When passwords are not enough: alternatives to consider
Three alternatives to passwords, which can be used to increase the security of critical resources, are examined.
In a number of our earlier posts, particularly those dealing with privacy and security, we remind everyone to set strong passwords – see, for example, How secure are your passwords? However, given the considerable processing power and the software programmes that are readily available to those who might want to breach our security, industry experts have acknowledged that, regardless of our best efforts to generate and manage strong passwords, they can still be cracked relatively easily. This post highlights options that could be considered when passwords and passcodes should not be the sole security control for the crucial physical and electronic resources upon which we rely.
Biometric authentication has been around for several years and is based on using human characteristics or traits to confirm a person’s identity. Many of us are familiar with biometrics through movies, which frequently show irises, retinas and fingerprints being scanned, or from travelling to countries such as the United States, where facial recognition and fingerprinting are used at Immigration/Border Control. Moreover, a number of mass-market computing devices, such as laptops and smartphones, either have built-in biometric capabilities, or there are hardware or software options through which they can be implemented, as highlighted below:
- Many of the popular laptop brands (e.g. IBM/Lenovo, Toshiba, Dell) have had biometric fingerprint scanner capability available and integrated into their design for a number of years.
- There are biometric mobile apps for both the iPhone and Android-based smartphones on the market that use iris, voice, facial, hand geometry and signature recognition.
- Tactivo is a case for the iPhone that provides fingerprint scanning and smartcard reading capabilities, which can be implemented separately or together. However, the price point for this accessory (MSRP USD 249.00) might make it more attractive to businesses/enterprises than to the average consumer.
- Apple has patented a fingerprint scanner to unlock the iPhone. Experts hope it will be included in the next device iteration, the iPhone 6 (Source: TechRadar).
Unlike passwords, which typically are between six and 14 characters, a passphrase consists of a series of words or text that is used for security control purposes. One of the key benefits of passphrases over passwords is that the considerably longer length of the code allows for increased complexity, which, at the very least, can make a successful breach more difficult. However, in order to be a marked improvement over passwords, at a minimum, passphrases ought to be:
- long, at least 20 characters, so that they would be hard to guess,
- not a popular quotation or saying,
- hard for persons who know you to guess, and
- a combination of numbers, upper and lower case letters, and symbols, as the system might allow.
It is also important to highlight that, similar to passwords, passphrases should be easy to remember, and should not be reused between websites, applications, etc.
Security or authentication tokens are used to confirm a person’s identity, and can be used to replace passwords or to add an extra level of security to an existing system. These tokens can take many forms: hardware-based, such as a smart card or USB dongle, or electronically generated and transmitted (with wireless encryption) to mobile or portable devices. Additionally, for electronic tokens in particular, there is the potential to generate new security codes as and when necessary, e.g. for each new transaction, which again reduces the likelihood of a successful intrusion.
Authentication tokens are widely used by the banking industry to supplement the customer password. A few banks in the Caribbean have already introduced this level of security, but this is still the exception, rather than the norm. The video clip below describes how the security token for Citi works, where customers are provided with a physical device that generates the tokens needed to complete their online transactions.
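To illustrate how a device can produce a fresh code for every transaction, here is an added example (not code from the post, and not a description of Citi's particular device) of the HMAC-based one-time password algorithm from RFC 4226, together with a server-side check that accepts each code only once. The shared secret is the RFC's own test value; the look-ahead window size is an assumption.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password.
    The token and the bank share `secret`; each keeps a counter that moves
    on with every code used, so a code copied by an eavesdropper does not
    work for the next transaction."""
    msg = struct.pack(">Q", counter)                  # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                        # dynamic truncation (RFC 4226 5.3)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TokenVerifier:
    """Server side: accepts a code once, within a small look-ahead window
    (for codes generated but never submitted), and never accepts a code
    for an already-consumed counter value again."""

    def __init__(self, secret: bytes, window: int = 5):
        self.secret = secret
        self.window = window          # assumed window; real systems tune this
        self.counter = 0              # next counter value the server expects

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1  # resynchronise and burn this and earlier codes
                return True
        return False


# Shared secret from the RFC 4226 test vectors (Appendix D), used here as
# constructed sample data; the first three codes it yields are 755224,
# 287082 and 359152.
DEMO_SECRET = b"12345678901234567890"
```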
Putting the pieces together
The above alternatives to the password all have distinct advantages, which can strengthen the security of devices and electronic accounts that need to be protected. However, it ought to be appreciated that none of these alternatives, any more than passwords, is infallible. They must still be prudently managed and controlled to limit the chances of successful interception or intrusion.
Nevertheless, for resources we consider highly valuable, it might be worth implementing a two- (or multi-) stage access control protocol, where one or more of the above options could be used to supplement passwords or passcodes. We, as individual users, can implement some of these options straightaway, such as using biometric authentication and passphrases. In some instances, it may require enhanced features of your device or account to be enabled, or an app and/or accessory to be purchased.
While some of us may baulk at the thought of having to spend money on device or account security, and would prefer to rely on free products and services, it might indeed be appropriate to remember: “you get what you pay for”. Hence, depending on how critical we consider the information or devices we are trying to protect, greater personal effort and commitment might be necessary.
Image credits: digitalart; twobee / FreeDigitalPhotos.net