Finding a Solution to Password Insecurity
Web site registrations are a prime target for thieves. If I can grab control of your domain name, I can perform all sorts of mischief: redirect all the traffic meant for your Web site to my Web site, intercept your email, grab control of your Facebook and Twitter accounts, and, with a little bit of social engineering, grab control of your bank accounts as well.
Passwords simply aren't secure; between them, the passwords 123456 and 12345678 accounted for 10 percent of those in use back in 2011. Bad passwords inevitably lead to the annoying and pointless admonitions to include capital letters, numbers, punctuation, etc., in passwords, which means that unless he uses a password manager, a user has to write those passwords down somewhere. And people tend to use these horrific passwords on multiple sites: Steal it from one and you've probably got access to others as well.
The next bad security idea was the "secret question." Forgive me, but I simply can't remember the name of my third-grade teacher. And if I should accidentally reveal that information on the Internet, or if someone digs it up through an old class photo, how does that question protect me? Even sillier is the new prechosen default PIN that every one of my vendors knows: the super-nonsecret last four digits of my Social Security number.
Better yet would be a password that no one knows, not even me. My bank uses a one-time password: The bank calls me on my designated cell phone when I need to authenticate a log-in from a new computer. This verifies that the person who possesses my cell phone is attempting the log-in; woe to me if I try to log in someplace where my cellphone service is unavailable.
We call this procedure two-factor authentication. Two separate factors (log-in/password pair and separately generated password) must be present in order to log in.
More state of the art is my domain registrar. One-time passwords are based on a shared secret that—once we agree on the secret—is never again transmitted between us.
Here's how it works. The registrar generates a nice-sized random number and sends it to me. I scan that random number into a program that runs on my smartphone. If I fire up the program, it displays a six-digit number, computed from a combination of the shared secret and the current time, only valid for 30 seconds.
Each time I log in, I must enter the current six-digit number. Unless a thief has gotten my log-in, password, and the shared secret, he can't impersonate me. If someone manages to get his hands on the six-digit number, it's only valid for 30 seconds. And since my smartphone computes that six-digit number, I don't even need cellular service.
I've skipped over something here: Even in this more high-tech version, this type of two-factor authentication only proves that the person who possesses the cellphone is attempting to log in. It does not prove that it is I, Moshe, attempting to log in. Regardless, two-factor authentication represents a big step forward in the gradual march toward no passwords at all.
The software to generate the shared-secret 30-second passwords is freely available in open source, meaning that the core technology requires no fees.
At first glance, this set-up constitutes another blow to speech biometrics: yet one more valuable service with no speech component whatsoever. But instead what we have is a terrific opportunity. Consider the shared-secret program running on my cellphone. The cellphone has a microphone—heck, my cellphone has speech recognition running on it. Now imagine that instead of typing my one-time password into the log-in screen of my computer, I speak it to the phone. Recognition of the number combined with biometrics authenticates me. If this can be done, we achieve three-factor authentication: something we know (password); something we have (the cellphone); and something we are (biometrics).
The hurdle is cost. My domain registrar pays nothing for the number generator on my cellphone: It's a free app from Google, and the registrar can use open-source software at its servers. Speech recognition and biometrics still cost a nice chunk of change, but I wonder what a forward-looking bank would be willing to pay. x
Moshe Yudkowsky, Ph.D., is the president of Disaggregate Consulting and author of The Pebble and the Avalanche: How Taking Things Apart Creates Revolution. He can be reached at speech@pobox.com.