But those advocating the “death” of passwords say the other key to secure authentication is what security professionals have been preaching for years: multi-factor authentication.
In other words, they are not trying to mandate that biometrics be the sole replacement for passwords. Dunkelberger, who said the FIDO Alliance is using the authentication technology his firm created, said the core idea, “isn’t to replace passwords with biometrics, but rather to replace passwords with a strong, secure signal of any kind.”
McDowell agreed. He said many FIDO implementations do use biometrics for authentication, but that the specifications are “technology agnostic.”
It is implementers, he said, who decide which mechanisms their products will support. It could be, “a local PIN code for user verification vs. biometrics if you prefer.”
He said FIDO specifications, “allow the use of authenticators built into a device, such as biometrics or a PIN, and/or external, second-factor authenticators, such as a token or a wearable.”
The message from Stickland is similar. “The only current defense is multifactor authentication, using two or more biometrics – for example, fingerprint and face, or voice. At the very least fingerprint plus a long, randomized PIN would be good.”
He said his firm created an authentication tool that, “uses a combination of hardware, secure certificates, biometrics, and other information to validate not only the biometric, but every communication between a remote device and a server, basically verifying that not only is the user valid, but the hardware the user is using is also valid.”
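The two descriptions above (built-in user verification by PIN or biometric, plus a server that checks both the user and the device it is talking to) share one underlying pattern: the device generates a key pair bound to a particular site, the server sends a fresh random challenge, the device signs it only after verifying the user locally, and the server checks freshness, site binding and the signature before accepting. The following Go program is an added illustration of that pattern written for this article; it is not code from either firm, not the FIDO Alliance's specifications, and not the WebAuthn/CTAP message format. The relying-party name "example.com", the user "alice", the 32-byte challenge size and the single-byte user-verification flag are assumptions chosen for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Authenticator models the device side. The private key is created on the
// device and never leaves it; the server only ever holds the public key.
type Authenticator struct {
	rpID      string // site this credential was created for (assumed name)
	priv      ed25519.PrivateKey
	PublicKey ed25519.PublicKey
	counter   uint32 // increments on every signature; lets the server spot clones
}

func NewAuthenticator(rpID string) (*Authenticator, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{rpID: rpID, priv: priv, PublicKey: pub}, nil
}

// Assertion is what the device sends back to the server for one login.
type Assertion struct {
	RPIDHash     [32]byte
	UserVerified bool
	Counter      uint32
	Challenge    []byte
	Signature    []byte
}

// signedData binds the site, the user-verification flag, the counter and the
// server's challenge under a single signature, so none can be swapped alone.
func signedData(rpIDHash [32]byte, uv bool, counter uint32, challenge []byte) []byte {
	buf := make([]byte, 37, 37+len(challenge))
	copy(buf, rpIDHash[:])
	if uv {
		buf[32] = 1
	}
	binary.BigEndian.PutUint32(buf[33:], counter)
	return append(buf, challenge...)
}

// Sign runs after the device has checked the user locally (PIN or biometric);
// userVerified reports whether that local check actually happened.
func (a *Authenticator) Sign(rpID string, challenge []byte, userVerified bool) (Assertion, error) {
	if rpID != a.rpID {
		return Assertion{}, errors.New("credential is bound to a different site")
	}
	a.counter++
	h := sha256.Sum256([]byte(a.rpID))
	sig := ed25519.Sign(a.priv, signedData(h, userVerified, a.counter, challenge))
	return Assertion{RPIDHash: h, UserVerified: userVerified, Counter: a.counter, Challenge: challenge, Signature: sig}, nil
}

// Server models the relying party: public keys, last-seen counters and
// outstanding challenges, one per user.
type Server struct {
	rpID     string
	pubKeys  map[string]ed25519.PublicKey
	counters map[string]uint32
	pending  map[string][]byte
}

func NewServer(rpID string) *Server {
	return &Server{rpID: rpID, pubKeys: map[string]ed25519.PublicKey{},
		counters: map[string]uint32{}, pending: map[string][]byte{}}
}

func (s *Server) Register(user string, pub ed25519.PublicKey) { s.pubKeys[user] = pub }

// Challenge issues a fresh random value; a stale or reused one is rejected by Verify.
func (s *Server) Challenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.pending[user] = c
	return c, nil
}

// Verify accepts an assertion only if the challenge is the one outstanding for
// this user, it was signed for this site after local user verification, the
// counter moved forward, and the signature checks under the registered key.
func (s *Server) Verify(user string, as Assertion) error {
	pub, ok := s.pubKeys[user]
	if !ok {
		return errors.New("unknown user")
	}
	want, ok := s.pending[user]
	if !ok {
		return errors.New("no outstanding challenge (replay?)")
	}
	delete(s.pending, user) // single use, whatever happens next
	if !bytes.Equal(want, as.Challenge) {
		return errors.New("challenge mismatch")
	}
	if as.RPIDHash != sha256.Sum256([]byte(s.rpID)) {
		return errors.New("assertion was produced for a different site")
	}
	if !as.UserVerified {
		return errors.New("device did not verify the user locally")
	}
	if as.Counter <= s.counters[user] {
		return errors.New("signature counter did not advance: possible cloned device")
	}
	if !ed25519.Verify(pub, signedData(as.RPIDHash, as.UserVerified, as.Counter, as.Challenge), as.Signature) {
		return errors.New("bad signature")
	}
	s.counters[user] = as.Counter
	return nil
}

func main() {
	srv := NewServer("example.com")
	dev, _ := NewAuthenticator("example.com")
	srv.Register("alice", dev.PublicKey)
	c, _ := srv.Challenge("alice")
	as, _ := dev.Sign("example.com", c, true)
	fmt.Println("login:", srv.Verify("alice", as))  // nil: accepted
	fmt.Println("replay:", srv.Verify("alice", as)) // error: challenge already consumed
}
```

Nothing password-shaped crosses the wire: the server learns a public key at registration and a signature at login, so a breach of its database yields nothing an attacker can replay, and a phishing site holding a different rpID cannot obtain a usable signature from the device.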
Simkin also said multifactor authentication, “of which there are many options available today,” should be used, “for all critical resources and applications. The more time and resources you require attackers to expend, the lower the chances of a successful breach.”
Stephen Stuut, CEO of Jumio, said organizations will still have to balance security with convenience, since “friction” in the process of signing on to a site may cause users simply to give up on it.
“Companies should focus less on one single technology but rather on the correct combination that meets their business requirements and customer needs,” he said. “Adding too many steps to the process may increase session abandonment, especially on mobile, where attention spans are short.”
All of which suggests that passwords could remain, for some time, one part of multi-factor authentication: something you know, something you have and something you are.
Zohar Alon, Co-Founder and CEO of Dome9, said he doesn’t think they will ever disappear. “They remain one of the simplest means of proving identity and gaining access,” he said. “We can design better security with multiple factors of authentication and authorization that are not correlated with each other, that cannot be compromised all at once.”
But Stickland said he believes they will eventually become obsolete. “Passwords are painful. We forget them, they are stolen, it’s time consuming to reset them. At some point, new technology will win.”