Killing my passwords (with his tools)
As I prepped for this password killing journey, I couldn’t get the Fugees’ “Killing Me Softly” out of my head. Lauryn Hill kills it in that song (pun intended). So I wrote a little intro you can hum along to the tune…I’ll wait.
Feeling my pain with this access,
Attacking my sites with his scripts,
Killing my passwords with his tools,
Killing my passwords with his tools,
Telling the whole world, I’ve been p0wned,
Killing my passwords with his tools.
So we’re not killing anyone, and I am no lyricist, but everyone wants to kill the password, right? Certainly security folks wish for a day when a physical walk through the office doesn’t reveal a password taped to the keyboard or monitor or, if the user is really sneaky, under the mouse pad. For those fortunate enough to get through a physical inspection with no evidence lying around, routine directory scans that reveal passwords long listed among the top 100 worst passwords lead to abundant face-palm moments.
Users don’t like passwords and password maintenance, and security professionals don’t either. So is 2017 the year we can kill the password?
Unfortunately, the safe answer is still a solid no.
The quick reason comes back to the tenets of multi-factor authentication: something(s) you are, something(s) you know, and something(s) you have. The more of each of those tenets you have, the better the system can authenticate that you are who you claim to be. If you eliminate the something you know outright, without a means of strengthening the other areas, well, I’m guessing you’ve seen enough sci-fi, and enough of the very real talks at various security conferences, to know that what you are and what you have are factors that have already been overcome. What you are (identification info) is easily guessed, and what you have, in the form of biometric data, can be lifted. Articles abound on fingerprint biometric bypass techniques, but even retina scan technology isn’t without peril, as one researcher bypassed the scanner with only a high-resolution photo!
My recommendation: while deploying a password-less system is possible, in most cases it will weaken your access security posture, thereby increasing your risk of compromise.
Is there hope?
That doesn’t mean there isn’t hope on the horizon, though the password will “have a long tail.” Google has a couple of projects, Abacus and Trust API, which together combine biometric data (voice, face, fingerprint, etc.) with device behavioral analysis to build a trust score; apps can then authenticate the user (or not) at different thresholds. My password manager, Dashlane, is also collaborating with Google on Open YOLO, which is built on a similar (or the same? hard to tell at this point from the information available) trust API.
Forget the risk, show me how!
Sorry, I’m not going to bite. It wouldn’t be responsible of me, during security month no less! Yes, of course it’s possible; you’re talking about the BIG-IP! In fact, if you take any of the 2FA/MFA articles we’ve written on Google Authenticator or Yubikey, you can easily customize those solutions to remove the password requirement. Those resources are:
- 2FA with Google Authenticator and LDAP
- 2FA with Google Authenticator and APM
- 2FA with Yubikey and APM
- 2FA with Yubikey and LTM
For now, though, keep managing those passwords, and maybe next year we'll have a new story to tell!
- JRahmAdmin
Yeah, @Carl, Peter already flamed me for choosing the Fugees! I likes the beats... :)
- Carl_BrothersEmployee
While the Fugees did a decent version, I grew up listening to the Original by Roberta Flack, and prefer that one. https://www.youtube.com/watch?v=Dx1XtKbEtfE