Imagine a world where the password is a historical footnote. That’s the goal animating a broad coalition of government agencies, tech companies, and security experts who are building better ways for us to access our accounts.
Members of that coalition came together today in Washington to mark the first Two-Factor Tuesday, where they discussed how to push the world beyond an era in which “security” means a memorable but vulnerable string of letters and numbers.
Passwords are “irrevocably broken,” said Stephan Somogyi, a product manager for security and privacy at Google, whose D.C. office hosted the event.
Google is one of several companies with an app that supports the login process known as “two-factor authentication,” in which users enter their password plus a short temporary code that is only displayed on their mobile device. The concept behind two-factor is “something you know (your password) plus something you have (your phone, which displays the temporary code).” But even this process, the namesake of Two-Factor Tuesdays, isn’t completely intuitive or easy. Having to take out one’s phone and open an app every time one wants to access an account is tiresome. And so people have not migrated to adopt two-factor authentication. This need to balance security with usability was one of the key themes of the event.
One of the groups at the forefront of improved authentication is the FIDO Alliance, a group of banks, operating system developers, computer manufacturers, chip makers, and other tech companies working on better ways to enhance the login process. FIDO develops standards for key fobs—the small devices that display a rotating code in much the same way as Google’s Authenticator app. Brett McDowell, executive director of the FIDO Alliance, said that the world needed a “fundamentally new model” to replace passwords.
The more companies that offered two-factor authentication, the more likely it was to become a consumer expectation.
Panelists at the event acknowledged that most consumers were not keen to change their login routines by adopting key fobs or two-factor apps, even as they expressed optimism that they could change that by tweaking how they built and deployed stronger authentication.
Marc Boroditsky, vice president and general manager at the authentication firm Authy, said that the two keys to wider adoption of two-factor were accommodating users with an easy login process and winning “the hearts and minds” of the developers who usually make security recommendations to their bosses.
The lead government agency trying to build better authentication options is the National Institute of Standards and Technology. Through the National Strategy for Trusted Identities in Cyberspace (NSTIC), the agency funds pilot programs for new login methods that it hopes will achieve widespread adoption.
Sean Brooks, a privacy engineer at NIST, said during a panel that it was incumbent on companies to jump into this space and lead by example. The more companies that offered two-factor authentication, the more likely it was to become a consumer expectation. “You’re building momentum for an expectation that this exists in the marketplace,” he said.
Brooks also argued that sluggish two-factor adoption could be chalked up to security organizations doing a poor job of communicating their benefits. “People understand and they care about risks,” he said. “These are risks like, ‘This is what’s going to happen to you. You’re going to lose money. You’re going to be embarrassed.'”
Whereas the United States dominated cyberspace in the early years, it now represents a unique liability for the U.S. government that does not exist with land, sea, air, or space.
The conversation around cybersecurity has never been as urgent or omnipresent as it is now, in the wake of high-profile corporate and government data breaches exposing tens of millions of Americans’ personal information. The 2014 Sony hack looms large in the minds of corporate managers looking to prevent rogue employees from spilling sensitive internal email chains, and the June data breach at the Office of Personnel Management serves as a reminder that the federal IT efforts are paltry compared to the scope of the threat.
Michael Daniel, President Barack Obama‘s cybersecurity coordinator, said in opening remarks before a pair of three-person panels that the world was reaching a “strategic inflection point” in cyberspace. Whereas the United States dominated cyberspace in the early years, it now represents a unique liability for the U.S. government that does not exist with land, sea, air, or space.
Daniel, who has previously expressed a desire to kill the password, said that shifting to stronger login methods would be a way to shift the burden from the defenders to the attackers. By overhauling authentication, he said, “we can make life a lot harder for” our adversaries. We can, he said, “disrupt their weekends instead of mine.”
In brief remarks before he returned to the White House, Daniel touted the progress the government had made since the OPM hack in improving federal employees’ security procedures. He said that his office had used the hack as an opportunity to push solutions like personal identity verification (PIV) cards, and he noted that nearly every federal employee with administrator privileges now used two-factor authentication. (Nearly 70 percent of non-administrators now use the method, he added.)
Derek Hanson, a software architect at key-fob manufacturer Yubico, noted during a panel discussion that most companies understood the value of post-password security practices, even if they were reticent to make the jump. Businesses, he said, understand the risks to their customers and to their bottom line of allowing a security breach to occur by overlooking ways to prevent it.
Consumers, too, understand the need for security, and some of them are eager for companies to switch to more-secure logins. Eric Doerr, Microsoft‘s general manager of identity, said that the Uber driver who took him to the airport for his flight to Washington surprised him by getting excited when he explained what he did at Microsoft.
Yet Doerr also said that educating consumers about authentication wasn’t a prerequisite to implementing it. Banks, he said, already require forms of two-factor authentication when they ask for personal information to verify account activity, and no one bats an eye at that step. He proposed that more industries follow those banks’ example and simply start requiring new forms of authentication in ways that fit naturally into the login process.
“You can just kind of start,” Doerr said, “and start to make some real progress.”
There is cause for optimism about corporate cybersecurity. As more companies switch to two-factor and other forms of strong authentication, it becomes harder for the stragglers to resist. Boroditsky described the situation in terms of inertia. Companies, he said, had lists of objections to moving away from simple passwords. In the past, problems with two-factor made it easier for them to resist. But as those problems have fallen away, the objection lists have gotten shorter. Adoption was fueling adoption; it was a vicarious cycle.
Somogyi said that he would support a government mandate for certain types of companies and organizations to use multi-factor authentication, but he stressed that the mandate needed to set goals for the average user’s experience rather than for the technology involved. Authentication technology changed too fast, he said, for the mandate to specify steps. Instead, it should specify outcomes.
Congress is unlikely to pass legislation requiring two-factor authentication. But the overriding lesson from the first Two-Factor Tuesday is that it is imperative that our increasingly networked world move beyond passwords as soon as possible.
Boroditsky warned that continued data breaches could even push people away from using the Internet to transmit their sensitive data. “If we don’t get this right,” he said, “we may get to some sort of logical plateau where consumers pull back” from filing things like medical records online.
“Trust,” he added, “is in jeopardy.”
Photo by Eric Geller