Chances are you’ve had to enter at least one password in order to read this article online. Passwords are a convenient way of deciding who is allowed to access a given resource, but they have limitations, including the following:
- Passwords are too easy to guess (e.g. password123, a name, a date of birth, etc.)
- Passwords can be obtained via a brute force attack (dictionary based)
- They can be compromised centrally
- Strong passwords are invariably written down somewhere as a reminder
- Passwords can be forgotten, and resetting them costs hours of working time (and therefore money)
- Someone connected to your network might intercept your password as you log in, using network tools that monitor the local Wi-Fi hotspot
- Someone physically near you may observe you entering your password as you type
- They can be reused across multiple systems, so a single compromise exposes several accounts
It could be argued, though, that these are not limitations of the password per se, but rather issues with:
- Password policy allowing passwords that are too simple or requiring those that are too complex
- Inadequate security around the system that holds the password repository, user directory, etc.
- Users not being educated in the way to create memorable passwords without having to write them down (e.g. four memorable words as one password is harder to crack than one non-dictionary word)
- Inadequate network security… and so on.
Password Alternatives
There are a number of alternatives to password-only systems, including biometrics and the use of multi-factor authentication. Authentication systems are now also being built on blockchain technology, which is designed on the premise that a decentralised system is better than a centralised one. Multiple, publicly visible, shared copies of the data exist across the blockchain; all transactions are stored as blocks and are reconciled among the members at a set frequency. This prevents an attack on an individual server in the blockchain from compromising the data as a whole.
REMME is a company based in Ukraine, which saw first-hand how devastating cyberattacks can be when the country’s electricity system was disabled by hackers in December 2015.
REMME’s technology leverages a distributed public key infrastructure to authenticate users and devices. Instead of a password, REMME gives each device its own SSL certificate. The certificate data is managed on the blockchain by associating a bitcoin address with a certificate, which makes it extremely difficult for malicious hackers to use fake certificates. Certificates can also be revoked using CRLs (Certificate Revocation Lists) or via OCSP (Online Certificate Status Protocol). The platform also uses two-factor authentication to further enhance security for its users. It appears to have some traction with energy companies looking to improve their security and defend against cyberattacks.
This puts REMME into the IDaaS (Identity as a Service) category. The company sees its key advantages over the most common existing solutions as:
- eliminating passwords completely: no PINs or master keys;
- no central server and account database;
- no central certificate authority (in comparison with traditional PKI infrastructure);
- REMME can be built on top of a number of different blockchains (e.g. Bitcoin, Ethereum, etc.) and sidechains (e.g. Rootstock, Exonum, etc.), as per the company’s requirements.
What is the breadth of use cases for this type of authentication technology? In scenarios where passwords are a weak link when used on their own, this infrastructure may have possibilities. The use of two-factor authentication also provides a more secure method of authentication. After all, if you lose your SSL certificate (or it’s stolen), the system you’re trying to access is just as vulnerable as one with a compromised password.
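As an added illustration (not REMME’s code and not from the original post), here is a minimal version of the certificate-based login described above, in Go using only the standard library: each device is enrolled under a private CA, and the server authenticates it by validating the certificate chain, checking a revocation list and verifying the device’s signature over a fresh nonce. The private CA and the in-memory revoked set are assumptions that stand in for REMME’s blockchain-anchored certificate registry and for the CRL/OCSP lookup; the second factor is not shown.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// issue signs a certificate for pub; a nil parent means self-signed, i.e. the CA's own certificate.
func issue(cn string, serial int64, pub ed25519.PublicKey, parent *x509.Certificate, signer ed25519.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, BasicConstraintsValid: true,
		IsCA: parent == nil, NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// Setup enrols one device under a private CA (an assumption standing in for REMME's registry); devKey never leaves the device, which logs in by presenting dev plus ed25519.Sign(devKey, nonce).
func Setup() (roots *x509.CertPool, dev *x509.Certificate, devKey ed25519.PrivateKey) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	devPub, devKey, _ := ed25519.GenerateKey(rand.Reader)
	ca := issue("Device CA", 1, caPub, nil, caKey)
	roots = x509.NewCertPool()
	roots.AddCert(ca)
	return roots, issue("device-0001", 2, devPub, ca, caKey), devKey
}

// Authenticate is the server side: the certificate must chain to a trusted root and not be in revoked (a stand-in for the CRL/OCSP lookup), and the nonce signature proves possession of the private key; no secret ever crosses the wire.
func Authenticate(roots *x509.CertPool, revoked map[string]bool, cert *x509.Certificate, nonce, sig []byte) error {
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return err
	}
	if revoked[cert.SerialNumber.String()] {
		return errors.New("certificate revoked")
	}
	if pub, ok := cert.PublicKey.(ed25519.PublicKey); !ok || !ed25519.Verify(pub, nonce, sig) {
		return errors.New("proof of possession failed")
	}
	return nil
}
```

A stolen device key passes every check here, which is exactly the caveat in the paragraph above; the revocation check is what limits the damage once the loss is noticed.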
Where Passwords Will Survive... And Where They Won't
In conclusion, the password has survived many attempts to kill it off and, in my opinion, will continue to do so. Its ease of implementation and management, especially in low-risk systems, means that it will be the authentication method of choice for some time to come. However, the advent of blockchain technology has given rise to different uses that allow applications to make use of its security features (e.g. being more difficult to hack than a conventional system). This can make the application of this technology a major player when considering authentication methods that protect highly sensitive assets.
Terence Stamp is a senior applications consultant at Capgemini.