Biometrics: A Stepping-Stone To Eliminating The Password Forever
September 13, 2017 - Once thought of as exotic and futuristic, the use of biometrics as a means of authentication is quickly becoming mainstream. The concept is based on the fact that each person is unique and can be identified by his or her intrinsic physical or behavioral traits. This premise can serve as a powerful security measure, proving extremely valuable to organizations and their employees.
The news of the massive Equifax data breach broke last week, and the collective shrug of yet-another-data-breach was deafening. The fact that it happened to a credit reporting service that is known for offering identity protection in the wake of other people’s data breaches is ironic, but beyond that, it’s just another in a string of data breaches that have impacted every American by this point.
Two-factor authentication and MFA were significant improvements over passwords alone. However, the definition of MFA was born in a different era and rests on technology and approaches that are 20 years old. Technology has changed, and so has the approach to authentication. Technology buyers are strongly encouraged to look beyond the MFA standard and instead consider a modern authentication approach.
Recently, Troy Hunt released 320 million hashed passwords collected from breaches (https://haveibeenpwned.com/Passwords), so I thought I’d run an experiment on that data based on common password-tweaking techniques. I wanted to see if I could find tweaked variations of a given password in Troy’s data set.
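The kind of experiment described above, as an added example (this is not the post author's code). It generates the usual human tweaks of a base password (case changes, leet substitutions, appended digits and punctuation), hashes each variant with SHA-1 and looks it up in a hash set, since the Pwned Passwords file is distributed as one uppercase SHA-1 hex digest per line. The five "leaked" entries, the substitution rules and the suffix list are constructed for the example and are assumptions, not data from the real list.

```python
import hashlib
from itertools import combinations

# Constructed stand-in for the Pwned Passwords data set. The real file is one
# uppercase SHA-1 hex digest per line, so the set below holds the same form;
# the five plaintexts are made up for this example.
_SAMPLE_LEAKED_PLAINTEXTS = ["password", "Password1", "P@ssw0rd", "summer2017", "Summer2017!"]


def sha1_upper(text: str) -> str:
    """Hash a candidate the way the Pwned Passwords list stores it."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


LEAKED_HASHES = {sha1_upper(p) for p in _SAMPLE_LEAKED_PLAINTEXTS}

# Common "tweaks" people apply when told to change a password (assumed rules).
LEET_RULES = [("a", "@"), ("e", "3"), ("i", "1"), ("o", "0"), ("s", "$")]
SUFFIXES = ["", "1", "!", "123", "2017", "2017!"]


def leet_forms(word: str) -> set:
    """Every combination of the substitution rules applied to `word`."""
    forms = set()
    for n in range(len(LEET_RULES) + 1):
        for rules in combinations(LEET_RULES, n):
            w = word
            for src, dst in rules:
                w = w.replace(src, dst)
            forms.add(w)
    return forms


def tweak(password: str) -> list:
    """Return the sorted set of plausible human variants of `password`."""
    variants = set()
    for leeted in leet_forms(password.lower()):
        for cased in (leeted, leeted.capitalize(), leeted.upper()):
            for suffix in SUFFIXES:
                variants.add(cased + suffix)
    return sorted(variants)


def find_pwned_variants(password: str, leaked_hashes=LEAKED_HASHES) -> list:
    """Variants of `password` whose SHA-1 appears in the leaked-hash set."""
    return [v for v in tweak(password) if sha1_upper(v) in leaked_hashes]


if __name__ == "__main__":
    for pw in ("password", "Summer", "correcthorse"):
        print(pw, "->", find_pwned_variants(pw))
```

Against the real download you would load the hash file into `LEAKED_HASHES` (or a more memory-frugal structure such as a sorted file with binary search, since 320 million digests do not sit comfortably in a Python set); the lookup itself stays the same because the candidates are hashed, never compared in plaintext.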
In my last blog post, I sounded the death knell for indicators of compromise (IOCs) — attributes that implicate an item as being associated with cybercrime. IOCs written for one environment rarely transfer into new environments without lots of false positives and false negatives because what’s abnormal (and therefore an IOC) for one system or user might be completely normal for another user or system, or even for the same user at a different time of day.
July 2017: SC Magazine’s Market Focus: Another Paradigm Shifts; Multi-Factor (MFA) might soon forgo the password.
In the 2004 action movie National Treasure, Nicolas Cage needs to guess a not-so-complex password and lift a fingerprint in order to break into the National Archives building and steal the Declaration of Independence. Movies often make stealing two-factor authentication so simple, but is it really that easy? And what if the second factor wasn’t a password at all? Could Cage have broken in?