EDITOR’S QUESTION
JONATHAN KNUDSEN, SENIOR SECURITY STRATEGIST AT SYNOPSYS
It was more than six years ago that the Defence Advanced Research Projects Agency (DARPA), a research and development arm of the Department of Defence (DoD), issued a ‘broad agency announcement’ seeking research proposals for developing biometric authentication through analysis of various activities and behaviours – keystroke patterns, mouse use, sentence structure and use of language – that add up to what the agency calls a ‘cognitive fingerprint’.
Those mechanisms go beyond ‘something you know’ (the password) and ‘something you have’ (a token or wearable) to enhanced ‘something you are’ (biometric authentication such as fingerprint, voice, face, retina). Implemented correctly, a user’s biometric measures are stored only on the user’s device.
Passwords are ‘shared secrets’ that reside on both the device and a server that, as we all know, can be hacked in various ways. To compromise biometric authentication, an attacker would need physical access to the device.
But between now and when passwords really do become as rare as phone booths, be sure to use a password manager, which holds all your passwords in a ‘container’ locked by a master key that only the user knows.

That means all you have to do is create one really complex password that you can remember. The manager will also help you create unique passwords for new websites or apps.
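The two jobs the column gives a password manager – keeping every stored password in a container that only the master password opens, and generating unique passwords for new sites – are shown below in an added example. This is not code from the column or from Synopsys; it is a constructed, standard-library-only sketch. The key is stretched from the master password with scrypt, and the container is sealed with an HMAC-SHA256 keystream plus an encrypt-then-MAC tag, a deliberately simple stand-in (assumption) for the AEAD cipher a real product would use. All names and sample entries are constructed.

```python
import hashlib
import hmac
import json
import os
import secrets
import string
from typing import Dict, Optional, Tuple

# scrypt cost parameters; constructed for the example (a product would tune these).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def derive_keys(master_password: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Stretch the master password into separate encryption and MAC keys.

    Only the user knows the master password; the container never stores it.
    """
    km = hashlib.scrypt(master_password.encode("utf-8"), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=64)
    return km[:32], km[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy PRF-based keystream (HMAC-SHA256 over nonce||counter); stands in for a real AEAD."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def lock_vault(master_password: str, entries: Dict[str, str]) -> Dict[str, str]:
    """Seal the site->password map into an opaque container."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    plaintext = json.dumps(entries).encode("utf-8")
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    # Encrypt-then-MAC: the tag covers everything an attacker could alter on disk.
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt.hex(), "nonce": nonce.hex(), "ct": ciphertext.hex(), "tag": tag.hex()}


def unlock_vault(master_password: str, vault: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return the entries, or None if the master password is wrong or the container was tampered with."""
    salt, nonce, ct, tag = (bytes.fromhex(vault[k]) for k in ("salt", "nonce", "ct", "tag"))
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    plaintext = bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return json.loads(plaintext.decode("utf-8"))


def generate_password(length: int = 20) -> str:
    """Unique, random password for a new site, drawn from a CSPRNG (secrets module)."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Constructed sample: one remembered master password, two generated site passwords.
    master = "correct horse battery staple"
    entries = {"mail.example.test": generate_password(), "bank.example.test": generate_password()}
    vault = lock_vault(master, entries)
    print(unlock_vault(master, vault) == entries)   # True
    print(unlock_vault("wrong master", vault))      # None
```

Because the tag is checked before decryption, a wrong master password and a modified container both fail the same way, so the only path to the stored passwords is the one secret the user remembers.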
Passwords are convenient for software creators but hard for humans to use correctly. Being human, we want to use the same password for every service, which is a terrible idea. We want to use passwords that are easy to remember, which is also a terrible idea. We see passwords as a hurdle that must be jumped before we can actually start getting work done.
Authentication, or proving identity, is always based on something you know, something you have, or something you are.
Multi-factor authentication combines these. For example, a website might require you to supply a password (something you know) and also send a text message to your phone (something you have). Some apps these days will also rely on a fingerprint (something you are).
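As an added example, not from the column, here is the server side of the two-factor check the paragraph describes: a password (something you know) combined with a one-time code from a device the user holds (something you have). It goes slightly beyond the text's SMS example by using a time-based one-time password (TOTP, RFC 6238) generated by an authenticator app, since that is the same "something you have" factor with a standard, testable algorithm. The user record, secrets and times are constructed; the password is stored only as a salted scrypt hash.

```python
import hashlib
import hmac
import os
import time
from typing import Dict, Optional, Set

SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1  # constructed cost parameters
TOTP_STEP_SECONDS = 30


def register_user(password: str, totp_secret: bytes) -> Dict[str, bytes]:
    """Constructed user record: salted password hash plus the shared TOTP secret."""
    salt = os.urandom(16)
    pw_hash = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                             n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return {"salt": salt, "pw_hash": pw_hash, "totp_secret": totp_secret}


def check_password(record: Dict[str, bytes], password: str) -> bool:
    """Factor 1, something you know: recompute the hash and compare in constant time."""
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=record["salt"],
                               n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return hmac.compare_digest(candidate, record["pw_hash"])


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 of the counter, dynamically truncated to `digits`."""
    digest = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP over the 30-second time step."""
    return hotp(secret, int(at_time) // TOTP_STEP_SECONDS, digits)


def match_totp(record: Dict[str, bytes], code: str, now: float, window: int = 1) -> Optional[int]:
    """Factor 2, something you have: return the time step the code matched, or None.

    A +/-1 step window tolerates clock drift between phone and server.
    """
    step = int(now) // TOTP_STEP_SECONDS
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(record["totp_secret"], step + delta), code):
            return step + delta
    return None


def authenticate(record: Dict[str, bytes], password: str, code: str,
                 now: float, used_steps: Set[int]) -> bool:
    """Both factors must pass; a code is accepted once per time step (no replay)."""
    pw_ok = check_password(record, password)          # evaluate both before deciding
    matched = match_totp(record, code, now)
    code_ok = matched is not None and matched not in used_steps
    if pw_ok and code_ok:
        used_steps.add(matched)
        return True
    return False


if __name__ == "__main__":
    # Constructed demo using the RFC 6238 reference secret.
    record = register_user("a-long-unique-password", b"12345678901234567890")
    used: Set[int] = set()
    now = time.time()
    print(authenticate(record, "a-long-unique-password", totp(record["totp_secret"], now), now, used))  # True
    print(authenticate(record, "a-long-unique-password", totp(record["totp_secret"], now), now, used))  # False (replay)
```

Neither factor on its own is enough: a leaked password fails at `match_totp`, and a captured code fails at `check_password` or, if reused, at the replay check.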
Passwords are definitely on the decline, as fingerprint sensors become widespread in smartphones, a variety of USB authentication devices (something you have) are available, and smartcards now function as a physical manifestation of a private cryptographic key.
These newer authentication methods will be easier for humans to use correctly, as the concept of the security of a USB device, a smartcard, or a fingerprint is much easier to understand than the problem of remembering a password, or knowing how to pick a password that is hard to guess.