Yahoo recently unveiled a new product strategy for authentication to its suite of products. The scheme allows users to authenticate without a static password, using an “on-demand" password, sent to the users phone via SMS. In effect, Yahoo is parting ways with the standard password model.
Yahoo’s attention to the topic of authentication is commendable. The topic does not get nearly enough attention from the large internet firms. “Moving beyond the password” has been a desire of the security community for some time, and it’s good to keep the discussion going. However, Yahoo’s approach misses the mark.
The scheme does add some additional security over a static password, as the generated passwords are one time use. Thus, if the password is compromised, it will only provide an attacker a limited time window to take action on it. In addition, the scheme nullifies the tendency of users to employ the same password across multiple sites. However, it’s important to note that this scheme is still “single-factor” authentication. In other words, it is only relying on one element to decide whether or not to grant the user access. If the user’s device is stolen, the thief may be given full access to the account in question.
"Moving beyond the password" does not necessitate doing away with it completely. A two-factor approach of a strong static password, something the user “knows”, and a personal device, something the user “has”, will always offer a much greater level of security.
When many people think of two-factor authentication, they think of the preceding concept: a static password and a pin code sent to a phone. That doesn’t have to be the case. A factor is a malleable concept. A factor could be a biometric, something the user “is”, such as a fingerprint or facial structure. It can even be a behavior, such as the way they hold and move a personal device.
This week also brought another major announcement in the authentication space, with Microsoft announcing Windows Hello. Windows Hello will allow users to authenticate using the combination of a device and a biometric, declaring "system support for biometric authentication – using your face, iris, or fingerprint to unlock your devices.” Microsoft is also expressing the desire to move away from the standard password model, but in a way that is more understanding of the need for multiple factors.
Abandoning the use of simple passwords as the primary access control measure is imperative. The fact that Yahoo and Microsoft, two very powerful technology companies, are pushing the envelope is encouraging. However, we must innovate in a responsible way, in a way that is increasing overall security without significantly impacting productivity.
The extremely personal nature of the Apple iCloud breach made the general populace more accepting of the use of multiple factors for authentication. It’s important that we continue along that path and not the converse of simply trading one factor for another.
For more on the topic of innovation in the authentication space, check out the white paper “Preventing Attackers from Getting What They Want”, by SecureAuth CTO Keith Graham.