Passwords are outdated and “inevitably” fall into the hands of cybercriminals, according to a new advocacy group, Petition Against Passwords.
The group aims to encourage digital service providers to move towards “password-less” authentication systems. The Petition will launch on July 24, and is backed by LaunchKey, OneID and Nok Nok Labs, as well as identity management startup Clef, which offers a smartphone-based authentication system.
“Because passwords must be stored on a central server, sites are tasked with protecting them from a persistent onslaught of attacks. Even the best protected servers eventually fall. The results can cost the company millions of dollars and drastically impact consumer trust,” says Brennen Byrne, CEO of Clef, according to a report by PC World.
The movement comes in the wake of a number of high-profile breaches where customer data was accessed or compromised, including attacks on Sony, Ubisoft, daily deals site LivingSocial, LinkedIn, Zappos and Evernote. When passwords are published online after such data breaches, insecure choices such as “123456” and “password” remain among the most commonly used.
ESET Senior Research Fellow David Harley says in a blog post, “The sad fact is, static passwords are a superficially cheap but conceptually unsatisfactory solution to a very difficult problem, especially if they aren’t protected by supplementary techniques. Biometrics and one-time passwords and tokens are much more secure, especially when implemented in hardware as a two-factor authentication measure.”
Other pressure groups such as the Fast Identity Online (FIDO) Alliance aim to replace passwords with a secure, industry-supported protocol which is also easy to use. FIDO is investigating technologies such as fingerprint scanners, voice and facial recognition, and existing solutions such as Near Field Communication (NFC) and One Time Passwords (OTP), with a view to creating an integrated solution.
Author Rob Waugh, We Live Security