Companies are "fiddling while Rome burns" by continuing to put their faith in passwords to guarantee user authentication, according to a Gartner analyst.
Speaking at the Gartner IT Security Summit in London on Wednesday, research vice-president Ant Allan warned that "passwords are no longer adequate as threats against them increase."
Those emerging threats are intimately linked to emerging technology, such as Wi-Fi and Web services. As the usage of these services grows, more cybercriminals will attempt to exploit them. There is a business value in adopting new technology, but security needs to keep up, according to Gartner.
The increasing sophistication of attacks and the professionalism of cybercriminal gangs have led companies to make passwords longer, or to change them more frequently. "This is a bad idea," said Jay Heiser, Gartner research vice-president. "Users respond by forgetting passwords, or writing them down, which can compromise security in a different way."
The future of authentication is "something stronger", according to Allan. "RSA security tokens, smart cards, and biometrics are becoming increasingly popular. The problem with those methods is that they are expensive to implement," he said.
Some security experts have been urging companies to use two-factor authentication — where users present a second form of identification as well as their password — for some time, though not all agree it is the way forward. Security guru Bruce Schneier summed up many of the arguments against two factor authentication in an interview earlier this year, saying: "People are selling two-factor authentication as the solution to our current identity-theft problems, but it was designed to solve the issues from 10 years ago."
"We are finding that European companies are more accepting of the higher cost of these solutions, while the US back away because they don't want to burden users [with complex procedures]," Allan said.
Less expensive solutions include mobile phone tokens for one-time password authentication, or ID cards.
Colin Thompson, vice-president of enterprise sales for security company Aladdin, agrees that companies will need to start tying in some kind of physical ID with digital ID.
"To access your bank account you need a bank card and PIN. If you lose that card you know your security has been compromised. We need some kind of smart card or certification because individual users in companies are still at risk," he said.
"Two-factor authentication is the way forward. Once you're into a system, we need greater simplicity, though. No more different username and password for different sites."
The risk of passwords being compromised is becoming greater and greater, according to John Girard, another Gartner analyst, because it's becoming easier to download tools that will crack them.
"The 'Magical Jellybean' tool is downloadable, and will find your licence key if you've lost it," he told the audience at the security summit, referring to a utility that is freely available over the Web.
"'Free Word and Excel password recovery wizard' enables you to crack passwords by brute force. It's good for shorter passwords. Longer passwords take about 16 hours, but if you really want to get in, you can," Girard warned.
The problem with most passwords is that there is nothing in the system to stop you looking again and again, so they are susceptible to brute force, according to Girard.
Talkback
Let's be careful to align "cures" with the corresponding problem, because it is by no means self-evident that "two-factor" (or n-factor) authentication measures create a net reduction in risk. Indeed, in many cases authentication ('who you are") presents fewer risks than authorization ("what you can access and do"), and the latter depends on backoffice database accuracy, freshness and fined-grainedness. Also, as identity theft cases highlight, often the "prize" is not one-by-one cracking of passwords, but the wholesale capture of portions of these back office databases (often by authenticated users). Therefore one has to take a holistic view of the overall process before concluding "Rome is Burning."
Biometrics tokens are the safest bet for prevention of identity theft and various frauds. The most widely used biometric tokens include those of fingerprints, irises, faces and palms. The fraudster can match everything but he can never match the biometric peculiarities. The companies must also use customised softwares that records relevant information automatically so that they can establish whether an unauthorised access or attempt has taken place or not.
For many years I have been in the security industry. And have always felt that passwords was just as effective as having a door knob. It will keep out the honest, but those are not will just turn it. The overall problem that is faced in corporate america. Is that most don't impose good security password policy. And better yet the art of desktop security has been sweeped under the carpet.