
Exploring the science and magic of Identity and Access Management
Wednesday, January 20, 2021

Passwords and Buggy Whips, Revisited

Identity, Information Security
Author: Mark Dixon
Tuesday, May 9, 2017
10:02 am

Eight years ago this month, I posted a short article on this blog entitled, Passwords and Buggy Whips.

Quoting Dave Kearns, the self-proclaimed Grandfather of Identity Management:

Username/password as sole authentication method needs to go away, and go away now. Especially for the enterprise but, really, for everyone. As more and more of our personal data, private data, and economically valuable data moves out into “the cloud” it becomes absolutely necessary to provide stronger methods of identification. The sooner, the better.

I commented:

Perhaps this won’t get solved until I can hold my finger on a sensor that reads my DNA signature with 100% accuracy and requires that my finger still be alive and attached to my body.  We’ll see …

So here we are.  Eight years have come and gone, and we still use buggy whips (aka passwords) as the primary method of online authentication.

Interesting standards like FIDO have been proposed, but are still not widely used.

I was a beta tester for UnifyID’s solution, which used my phone and my online behavior as multiple factors.  I really liked their solution until my employer stopped supporting the Google Chrome browser in favor of Firefox. Alas, UnifyID doesn’t support Firefox!

We continue to live in a world that urgently needs to be as rid of passwords as we are of buggy whips, but I don’t see a good solution coming any time soon.  Maybe in another eight years?

 

 

Seat Belts and Passwords … and Buggy Whips

Identity
Author: Mark Dixon
Wednesday, May 13, 2009
8:40 pm

I am honored that Dave Kearns mentioned my post about buggy whips in his second newsletter addressing why we need to replace the venerable password.  It’s nice to be recognized for knowing some arcane information about buggy whips.  And it is true that buggy whips are still around, even if relegated to a small market niche. 

However, the point we should emphasize is that buggy whips didn’t fall from grace because people didn’t like buggy whips.  They faded away because they became irrelevant.  It was far easier to use the accelerator in a car than to use a buggy whip to coax your horse to go faster.

Interestingly enough, one of the articles Dave referenced made essentially the same point.  Speaking of the three-point seat belt developed by Nils Bohlin of Volvo, William Ecenbarger remarked,

“It was so simple that a driver or passenger could buckle up with one hand.”

It was ease of use, not a technology-driven obsession with safety, that led to wide adoption of the seat belt.

I think we face the same thing with passwords.   Intellectually, it is simple to understand why we should get rid of passwords.   However, in practice, widespread adoption will be triggered more by ease of use than perception of safety.  When an easier method for authentication emerges, people will adopt it – not because it is safer, but because it is easier.  If that easier method is also more secure, voila!  We will have achieved our desired result.

But until ease of use makes passwords irrelevant, people will continue to use buggy whips or drive without seat belts.  How’s that for mixing metaphors?

By the way, I’m the kind of guy who always buckles up but resents the government telling me I have to.  Will it be the same with passwords?


 

Passwords and Buggy Whips

Identity
Author: Mark Dixon
Tuesday, May 5, 2009
4:24 pm

In his Network World column yesterday, Dave Kearns equated passwords to buggy whips.  Speaking of the draft release of a new paper from the National Institute of Standards and Technology (NIST) called the "Guide to Enterprise Password Management," Dave proposed,

"Maybe next they’ll draft guidelines for the proper use of buggy whips."

Dave later used even more forceful wording:

“Managing” a technology doesn’t make it a less unsafe technology.

Username/password as sole authentication method needs to go away, and go away now. Especially for the enterprise but, really, for everyone. As more and more of our personal data, private data, and economically valuable data moves out into “the cloud” it becomes absolutely necessary to provide stronger methods of identification. The sooner, the better. 

I agree that a better, easier-to-use and more secure method is needed.  I hate to manage all the passwords I use, and fear for the day that my password system is compromised.

The big question is, "Replace username/password with what?"

I personally like the use of secure certificates, as illustrated in Henry Story’s use of certificates in his demonstration iPhone app I blogged about recently.  However, the mechanism for distributing, installing and managing such credentials for ordinary computer users seems like a daunting task.  I also personally like the Information Card concept, at least for the conceptual metaphor it uses.  But that isn’t a raging success and this technique is certainly burdened by its own challenges.

Perhaps this won’t get solved until I can hold my finger on a sensor that reads my DNA signature with 100% accuracy and requires that my finger still be alive and attached to my body.  We’ll see …

By the way, the term "buggy whip," widely used to reference a technology or process displaced by a new trend or era, has morphed into a more sophisticated term, "carriage driving whip," used by the genteel "carriage enthusiast" set.  In fact, you can buy the nice little number pictured in this post for a mere $135.00 from Driving Essentials.  Just a fraction of the $495.00 you’d need to shell out for a genuine, German-made "Four-in-Hand Holly Whip with Leather Grip & 320cm Leather Lash".  It seems that buggy whips have not disappeared; they have their own niche market!

 

Why face recognition isn’t scary — yet

Identity
Author: Mark Dixon
Tuesday, July 13, 2010
9:52 pm

Thanks to Malisa Vincenti, leader of the LinkedIn Group Security & Technology – Critical Infrastructure Network & Forum, for highlighting the CNN article entitled “Why face recognition isn’t scary – yet.”


Much of the article was dedicated to describing the benefits and deficiencies of facial recognition software used by online services like Facebook, Picasa and iPhoto to make it easier for users to keep track of photographs.  Speaking of such functionality, Michael Sipe, vice president of product development at Pittsburgh Pattern Recognition, a Carnegie Mellon University spin-off company that makes face-recognizing software, said these types of photo programs are a response to the hassles of keeping track of growing digital photo collections.

"In general, there’s this tsunami of visual information — images and video — and the tools that people have to make sense of all that information haven’t kept pace with the growth of the production of that information," he said. "What we have is a tool to help extract meaning from that information by using the most important part of that media, which is people."

It is interesting that one of the most distinguishing attributes of a person’s identity – his or her face – is so difficult for computers to recognize.  We humans often say, “I can remember faces much better than names,” yet computers are just the opposite.  It turns out that a person’s smile, which may be one of the most easily remembered features of the human face (for us humans, at least), is the most difficult for computers to comprehend:

Anil Jain, a distinguished professor of computer science at Michigan State University, said it’s still not easy, however, for computers to identify faces from photos — mostly because the photos people post to the internet are so diverse.

Computers get confused when a photo is too dark, if it’s taken from a weird angle, if the person is wearing a scarf, beard or glasses or if the person in the photo has aged significantly, he said.

Smiling can even be a problem.

"The face is like a deformable surface," he said. "When you smile, different parts of the face get affected differently. It’s not just like moving some object from one position to another," which would be easier for a computer to read.

So … what will happen when this technology matures and makes the leap from family-friendly Facebook to real-life security or surveillance applications?

Marc Rotenberg, executive director of the Electronic Privacy Information Center, said the motives behind the technology are what worry him.

Governments and corporations intend to use facial recognition software to track the public and to eliminate privacy, he said, noting that automatically identifying people in public in the U.S., when they are not suspected of a crime, could be a violation of constitutional rights.

When facial recognition comes to surveillance cameras, which are already in place, "you’re no longer racing through iPhoto to figure out how many pictures of Barbara you have," Rotenberg said. "You’re walking around in public and facing cameras that know who you are. And I think that’s a little creepy."

I suppose this is like many other technologies – there is an abundance of positive applications, and the potential for terribly nefarious uses.

For example, if facial recognition can be used to identify  terrorists so they could be detained prior to boarding airplanes, we would generally think that was a good application. 

Similarly, if I could be granted entrance to my corporate office building or be logged onto necessary computer systems just by smiling (or frowning) into a camera, the building and computer systems might be more secure and the present-day use of passwords or ID cards might go the way of the buggy whip.

However, if an abusive husband used facial recognition software to stalk his estranged wife, or if the government successfully tracked every movement its citizens made in the normal course of events, we would generally think of those applications as negative.

I have a crazy habit of smiling and waving at security cameras I see in airports or banks or convenience stores. Who knows what is happening on the other side?  At the present level of today’s technology, I’m probably being recorded and not much more.  In a few years, however, the sophisticated software behind the camera will probably recognize Mark Dixon and report my antics to the NSA.  That will surely make me frown, not smile, when I wave to the ubiquitous cameras.

 

Identity Trend 2: Authentication

Identity
Author: Mark Dixon
Friday, October 2, 2009
10:57 am

This post is the second in a series of eleven articles I am writing about trends in the Identity Management industry. 

After all is said and done, Authentication continues to be right at the heart of Identity Management.  Determining whether the correct set of Identity credentials is presented, so a person or process can be granted access to the correct system, application or data, is critical to the integrity of the online experience.   Authentication is like the gatekeeper or enforcer who determines who gets in the door. 

  1. Demand for strong authentication is accelerating as the sophistication and sheer numbers of people who would defraud or damage online systems continue to grow.  More effort is being focused on just how to economically, but securely, implement strong authentication methods to protect confidential information.
  2. As the need for strong authentication grows, there has been considerable conversation about whether the pervasive use of passwords is headed for extinction.  Is the password really on its deathbed? In a Network World column posted earlier this year, Dave Kearns equated passwords to buggy whips.  In my response entitled Passwords and Buggy Whips, I challenged, “Replace username/password with what?”  Until we get wide acceptance of alternate methods, it is unlikely that passwords will join buggy whips in the dustbin of history.
  3. In a subsequent post entitled Seat Belts and Passwords … and Buggy Whips, I proposed that “until ease of use makes passwords irrelevant, people will continue to use buggy whips or drive without seat belts.”  The key issue dogging the industry is how to provide identity credentials that are so easy to use that the technically unsavvy majority can easily use them, while providing a level of security commensurate with the rising tide of online threats.

Recommendations:

  1. Assess what level of security is needed for different areas of your enterprise.  In some cases, authentication must protect high value information.  In other cases, less strong authentication may be appropriate.
  2. Seek to understand what your users need.  What methods are both secure and easy to use for them?
  3. Is the cost of strong authentication commensurate with the risk of data loss or compromised system access?
  4. What is the best combination of authentication methods to serve my user community and protect my business interests?

Many years ago, while involved in a large physical security project, we joked that you need to invest enough in your security system so it is cheaper to bribe the guard than to breach the electronic system.  The same principle may be true with Identity Authentication.

 

Digital ID World – Final Thoughts

Identity
Author: Mark Dixon
Thursday, September 17, 2009
11:14 am

I missed the final sessions of Digital ID World on Wednesday because of commitments in California.  Judging from the Twitter traffic, it sounded like some great stuff was discussed.

As a follow-up to my posts for Day 1 and Day 2, here are my top ten final thoughts about the conference (without the benefit of Day 3):

  1. Most Stimulating Information. Jeff Jonas’ discussion about using data analytics to discover space-time-travel characteristics of individuals was both challenging and disturbing.
  2. Newest Identity Concept. Phil Windley’s proposal to enable contextualized, purpose-based user experiences using the web browser as a point of integration triggers lots of new thoughts about extracting value from the Internet.
  3. Most Reinforced Notion. The Identity Management market is maturing.  Companies are seeking to learn best practices for getting the most out of their investments.
  4. Biggest Question in my Mind. How much validity should we place in Symplified’s claim that “Federation is Dead.  Long Live the Federation Fabric?”
  5. Most Enjoyable Networking Moments.  Meeting folks in person I have only met virtually beforehand.  In person wins every time.
  6. Most-asked Question.  Nearly everyone whom I spoke with asked me something about the Oracle acquisition of Sun.  That happened to be the easiest question for me to answer: “Until the deal closes, we are independent companies.  We must wait until then for details.”
  7. Best Trade Show Giveaway. An LED flashlight from Novell.  Incandescent bulb flashlights seem to be quickly joining buggy whips in the dustbins of history (except for special cases).
  8. Biggest Pet Peeve.  No power strips or WIFI were provided for attendees.  This severely limited note taking and real-time blogging.
  9. Most Entertaining Event.  No, not the parties.  It was the Chinese guy who drove my taxi to the airport.  He chattered non-stop for the whole trip about technology, Maryland, California, Utah, Idaho, Micron, Sun Microsystems, Oracle, potato chips, microchips, stock trading, traffic and dishonest taxi drivers.  What a hoot!
  10. Biggest Disappointment. The show seems to get smaller each year – both in the number of attendees and participating vendors.  Will it survive?

That’s my list.  What do you think?

 

links for 2009-05-14

General
Author: Mark Dixon
Thursday, May 14, 2009
2:00 am
 
 

Intel and McAfee: What Do You Think?

Information Security
Author: Mark Dixon
Friday, August 20, 2010
5:48 pm

Yesterday’s announcement that Intel would pay $7.68 billion for McAfee, Inc. triggered a couple of instant thoughts:

  1. McAfee has come a long way from when I first met founder John McAfee in the early 1990s in a small, cluttered office in Santa Clara.
  2. Intel/McAfee: What strange bedfellows!


According to the Wall Street Journal article where I first read the news, Intel executives were bullish (as they should have been, after laying nearly $8 billion on the table in a surprise deal).

“Intel executives argued growing security dangers require new measures, describing the acquisition as an essential step to design chips and other hardware that can protect systems better than software alone. …

“‘We believe security will be most effective when enabled in hardware,’ Intel Chief Executive Paul Otellini said in a conference call.”

In Yahoo press coverage, Mr. Otellini is quoted:

"Everywhere we sell a microprocessor, there’s an opportunity for a security software sale to go with it … It’s not just the opportunity to co-sell, it’s the opportunity to deeply integrate these into the architecture of our products."

BusinessWeek’s analysis was a bit less upbeat:

“Intel will have to persuade customers they need security in non-PC electronics in much the same way it has convinced businesses and consumers that they required chips that speed computing tasks or ensure seamless wireless connections.

“’Right now nobody is screaming for security in their cars and in their cell phones,’ said Gartner’s Peter Firstbrook.”

Forrester Research’s Andrew Jaquith was downright negative:

“What on earth does Intel expect to get for all of the money it is spending on McAfee? I’ve been scratching my head over this, and despite McAfee CTO George Kurtz’ helpful blog post, I am still struggling to figure this one out. …

“I see four problems with Intel’s strategy (at least as much as I can glean, so far):

  • Neither Intel nor McAfee are serious players in the mobility market …
  • Intel’s hardware platform strategy will not work. …
  • Intel doesn’t understand software. …
  • The security aftermarket will be very different on Post-PC devices. …”

What do I think?

  1. I agree that security at the chip level is part of an integrated end-to-end security chain that will be essential in the mobile market, especially as mobile devices are enabled for mobile payments and other high-value functions.
  2. I wonder why Intel had to buy a whole company to get the security expertise necessary to build in security at the silicon level.  Maybe McAfee has some diamonds in the rough hidden away in the R&D lab that will justify Intel’s big acquisition.
  3. This very visible acquisition highlights the critical need for Information Security, a topic that is near to my heart.

What do you think?

 
Copyright © 2005-2016, Mark G. Dixon. All Rights Reserved.