Passwordless Authentication: Weighing the Options

Captions
Hold on, I'm entering my password. You won't tell anybody, right? This is what a password looks like for a security guy, and we'll just let it autocomplete, if only it could do that in the real world. Well, a really good password looks like this. You can remember that, right? Piece of cake. Well, maybe not. What would be better than a really good, complex, secure password? I'll tell you this: no password. Would you like that? Yeah, let's get rid of the password entirely, but let's not compromise on security. Is there a way to do that, where you can have security and convenience at the same time? Sounds kind of crazy, but let's take a look.

Okay, so what's the problem with passwords? Well, it turns out this is the face of the enemy when it comes to passwords: it's people. Because if left to their own devices, this is what people are going to choose as their passwords. We know this because we can look and see, when there have been password breaches, what those passwords were that were most frequently chosen. Here's a favorite of mine. Yeah, people really choose that as their password. So people pick bad passwords. Then they can't even remember the bad passwords that they selected, especially if they were good enough to pick a good password, which is even harder to remember. And then what do they do? They put that same password on every single system that they use, so that if one of these systems falls, then they all fall, and all an attacker has to do is figure out how to get into one, and then they can get into everything in that person's life.

So one of the options, then, that people have looked at, and it's a solid option if you have to use a password, is a password manager. Let's take a look at how that works. So here we've got a user, and they're going to log into a piece of software we'll call a password manager, and it's going to store strong, unique passwords for every single system that they need to log into. So there's a whole bunch of these back here; it keeps a unique password for each one. The user does not have to remember that; they just have to know how to log into the password manager, and then the rest of it's handled for them. Beautiful, until you consider the fact that we still have these guys out here, the bad guys. And what if this guy sends an email to this person, a phishing email, that convinces them to then click on the phishing website, which is a bad website, and it looks like a legitimate website? They try to log in, they enter their password, and even if the password came from the password manager, even if it was really secure, this guy has now got your credentials. That's one problem. Another problem: what if this guy figures out how to break into one of these systems, any of them? The password that you have is stored in probably a hashed form, at least we hope it's been encrypted with a one-way hash; if not, it's even worse. If they have that and they're able to then later brute force and break that password, well, then this guy still wins. So the fact that a password exists is already a problem in the first place, because that password has to exist in lots of different places, potentially here as well. So that's the problem space. Again, passwordless, if we can get rid of the things entirely without compromising security, would be a better option. Let's take a look at how we could do that.

So authentication, that is, answering the question "who are you?", is based upon three different things. It's based upon something you know, something you have, or something you are. Something you know would be a password or PIN. Something you have: a particular device, for instance, that you carry around with you. Something you are would be a biometric, a measurement of your physical characteristics. And multifactor authentication, or MFA, is where we basically combine multiples of these, sometimes all three, sometimes just two, and combine these into a soup that then gives us higher confidence that you are who you claim to be.

Okay, let's take a look at what some of the alternatives are, and what we could use these for, and where their strengths and weaknesses are. Now I'm going to tell you, this is going to be a little controversial. Some of you are going to disagree with the way I characterize these. There are a lot of variables, so I'm having to generalize, so give me a little space on this, but this is in general what I think about this.

One possibility is to get rid of passwords and use a hardware token, a device, a separate device that you carry around with you. Some of the early versions of these had an LCD display with a six-digit number that changed every 60 seconds or so, and you had to keep that with you. Well, from a cost perspective, not so good, because you're adding an additional device, and that additional device gets lost or stolen, breaks, has to be replaced, and so people were famous for losing these things all the time. From a convenience standpoint, definitely not convenient, because now that's another thing I've got to keep up with. How about from a security standpoint? Well, security-wise it was actually pretty good, and you could use this in combination, as I mentioned, with multiple factors, but a lot of times you might just use this by itself, and if you used it just by itself, it still might be more secure, you could argue, than just a basic user-chosen password, because people choose bad passwords.

Now how about another option: a one-time password, a one-time thing that is only used for a specific period of time and then it times out. A classic example of this, you see these all the time: you go to log in and then it sends you a text message with a six-digit code. And so the cost of that is not bad; we can generate SMS messages pretty easily. Sometimes we do them in emails, sometimes even an app will pop up and do it, but we'll take a look at this example. However, from a just general convenience standpoint, well, it may or may not be very convenient. That's going to kind of depend on how the particular implementation is done. Some of the devices now are smart enough to be able to read that automatically for you and stuff it into the field for you. In that case the convenience is not bad; you just have to wait a little while. But otherwise, if you're having to type that in, it's not so convenient to do something like that. How about from a security standpoint? I'd say this is pretty good. It's definitely an improvement, because it's having to in fact prove that you have something. In fact, we could take a look back at these different alternatives and say this is based upon something you have, this is also based upon something that you have, and so we're using these in addition maybe to a password, or in place of a password.

Then using a push notification to an app is another possibility. You have an app already installed on your phone, you pre-registered the phone, and when you go to log in it pops up a message on your phone, and you look at that, and then you basically unlock your phone with a PIN that you have chosen. Well, okay, how do we think about this? Well, the cost is not bad. Most people have a phone with them already, a mobile phone, so we're not having to deploy new devices that have to be dealt with in that way. From a convenience standpoint, again pretty convenient, because if you're like me, your phone is rarely more than arm's length away from you most of the time anyway. So it's already there; it's not an additional device that you're having to carry. And then from a security standpoint, yeah, I think it's better than just a self-chosen password, because again people are really pretty bad at choosing passwords, and in this case now we're combining something you have, the pre-registered phone, with something that you know, a particular PIN. So you use that then to do a multifactor form, and again no real password, although you could argue this is a little bit like a password.

How about a different form of this: a push notification with a biometric? So the push notification pops up on your phone, then you either look at the phone and use facial recognition or fingerprint recognition or some form of biometric. So now we're combining something you have along with something you are. And how does this stack up? Well, again the cost is pretty low, because we can usually do this from your mobile phone, and most people have one of those. Convenience: you've already got this sitting around with you. I would argue this gets actually more secure than some of the other things, because it's going to be harder to replicate, assuming that the biometric reader is good. It's going to be harder to replicate your face or your fingerprint than it would be a six-digit PIN, so that information could exist in multiple places, for instance.

And then finally, the one that I think is the best of these alternatives would be FIDO, which is the Fast Identity Online standard. I did a video on this earlier, so actually two videos, so go take a look at those if you want to know more about how this works. But it's cryptographic; it uses PKI along with a biometric for you to unlock the cryptographic keys, and then those are exchanged. And the beautiful thing about this is there's no password stored on the server. There's no password to steal, therefore no password to phish. So it deals with a lot of the issues that we saw with some of the previous options that deal with passwords, and you don't have to remember anything. In most cases you just look at your phone and unlock it and you're done. So that's something you have, a pre-registered device, plus something you are: multifactor, cryptographically strong. How does this show up on the score sheet? Well, I'm going to say its cost is pretty similar to all these others. In fact, passwords, by the way, are not free, because the number one call to most help desks is "reset my password", and those calls are anywhere from $20 to $50 a call. So most organizations are spending a lot on passwords and just don't really realize it. Then from a convenience standpoint, again, it doesn't get much easier than: a push notification pops up, I look at my phone, I unlock the phone, that's it. From a security standpoint, I'll argue this is the one that is the most secure, because we're leveraging a lot of different things here. It's multifactor authentication, it's using a biometric, it's getting rid of a password, therefore a password can't be stolen because it never existed in the first place. So lots of possibilities here. And by the way, if you want to, you can sync those keys across multiple devices to make it simpler as well.

Okay, now we've taken a look at some of the more popular options for replacing passwords. In some cases they're used along with passwords to strengthen them, but they could be viable alternatives to get rid of passwords and take those nasty things out of your life altogether. Basically, we in security are always trying to balance the tradeoffs between high security and high convenience. Users love this and security people love this. Anytime we get a chance to optimize on both of those, that's a win for both sides. Then it's like we can have our cake and eat it too, and I do love cake. If you like this video and want to see more like it, please like and subscribe. If you have any questions or want to share your thoughts about this topic, please leave a comment below.
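The FIDO passage above describes public-key login with no password on the server and therefore nothing to phish, and the earlier password-manager passage describes the two ways a password still loses: a look-alike phishing page, and a breached server database that can be brute-forced offline. The following Go program, added here as an illustration and not code from IBM or from the video, models that exchange end to end with one Ed25519 key pair per origin: registration stores only a public key, login signs a server-issued challenge bound to the origin the browser talked to, and three runs show a legitimate login, a replayed assertion, and a phishing relay. The names (RelyingParty, Authenticator, bank.example, bank-login.example, alice) are invented for the example; it is a teaching model of the idea, not an implementation of the FIDO2/WebAuthn message formats.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// RelyingParty is the server. All it stores per user is a public key; there is no
// password or other secret to steal, phish or brute-force if this store leaks.
type RelyingParty struct {
	ID         string // the origin the user's browser reports, e.g. "bank.example"
	Users      map[string]ed25519.PublicKey
	challenges map[string][]byte // one outstanding single-use challenge per user
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{id, map[string]ed25519.PublicKey{}, map[string][]byte{}}
}

// Authenticator is the user's device: one private key per rpID, usable only after
// the user unlocks the device (biometric or PIN), and the key never leaves it.
type Authenticator struct{ keys map[string]ed25519.PrivateKey }

func NewAuthenticator() *Authenticator { return &Authenticator{map[string]ed25519.PrivateKey{}} }

// Register creates a key pair scoped to rpID and hands back only the public half.
func (a *Authenticator) Register(rpID string) ed25519.PublicKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // no entropy on the device: refuse rather than mint a weak key
	}
	a.keys[rpID] = priv
	return pub
}

// signedMessage binds the signature to the origin the browser actually talked to,
// not just to the challenge; that binding is what defeats a phishing relay.
func signedMessage(rpID string, challenge []byte) []byte {
	return append(append([]byte(rpID), 0), challenge...) // 0 separates the two fields
}

// Assertion is the device's signed answer to a login challenge.
type Assertion struct {
	RPID                 string
	Challenge, Signature []byte
}

// Assert signs a challenge for rpID. A look-alike domain the user never registered
// with simply has no credential on the device.
func (a *Authenticator) Assert(rpID string, challenge []byte) (Assertion, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return Assertion{}, fmt.Errorf("no credential registered for %q", rpID)
	}
	return Assertion{rpID, challenge, ed25519.Sign(priv, signedMessage(rpID, challenge))}, nil
}

// Challenge issues a fresh random challenge for user; Verify accepts it exactly once.
func (rp *RelyingParty) Challenge(user string) []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err) // no entropy: refuse rather than issue a guessable challenge
	}
	rp.challenges[user] = c
	return c
}

// Verify checks user, challenge freshness, origin and signature. The challenge is
// consumed on every attempt, so a captured assertion cannot be replayed.
func (rp *RelyingParty) Verify(user string, resp Assertion) error {
	pub, want := rp.Users[user], rp.challenges[user]
	delete(rp.challenges, user)
	switch {
	case pub == nil:
		return errors.New("unknown user")
	case want == nil || string(want) != string(resp.Challenge):
		return errors.New("challenge missing, stale or already used")
	case resp.RPID != rp.ID:
		return errors.New("assertion was made for a different origin")
	case !ed25519.Verify(pub, signedMessage(rp.ID, resp.Challenge), resp.Signature):
		return errors.New("bad signature")
	}
	return nil
}

// Demo runs a legitimate login, a replay of it, and a phishing relay: the attacker's
// site (bank-login.example) enrolled the user, relays a real bank challenge to the
// device, and relabels the signed result as if it had been made for the bank.
func Demo() (legit, replay, relay error) {
	bank, device := NewRelyingParty("bank.example"), NewAuthenticator()
	bank.Users["alice"] = device.Register(bank.ID)
	resp, _ := device.Assert(bank.ID, bank.Challenge("alice"))
	legit = bank.Verify("alice", resp)  // nil: accepted
	replay = bank.Verify("alice", resp) // error: challenge already consumed
	phish := NewRelyingParty("bank-login.example")
	phish.Users["alice"] = device.Register(phish.ID)
	relayed, _ := device.Assert(phish.ID, bank.Challenge("alice")) // signed for the phishing origin
	relayed.RPID = bank.ID                                         // attacker relabels it as the bank's
	relay = bank.Verify("alice", relayed)                          // error: bad signature
	return legit, replay, relay
}

func main() { fmt.Println(Demo()) }
```

The two properties the speaker relies on are visible in the code rather than asserted: the server's Users map holds public keys only, so a breach of it gives an attacker nothing to brute-force, and because the signature covers the origin the browser actually talked to, a challenge relayed through a look-alike site fails verification at the real site even when the attacker rewrites the origin label. Real WebAuthn adds a signature counter, attestation and user-presence flags on top of this skeleton, but the core check is the same: fresh challenge, correct origin, valid signature.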
Info
Channel: IBM Technology
Views: 16,167
Keywords: IBM, IBM Cloud, password security, biometric authentication, FIDO standard, multi-factor authentication, secure passwords, password alternatives, authentication methods, cybersecurity, password manager, biometric security, FIDO
Id: f6LD9sDKQq8
Length: 11min 40sec (700 seconds)
Published: Mon Jul 08 2024