
Password Trends

In this video, you will learn about some of the important trends around passwords in the IdAM context.
We are seeing a move towards fewer passwords. So we’ve mentioned derived authentication. Here we can join together biometric identity authentication processes already in use on things like smartphones and local security domains to our enterprise and business-to-customer domains. So the Google example of some of the dangers around SMS that we’ve given, where the issuing of a SIM card could result in a second factor being compromised via SMS. We are moving far more towards things like soft tokens, so the use of SMS as a second factor, like we said, is deprecated. With derived authentication, though, where we see this used by banks or by third parties, you enrol the application on the device using your credentials for that service.
Once the application is enrolled, you can require a passcode to access the app, or you can trust the biometric authentication of the device. We can use derived authentication in the registration of soft tokens, where the mobile phone, your smartphone, is then trusted as a soft token for access to particular services. And increasingly, these soft tokens offer flexibility as to the type of deployment as well. So you can request that a user enters an eight-digit identifier that’s presented to the soft token, or you can simply push a notification that requests the user respond to accept or decline the notification. So very, very flexible.
The ability to revoke these also provides some strength. This is a kind of PKI-type infrastructure. And we see these rolling out in things like Apple Pay and Google Pay.
Services like Apple Pay and Google Pay typically have lower transaction costs than traditional methods. And this is partly because they state that they have a lower level of misuse. So with a bank pass, you need the bank card. Maybe in isolation, that’s enough. In some countries, the bank card and a signature is enough. In most countries, we need the bank card and a PIN number. For a mobile device, in order to authorise a transaction, you have biometrics. So the phone is now accessed using biometrics. You use your fingerprint or facial recognition in order to authorise a payment.
So these services have lower transaction costs, because they’re arguing that authentication using biometrics on a smartphone, something you have and something you know, or something you have (your phone) and something you are (biometrics), is a stronger model than a card and a PIN number. We also see wearable authentication, things like RFID for tailored access as part of an identity and access management solution. We mentioned the human implants of RFID. We’ve also seen the third-party management of credentials. So things like browser integration, LastPass, 1Password, where we have a password vaulting technology.
We need to, if we are using these, if we’re using Android or Apple to store our passwords, make sure that the technology is appropriately secured, and that our credentials are appropriately secured. Some of these, we’ve said, will store credentials in a hardware security module. Browsers typically will not do that; browsers will just store your credentials. They will cache them on the current machine that you’re using. So you could have all of your credentials cached on every single machine you’ve logged into, unless you actively log out. So key length and password length are important. The length dictates most directly the strength of the protection; each extra character grows the strength exponentially.
As with derived authentication, we’re starting to see, we’ve seen, some integration of checks against weak passwords, not just password complexity requirements. Examples of this include password vaulting technologies that integrate Have I Been Pwned and other password checking that look for the reuse of credentials and also for compromised credentials. So if you use a password vaulting solution and your credentials are stored in it, some of these will actually look to see whether your password has been found or your account linked to that service has been compromised. They can also tell you whether or not your password is weak, not just based on complexity, and we’ve discussed some of the problems with that, but also based on whether or not it has been involved in recent compromises.
So third-party credential management and pseudo single sign-on continue to grow, where we embed, we trust, our credentials to Apple or Android or to our browser, and they auto-populate the fields for us. RFID continues to become more popular. We are seeing a move to passphrases rather than passwords because of the need for length. So the desire to encourage complex passwords was very, very strongly driven by best practice, by guidance. Now what we’re seeing is that the focus is much more on the password length. And the recommendation is that we use a passphrase rather than a password. So we use a sentence rather than an individual word. And again, the wider integration.
Much of what we’ve looked at with cloud hints at that need for wider integration.
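The transcript above makes three concrete points that are easy to demonstrate in code: password length drives the size of the search space (each extra character multiplies it by the alphabet size), vaults increasingly check stored credentials for reuse, and they check them against breach data such as Have I Been Pwned without sending the password itself. The following Python is an added illustration written for this page; it is not code from the course, from FutureLearn, or from the Have I Been Pwned project. The breach "range" response it reads is a constructed sample embedded inline (the counts are illustrative), the `offline_range_lookup` function stands in for the real HTTP call, and the `min_length` policy of 12 is an assumed threshold, not guidance from the video.

```python
"""Added example: length-driven keyspace growth, vault-style reuse detection,
and a k-anonymity lookup against a Have I Been Pwned style "range" response.
Not course or HIBP code; the sample response below is constructed."""
import hashlib
import math
import string
from typing import Callable, Dict, List, Tuple

# Constructed, offline stand-in for the Pwned Passwords range API.
# The real endpoint, https://api.pwnedpasswords.com/range/<5-hex-prefix>,
# returns one "SUFFIX:COUNT" line per breached hash sharing that prefix.
# The counts here are illustrative, not real breach statistics.
SAMPLE_RANGES: Dict[str, str] = {
    "5BAA6": (
        "0018A45C4D1DEF81644B54AB7F969B88D65:1\r\n"
        "011053FD0102E94D6AE2F8B83D76FAF94F6:2\r\n"
        # suffix of SHA-1("password"), included so the demo finds a hit
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
    ),
}


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that is
    sent to the service and the 35-char suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text: str) -> Dict[str, int]:
    """Turn "SUFFIX:COUNT" lines into {suffix: count}, ignoring blank lines."""
    counts: Dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if line:
            suffix, _, count = line.partition(":")
            counts[suffix.upper()] = int(count)
    return counts


def offline_range_lookup(prefix: str) -> str:
    """Stand-in for the HTTP GET; answers only from the constructed sample."""
    return SAMPLE_RANGES.get(prefix, "")


def pwned_count(password: str,
                range_lookup: Callable[[str], str] = offline_range_lookup) -> int:
    """k-anonymity check: only the 5-char prefix leaves the client; the full
    hash is matched locally. Returns the breach count, 0 if unseen."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_lookup(prefix)).get(suffix, 0)


def estimate_alphabet(password: str) -> int:
    """Character classes present, taken as the alphabet an attacker must cover.
    This is a character-level view; a dictionary-word passphrase is really
    chosen per word, so treat the resulting bits as an upper bound."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c not in string.ascii_letters + string.digits for c in password):
        size += 33  # printable ASCII punctuation plus space
    return size


def keyspace_bits(length: int, alphabet_size: int) -> float:
    """log2(alphabet^length): each extra character multiplies the search
    space by the alphabet size, i.e. adds log2(alphabet_size) bits."""
    if not length or not alphabet_size:
        return 0.0
    return length * math.log2(alphabet_size)


def find_reuse(vault: Dict[str, str]) -> Dict[str, List[str]]:
    """Vault-style reuse check: each password used for more than one site,
    mapped to the sites sharing it."""
    by_password: Dict[str, List[str]] = {}
    for site, pw in vault.items():
        by_password.setdefault(pw, []).append(site)
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


def assess(password: str, min_length: int = 12,
           range_lookup: Callable[[str], str] = offline_range_lookup) -> dict:
    """Combine the checks. min_length=12 is an assumed policy for this demo."""
    count = pwned_count(password, range_lookup)
    bits = keyspace_bits(len(password), estimate_alphabet(password))
    if count:
        verdict = "compromised"
    elif len(password) < min_length:
        verdict = "too short"
    else:
        verdict = "ok"
    return {"length": len(password), "bits_estimate": round(bits, 1),
            "pwned_count": count, "verdict": verdict}


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(pw, assess(pw))
    # constructed vault: two sites share one password
    print(find_reuse({"mail": "Tr0ub4dor&3", "bank": "Tr0ub4dor&3", "forum": "other"}))
```

Running it shows the two sides of the transcript's argument: the eight-character lowercase password scores about 37.6 bits and is flagged as compromised because its hash suffix appears in the sample response, while the 28-character passphrase has no hit and a far larger character-level keyspace. To query the real service, replace `offline_range_lookup` with a function that fetches `https://api.pwnedpasswords.com/range/` plus the prefix; only the five-character prefix is ever transmitted, which is the point of the k-anonymity design.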

The trends covered in the video include the following:

  • fewer passwords
  • using derived credentials
  • biometric authentication

Reflect and share: Take a moment to reflect on how you are currently using passwords. What have you found most useful when building and implementing passwords in your context?

This article is from the free online course Cyber Security Foundations: Reinforcing Identity and Access Management, created by FutureLearn - Learning For Life.
