June 26, 2015 - Jan Valcke
The final days of user names and passwords

Last week’s announcement that the online password manager LastPass was hacked made me realize that the term Secure Password has become the leading oxymoron of the 21st century. The issue of insecure passwords has resurfaced; this is once again a reminder of the need for one-time passwords.

The average internet user typically administers twenty-five accounts. These twenty-five accounts are protected by on average six different static passwords, but users seem to have a soft spot for certain kinds of passwords. Nicknames, dates of birth, children’s and pets’ names, and even the word “password” are very popular.

Most surfers realize that passwords are a matter of the utmost concern. After all, passwords are the first, last and only safeguard of an account against intrusion attempts. Long lists of tips and tricks to solve the problem can be found everywhere online: do not use real words, mix different character types and numbers, use different passwords for different accounts, change your passwords regularly… It becomes even harder when users are asked to change their passwords every ninety days. It is simply an impossible task for the user to remember them all.

Online password managers seem to be a good solution to tackle this problem of inconvenience and to store all these different, complex and regularly changing passwords. However, there is an obvious irony in attempting to protect inherently weak passwords with another password.

We are seeing the final days of user names and passwords as hackers drive the industry to more secure methods of authentication. One-time passwords are the key solution. They only remain valid for about thirty seconds and become invalid after use. Each time a user wants to log on, they get a new password. This means that over a ninety day period, a user password changes not once, but more than 250,000 times. It goes without saying that this is much safer than changing your password only once. Moreover, user convenience can be increased considerably, since the user no longer has to think about a complex password.

The environments that used to be the preferred targets of online fraudsters, such as the banking market, have already abandoned weak static passwords and moved to one-time passwords. At that point, hackers realized that they also had to tap new sources of income. They selected other sectors and looked for other assets they could capitalize on, such as confidential or business-critical information. Commercial companies, healthcare and medical providers, governments, educational institutes, and many more have all fallen prey to hacking attacks. It is time that we all move to one-time passwords to protect these sectors as well. Not only will the accounts be protected against fraudulent attacks, but users will also be relieved of the burden of having to remember a password.

5 Responses to The final days of user names and passwords
  1. You leave the question open: where will the OTPs come from?
    They will come from Smartphones and extra devices/tokens. My guess: 90% from smartphones, and 10% from hardware tokens, for the important accounts like financial, corporate, medical, email, etc.
    The main reason for hardware tokens will be security (severe and not avoidable danger: smartphone OS trojans), but there is also a usability aspect: every smartphone change (lost/broken/stolen/new) causes a lot of additional effort for the user concerning the stored credentials. This pain does not appear with hardware tokens.

  2. Interesting and insightful comments, and we agree with your observations. We see an evolution toward contextual authentication, which goes much further than generating one-time passwords. This means that the environment in which an application resides, or the user’s behavior pattern, should be secure: is the phone jailbroken, is the user’s geographic location plausible, is the message sent via a secure channel, etc. The application as such is much more protected and the user is monitored and given a score. When unusual patterns and behaviors are identified, extra security may be required. In other words, the device itself will not be so relevant anymore. It will become a tool to collect risk and user behavior patterns, rather than simply a tool to generate one-time passwords.

  3. John, could you give practical examples of contextual authentication vs. the common password systems in use and the concluding advantages of contextual? Thank you, Anthony J. Gullo

  4. OK, OTPs are much better than passwords, it’s obvious. But still it does not respond to threats connected to MITB, where a trojan injects some web inject directly into the web page. In this case, a validity of 30 secs means nothing. In that time the OTP and any other credentials could be easily redirected to unauthorized servers (drops).
    I would rather consider the future authentications with multi-channel communication where user submits logon action in one channel and confirms it in another (separated!) one.

  5. With risk-based or contextual authentication, access to the application or transaction goes through a series of trust hurdles, similar to how many of the next-generation firewalls operate with their own risk scoring tools of internal network packet behavior. Information is collected and scored based on a series of qualitative and quantitative, contextual and behavioral metrics. Unusual or riskier behaviors can be challenged by asking the user for additional information, and of course transactions can be allowed or denied. For example, for an online banking transaction, additional and more stringent authentication measures may be requested if:

    – The user lives in Canada, but is logging in from China
    – The mobile phone he’s using for the transaction is jailbroken or rooted
    – The value of a transaction is above a certain threshold
    – The user is doing something that doesn’t match typical history

    As for the benefits, the tools and analytics capabilities of risk-based authentication create a barrier that is much harder for a hacker or fraudster to circumvent, and it also improves the user experience. Because risk-based authentication is dynamic, it doesn’t force stringent requirements on a low risk situation, and since it works silently in the background, most users don’t necessarily even know that their logins are being vetted more carefully. Moreover, this all happens in real time, just like the typical multifactor methods.

    Hope this helps. We have a new white paper available that goes into more detail if you’re interested.
