March 03, 2010, 9:30 PM — For years, leaders of the security industry have warned that passwords have outlived their usefulness. Users pick easy-to-crack passwords like the name of a dog or a favorite movie. They're written on post-it notes and left sticking to the monitor for all to see.
Multi-factor authentication -- using more than one form of authentication to verify the legitimacy of a transaction via smart cards, tokens or biometrics, for example -- is often held up as the alternative; an end to insanity.
The reality is far less simple.
At Security B-Sides Tuesday, a panel discussed the best ways to address the problem.
Marisa Fagan, security project manager at Errata Security, mapped out the problem security shops face. Errata, she said, has found that 10 percent of all Twitter traffic is comprised of phishing and malware attacks. Many users are often duped into clicking on a phishing link or their password is so easy to guess that the bad guys crack it. From there, the path to one's sensitive data is shorter and clearer.
"Recycled passwords are a problem," she said. Launch a brute-force attack and access a password and you're in business. Cracked Facebook passwords are being sold for $100 or less, she noted.
"There are different ways to solve the authentication problem, but removing passwords would kill all the birds with one stone," Fagan said. "The question is how best to go about it."
Multi-factor authentication would seem the easy answer. But here's the problem: Attackers can also get around that with little trouble. The reason, as in the password problem, is that users end up being the path of least resistance.
Also see Second Thoughts on Second Factors
"People will write their PINs right on their token. So have we decreased risk? We've created a bigger barrier" but that's not enough, said Michael Santarcangelo, founder of the Security Catalyst Community.
Jennifer Jabbusch, CISO at Carolina Advanced Digital Inc. in North Carolina, noted how companies implement multi-factor authentication but don't always get the implementation right. That's when the company is left with nothing but "feel-good security."
"We need to draw a line and not pursue solutions that simply offer a feeling of security," she said. "Things make you feel better don't really help."
There's also the lingering problem of economics. Federated ID, which lets business partners automatically access each other's networks without requiring piles of passwords, is often cited as one of the more ironclad options. But the cost and complexity has led to far fewer federation implementations than industry experts were predicting five years ago.
So where's the ultimate solution? The panelists said there's no one-size-fits-all approach. User education certainly remains key -- making people aware of why it's bad to write their PIN right on the token, for example. The other thing is to recognize that no method of authentication is 100-percent ironclad and plan for the possibility that the bad guys will still get through.
