Writing for The Guardian, journalist Andy Meek asks whether the rising number of cyber attacks ultimately spells the end of username-and-password security.
“The username and password has long been the basic set of authentication credentials that grants access into computer and web-based systems and networks,” he explains.
“But in light of recent data breaches, at least one regulator – New York State’s department of financial services, which supervises banks and insurance companies – is reportedly looking at imposing stricter security guidelines on the companies it supervises.”
Nevertheless, Paul Kocher, president and chief scientist at the Rambus Cryptography Research Division (CRD), says reports of the death of passwords have been greatly exaggerated.
“Passwords are horrible from a security perspective, but they are also really seductive for service operations because they are free, decentralized and supported by all users and their existing devices,” Kocher told The Guardian. “The problem with passwords, as well as many other security technologies, is that they assume human beings are infallible.”
According to Kocher, password alternatives have worked well for high-value relationships, including employee credentials and credit card payments, but haven’t effectively scaled to the web. As such, Kocher says macro trends currently favor attackers, with the overall security “mess” expected to worsen over the next several years.
Bruce Schneier, a leading voice on cybersecurity and board member of the Electronic Frontier Foundation (EFF), expressed similar sentiments to the UK-based publication, opining that too many companies have told themselves “improving our security doesn’t make us money.”
“Too many of them have decided that it’s cheaper just to accept the fraud,” Schneier said. “Security is viewed as a trade-off. Why should a company spend more money than the thing is worth? One of the reasons banks often have such low security is they’ve decided it’s cheaper to pay the losses.”
Meanwhile, security expert Brian Krebs told The Guardian that authentication and authorization are difficult concepts to implement.
“Authorizing the right person is a problem that’s hard to solve and really smart people are out there working on good approaches. In most of these systems, it’s not the technology that breaks down in the way it was implemented. People are definitely the weakest link. Security is about layering on defenses – about not putting all your eggs in one basket,” he concluded.