This New Year’s resolution? Dropping usernames & passwords.

by Gene Shablygin, on Mon 08 January 2018

People often ask me – what single thing is most important for improving security? After 20 years of working with many aspects of IT security, I would say – the single worst thing in today’s security is usernames.

Passwords are insecure, and we need to get rid of them. But usernames, which are “human manageable credentials,” are often overlooked and dangerous.

Another popular but faulty assumption is that “something you are,” such as human biometrics, can replace the dreaded passwords.

Let’s take a new look at the well-known but often misunderstood process of authentication:

Indeed, the authentication (“login,” “logon” or “sign-in”) process consists of two very different steps. The first step is called “identification” – the moment when a person (or a device, in the Internet of Things world) claims who he or she is. In a sense, it’s the most important part of the process, because it’s where the system decides how to handle all future requests. In other words, based on the claim of who is requesting access, the system (website, database, etc.) pulls the information on the party logging in and prepares for the second stage – “verification.”

Here’s the thing: just asking for the username is insecure. As soon as a username is produced, the system is effectively half open – the verification factors for that specific account are ready to be examined (and possibly abused).

The growing popularity of biometric verification (fingerprints and, most recently, facial recognition) on personal devices has created the entirely wrong assumption that biometrics alone can be used for the whole authentication process, rather than for the verification step only. Indeed, mobile devices are single-user, so the identification stage is simply omitted. However, in systems with millions or billions of users, a false-negative and false-positive rate of 0.00001 (which current biometric solutions rarely achieve) is unacceptable for identification.
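To make this scaling argument concrete, here is an added example (not from the original post) that carries the quoted 0.00001 error rate through a 1:1 verification and a 1:N identification search; the population sizes are assumed for illustration, and comparisons against enrolled templates are treated as independent.

```python
# Added example, not from the original post. The per-comparison error rate 0.00001
# is the figure quoted in the post; the population sizes below are assumed.
import math

FALSE_MATCH_RATE = 0.00001  # per-comparison false-positive rate quoted in the post


def verification_false_accept(far: float = FALSE_MATCH_RATE) -> float:
    """1:1 verification: the identity is already claimed, so exactly one comparison
    is made. The chance that an impostor is wrongly accepted is the per-comparison rate."""
    return far


def identification_false_match_probability(n_users: int, far: float = FALSE_MATCH_RATE) -> float:
    """1:N identification: nobody has claimed an identity, so the probe is compared
    against every enrolled template. Assuming independent comparisons, the probability
    that at least one wrong template matches is 1 - (1 - far)^N."""
    return 1.0 - (1.0 - far) ** n_users


def expected_false_matches(n_users: int, far: float = FALSE_MATCH_RATE) -> float:
    """Expected number of wrong templates that match a single probe in a 1:N search."""
    return n_users * far


def users_until_false_match_likely(far: float = FALSE_MATCH_RATE, p: float = 0.5) -> int:
    """Smallest population at which a single probe has probability >= p of matching
    at least one wrong template: solve 1 - (1 - far)^N >= p for N."""
    return math.ceil(math.log(1.0 - p) / math.log(1.0 - far))


if __name__ == "__main__":
    # Assumed population sizes: small office, mid-size enterprise, consumer service, global service.
    for n in (100, 100_000, 1_000_000, 1_000_000_000):
        print(f"N={n:>13,}  P(>=1 false match)={identification_false_match_probability(n):.5f}"
              f"  expected false matches per probe={expected_false_matches(n):,.1f}")
    print(f"1:1 verification false-accept probability: {verification_false_accept():.5f}")
    print(f"population where a false match is more likely than not: {users_until_false_match_likely():,}")
```

At one million enrolled users the same sensor that is fine for unlocking a single-user phone returns about ten wrong candidates for every probe, which is why the post keeps biometrics in the verification step and wants identification done by something else.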

The only feasible way to properly identify a user (before moving on to one or more verification steps) is to use something the user has. This “thing” should be very secure, and at the same time, in case it is lost or stolen, the process of revoking the lost device and assigning the identification features to a new device should be well defined, secure and convenient.

For top-secret government agents this “thing” should be a proprietary token (card, bracelet, dongle) with all possible and impossible security enhancements. The rest of us already carry the necessary device with us everywhere – it’s our smartphone.

After proper (and secure) identification of the user, additional factors (such as “something you know,” “something you are,” “where you are,” “what time is it?” etc.) may be added to the verification process, if necessary.

The bottom line: if there is a single thing you can do for your IT system, for your corporate security, for your employees, your users and your customers in 2018 – eliminate usernames for good.

Learn more on how to do this by contacting us today.