In an effort to find viable alternatives to the false security offered by passwords, a new U.S. government program is trying to find consensus on standards with leaders of private industry. The new National Strategy for Trusted Identities in Cyberspace (NSTIC) program, which is part of the National Institute of Standards and Technology (NIST) agency, was formed early in 2011 with limited funding but ambitious objectives.
What’s the problem with passwords? An IT Business article describes the challenge:
Many people use a single password for all accounts. Once a hacker gains access to the password, he can wreak havoc, steal your identity, destroy your credit, ruin your relationships and expose your secrets.
Password protection -- or lack thereof -- is the IT industry's dirty little secret. Passwords are a broken and obsolete model, yet everyone relies on them and pretends they do what they're supposed to do.
The New York Times points out that an over-reliance on strong passwords takes the focus away from other concerns like keyloggers.
Some computer security experts are advancing the heretical thought that passwords might not need to be “strong,” or changed constantly. They say onerous requirements for passwords have given us a false sense of protection against potential attacks. In fact, they say, we aren’t paying enough attention to more potent threats.
Here’s one threat to keep you awake at night: Keylogging software, which is deposited on a PC by a virus, records all keystrokes — including the strongest passwords you can concoct — and then sends it surreptitiously to a remote location.
The Times later highlights the findings of usability expert Donald Norman, who pointed out that overly complex password policies actually negate the benefits they were designed to produce.
[Norman] said unreasonable rules can end up rendering a system less secure: users end up writing down passwords and storing them in places that can be readily discovered.
When chartering the NSTIC program, U.S. President Obama described its objective.
The goal of the NSTIC strategy, [Obama] said, is to find something a lot better than "insecure passwords" in order to make "online transactions more trustworthy."
To achieve this, the program is working with companies to identify Internet-scale solutions that could rely on password alternatives such as trusted identity providers and biometrics. While single-use passwords, or single sign-on through providers like Verizon or Google, can reduce risk or provide stronger identity guarantees, some feel that biometric security is one of the best ways to establish a core identity. Paul Simmonds of the Jericho Forum, which operates under the Open Group, champions this viewpoint.
"The core identity is you," Simmonds says. "Your human core identifier is your face. The key trick is the only one who can use it is you."
Simmonds believes that once a strong identifier such as a face biometric is established, "It allows you to create a persona and link to it. The important thing is you can't go back up the tree to the root."
He says the kind of identity ecosystem that would be preferred is one that doesn't depend on giant databases of information but relies simply on trusted and secure registration of a core identity, and perhaps the use of technologies like chip-based cards. "They don't need to know who I am or anything about it. I can prove immutably I'm me."
Numerous parties are looking at how to avoid reusable passwords when authenticating users to services. Both Google and Apple are invested in Near Field Communication (NFC), which enables secure communication between devices over very short distances. A University of Cambridge professor has envisioned and presented on the idea of a small device that uses optics and cryptography to replace all passwords. Innovators in this space will now have access to NSTIC's $25 million budget next year, of which 70% goes towards pilot programs intended to prove whether these emerging ideas can operate at a large scale. Observers should expect to see these pilot programs occur in 2012, possibly funding individual organizations through a grant program.
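The single-use passwords mentioned above address the keylogger threat the Times describes: a captured code is worthless once it has been spent. The following is an added illustration, not code from NSTIC, NIST or any vendor named in this article. It implements the HOTP algorithm from RFC 4226 with only the Python standard library and pairs it with a small server-side verifier that tracks which counters have already been consumed. The secret is the RFC 4226 test key, used here purely as constructed demo data; the look-ahead window of five is a design choice assumed for the example.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(binary % 10**digits).zfill(digits)


class OtpVerifier:
    """Server-side state for one user's token: the next counter value it will accept."""

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.next_counter = 0          # every counter below this value has been consumed
        self.look_ahead = look_ahead   # tolerate a few token presses the server never saw

    def verify(self, code: str) -> bool:
        # Accept only counters at or beyond next_counter; anything earlier is a replay.
        for c in range(self.next_counter, self.next_counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.next_counter = c + 1   # consume this counter and all before it
                return True
        return False


def keylogger_replay_demo() -> dict:
    """Constructed scenario: one genuine login, a keylogger captures the keystrokes,
    the captured string is replayed, then the user logs in again with the next code."""
    secret = b"12345678901234567890"   # RFC 4226 test secret, demo data only
    server = OtpVerifier(secret)
    token_counter = 0                  # counter held inside the user's token

    typed = hotp(secret, token_counter)   # the user reads this off the token and types it
    token_counter += 1
    first_login = server.verify(typed)    # genuine login succeeds

    captured = typed                      # a keylogger saw exactly this string
    replay = server.verify(captured)      # replaying it fails: counter 0 is already spent

    next_code = hotp(secret, token_counter)
    second_login = server.verify(next_code)   # the user's next code still works

    return {
        "first_login": first_login,
        "replay": replay,
        "second_login": second_login,
        "captured": captured,
    }


if __name__ == "__main__":
    print(keylogger_replay_demo())
```

With a static password the same captured string would log the attacker in indefinitely; here `verify` returns `False` for the replay because the server has moved past the counter that produced it. The `compare_digest` call keeps the comparison constant-time, and the look-ahead window is what lets a real deployment tolerate a user who pressed the token button a few times without logging in.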