Report makes case for moving beyond passwords

August 14, 2015

WASHINGTON (8/14/15)--The Federal Trade Commission (FTC) should start pushing for authentication measures beyond passwords, two professors claim in a report on improved authentication measures.

Daniel J. Solove of George Washington University and Woodrow Hartzog of Samford and Stanford universities released “Should the FTC Kill The Password? The Case for Better Authentication” this summer.

“We are in a data security crisis, with data security breaches occurring at a staggering rate. A major part of the reason involves problems authenticating the identity of account holders,” the paper begins. “The most common approach to authentication is the use of passwords, but it is increasingly clear that passwords are being used incorrectly in ways that make them a weak security mechanism.”

Short passwords are easy to guess, while long complex passwords are harder to remember, and repeating passwords across different accounts can lead to a number of portals being breached at once. These facts, as well as the ease by which hackers can trick people into revealing those passwords, have led to what the authors call a “widespread consensus” about the problems with passwords.

Alternative authentication techniques, such as two-factor authentication, are considered a major improvement over the use of passwords. Multifactor authentication requires additional authentication factors, the combination of each making unauthorized breaches exponentially more difficult.

“In certain circumstances, the FTC should start requiring better methods of authentication than mere passwords. The FTC has already laid the groundwork for such an approach and need only expand upon its theories requiring companies to be responsive to both online and offline attempts to compromise the integrity of user accounts," the paper said. "If the FTC is going to be a relevant player in the realm of data security, it must address flawed security measures even though they might be commonly used.”

The authors recommend the FTC strongly encourage the adoption of new authentication methods. A number of industry standards, including one by the National Institute of Standards and Technology, recommend levels of security ranging from one to four, with each one used in a higher-risk environment.

For example, the third level would require at least two authentication factors, including use of a token unlocked with a password or biometric input, and then requiring the user to prove through a separate authentication protocol that he or she controls the token used for access.

Credit unions are increasingly looking at enhanced security features, including biometrics like fingerprint identification, and facial and eye-print recognition. For more on this, read News Now's recent story, “CU Effect: Keeping members secure with eyes, fingers, faces.”