The FIDO (formerly Fast Identity Online) Alliance is out to kill the password.
It wouldn’t seem to be a tough sales job. There is little debate among security experts that passwords are a lousy, obsolete form of authentication.
The evidence is overwhelming. Most people, in spite of exhortations to use long, complicated passwords, to change them at least monthly and to avoid reusing the same one across multiple sites, don’t.
The latest Verizon Data Breach Investigations Report (DBIR) found that 63 percent of confirmed data breaches involved the use of stolen, weak or default passwords.
And even complex passwords keep getting stolen. In recent months alone there has been a string of reports of catastrophic credential breaches – 33 million from Twitter, 165 million from LinkedIn, 65 million from Tumblr, 360 million from MySpace, 127 million from Badoo and 171 million from VK.com.
Nick Bilogorskiy, senior director of threat operations at Cyphort, noted in a recent blog post that there are now more than a billion accounts whose credentials are for sale online. He compared them to hundreds of millions of keys capable of unlocking bank safe-deposit boxes, littering the ground.
“All you need is to pick them up and find a match to open any box you would like,” he wrote. “In fact, it is worse, because for most people, this same key is used to open their office, car, and house.”
And, of course, with automation, it is possible to try keys in millions of “locks” in seconds.
Things are even worse in the health care industry, according to a recent study by researchers at Dartmouth College, the University of Pennsylvania and USC, which found that efforts by medical staff to circumvent passwords were “endemic”: to avoid any delay in using a device or getting access to supplies, they routinely wrote passwords on sticky notes.
According to the report – part of whose title is “You want my password or a dead patient?” – medical staffers are “just trying to do their work in the face of often onerous and irrational computer security rules.”
The solution to such a porous “security” standard is to get rid of it, according to FIDO. But the Alliance, which describes itself as a “cross-industry consortia,” has to do more than convince experts or even web content providers. It has to convince users – the ones who are familiar and comfortable with passwords and who can display irrational amounts of resistance to change.
“There is no such thing as perfection. It is always going to be an arms race.” – Gary McGraw, CTO, Cigital