remotely controlling all sorts of devices. Easy and fast authentication is becoming critical. Will people accept traditional authentication methods, or will the restricted user interfaces demand new solutions? Will the richness of contextual data allow simpler or more secure methods?
Add to that a problem that was almost entirely nonexistent just 10 years ago—large-scale, automated theft of credentials, or phishing. This is an additional dimension along which we need to measure any method's security. The same goes for malware-based credential theft, although the defenses against these attacks are likely to be very different from those that address phishing. Are some of our existing approaches more vulnerable to such abuse than others? Can we design authentication methods to reduce the impact of such attacks?
One modern trend is to combine multiple authentication factors to strengthen security. For example, it's not uncommon these days for a bank to couple a password with a device fingerprint. The device fingerprint is simply a set of parameters that are specific to the device, including the set of software running on it, its versions, and its configuration. If the bank hasn't seen the device fingerprint before, it requests another, secondary authentication factor. More complicated methods might compare a user's access and typing patterns with those of previous sessions. However, the science of combining multiple factors is still young. Researchers and companies are experimenting with a wide variety of contextual data in the hope of improving authentication. For instance, how can we combine various types of data and develop thresholds with an understanding of the resulting false-positive and false-negative rates?
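The bank scenario above, as an added example that is not code from the editorial or from any of the companies named in it: a password check combined with a device fingerprint and a simple additive risk score, where an unseen device pushes the score over a step-up threshold and a secondary factor is requested. It also shows the threshold question raised in the last sentence, measuring false-positive and false-negative rates over a labelled set of past logins. The device attributes, the score weights, the threshold value, and the login events are all constructed for illustration and are assumptions, not figures from the page.

```python
"""Password plus device-fingerprint step-up authentication with a risk score.

Added example, not code from the editorial. All device attributes, account
data, score weights and login events below are constructed for illustration.
"""
import hashlib
import hmac
import json
import os
from dataclasses import dataclass, field

PBKDF2_ITERATIONS = 200_000
STEP_UP_THRESHOLD = 40  # assumed policy value; tune it against measured FP/FN rates


def fingerprint_device(attributes: dict) -> str:
    """Reduce a set of device parameters (software, versions, configuration)
    to one stable identifier by hashing a canonical JSON serialization."""
    canonical = json.dumps(attributes, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated password hash; the salt is stored with the account."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    known_devices: set = field(default_factory=set)
    usual_countries: set = field(default_factory=set)


def create_account(password: str, device_attrs: dict, country: str) -> Account:
    """Enroll the first device and location at registration time."""
    salt = os.urandom(16)
    acct = Account(salt=salt, pw_hash=hash_password(password, salt))
    acct.known_devices.add(fingerprint_device(device_attrs))
    acct.usual_countries.add(country)
    return acct


def verify_password(acct: Account, password: str) -> bool:
    # Constant-time comparison so timing does not reveal how many bytes matched.
    return hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash)


def risk_score(acct: Account, fingerprint: str, country: str) -> int:
    """Additive score over contextual signals; the weights are assumed."""
    score = 0
    if fingerprint not in acct.known_devices:
        score += 50  # never-seen device: on its own enough to require a second factor
    if country not in acct.usual_countries:
        score += 30  # unusual location: on its own below the threshold
    return score


def decide_login(acct: Account, password: str, device_attrs: dict, country: str) -> str:
    """Return 'deny', 'step-up' (secondary factor required) or 'allow'."""
    if not verify_password(acct, password):
        return "deny"  # the password is checked first; context never replaces it
    fp = fingerprint_device(device_attrs)
    if risk_score(acct, fp, country) >= STEP_UP_THRESHOLD:
        return "step-up"
    return "allow"


def enroll_device(acct: Account, device_attrs: dict) -> None:
    """Remember a device, to be called only after the secondary factor succeeded."""
    acct.known_devices.add(fingerprint_device(device_attrs))


def evaluate_threshold(events: list, threshold: int) -> tuple:
    """events: (score, is_fraud) pairs from labelled past logins.
    Returns (false_positive_rate, false_negative_rate), where a 'positive'
    is a login flagged for step-up."""
    false_pos = false_neg = legit = fraud = 0
    for score, is_fraud in events:
        flagged = score >= threshold
        if is_fraud:
            fraud += 1
            if not flagged:
                false_neg += 1
        else:
            legit += 1
            if flagged:
                false_pos += 1
    return (false_pos / legit if legit else 0.0, false_neg / fraud if fraud else 0.0)


if __name__ == "__main__":
    # Constructed devices and a constructed set of labelled past logins.
    laptop = {"os": "Win7", "browser": "Firefox 9.0", "plugins": ["flash"], "tz": "-8"}
    phone = {"os": "Android 2.3", "browser": "WebKit", "tz": "-8"}
    acct = create_account("correct horse", laptop, "US")
    print(decide_login(acct, "correct horse", laptop, "US"))   # allow
    print(decide_login(acct, "correct horse", phone, "US"))    # step-up
    events = [(0, False), (30, False), (50, False), (80, True), (50, True), (30, True)]
    for t in (40, 60):
        print(t, evaluate_threshold(events, t))
```

Raising the threshold from 40 to 60 on the constructed events removes the false positive (the legitimate login from a new device) but lets two of three fraudulent logins through, which is the trade-off the paragraph asks practitioners to understand before fixing a threshold.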
In This Issue
In this special issue, we present the transcript of a roundtable discussion with leaders in authentication technologies from established companies, startups, and academia. They discuss their views on the biggest problems in authentication, potential solutions, and the direction in which the field is moving. Also in this issue are three articles providing valuable insight into the authentication landscape, including the present and future of passwords, usability issues, and large-scale government deployments.
Any authentication discussion begins with the password. Cormac Herley and Paul C. van Oorschot survey the current state of affairs in "A Research Agenda Acknowledging the Persistence of Passwords." They argue that passwords will be with us for some time and that we should devote time to understanding them better, rather than inventing new schemes to supplant them. The authors point out that even after decades of research, simple questions related to passwords remain unanswered.
Authentication systems often require grappling with issues of user psychology and human-computer interaction. Amir Herzberg and Ronen Margulies's article, "Training Johnny to Authenticate (Safely)," illustrates the difficulty of designing authentication systems that interact with the user. They present results on training users to avoid credential theft through phishing. Here, as in many areas of authentication, there is much work to be done in coupling security with usability. This is a relatively young field, with interest intensifying only in the late 1990s. Now it's commonly recognized that users aren't the problem, and any practical system must take human foibles and weaknesses into account.
Andreas Poller, Ulrich Waldmann, Sven Vowé, and Sven Türpe's "Electronic Identity Cards for User Authentication—Promise and Practice" illustrates the challenges of large-scale government and enterprise authentication deployments. Some see such large deployments as an authentication panacea, for example, the now common RFID-enabled passports or the Unique Identification Authority of India's rollout of a country-wide biometric-based authentication system. In these systems, authentication is often at odds with individual privacy, and the overall design must take this into account. Authentication processes often reveal identity, and in a system without pseudonyms, revealing identity means a loss of privacy.
We're neither alarmists nor fatalists, but we think authentication is an important issue that deserves more attention. It's the neglected first objective of computer security and the wobbly cornerstone of commerce. Better authentication will make the Internet, secured workplaces, and connected homes safer and more convenient for us all. We hope these articles will provide not only information but also ideas for possible next steps.
Markus Jakobsson is Principal Scientist of Consumer Security at PayPal. He spends most of his time thinking about trends in authentication and how to design better authentication techniques. Jakobsson has written/edited three books relating to different aspects of authentication: Phishing and Countermeasures (Wiley, 2006), Crimeware (Symantec Press, 2008), and The Death of the Internet (Wiley, forthcoming in 2012). He's currently studying mobile authentication (www.fastword.me) and how to suppress spoofing (www.spoofkiller.com). Contact him via www.markus-jakobsson.com.
Richard Chow is a research scientist in the security and privacy group at the Palo Alto Research Center. His current research interests include using data mining and applied cryptography to improve privacy, security, and fraud detection. Contact him at firstname.lastname@example.org.
Jesus Molina is a researcher, inventor, independent consultant, and occasional artist (when nobody is looking). He currently divides his time between standardization committees aimed at improving the security of emerging infrastructures, such as the smart grid and the cloud, and developing cutting-edge authentication solutions for them. Contact him via www.jesusmolina.com.