Passwords Are Not the Problem, Centralization Is

Enterprises set their own pace of innovation, and security is no exception. Information chiefs generally stick with username and password, keeping passwords the primary means of authenticating both consumers and employees. Passwords are not perfect, but they have authenticated users effectively for decades. In theory they should be more than enough: password systems are familiar to enterprises and users alike. It is no surprise that there is an appetite for their continued use, at least until their drawbacks on mobile and IoT devices become impossible to ignore.

When there is a major security incident, however, passwords are conveniently close at hand to take the blame, as if they had been used against their will. This is misleading. The true culprit in mass data breaches is the centralization of the credentials used for authentication; that those credentials happen to be passwords is almost incidental.

It’s not the credential type, it’s where credentials are stored

The flurry of mass data breaches traced to credentials has become a blizzard, with memorable nor’easters such as Equifax and now MyFitnessPal. (Equifax was entered through an unpatched web application rather than a stolen password, but what was taken was a central store of identity data; the pattern is the same.) Verizon’s Data Breach Investigations Report attributes more than 80% of hacking-related breaches to stolen or weak credentials. This makes it easy to blame passwords and creates an urgency to secure them better. As we have seen, hardening current password implementations has not slowed the pace of these incidents.

The common theme tying together the biggest security incidents involving passwords and other credentials is not the credential itself but where it is stored.

That list includes the incidents at Anthem, Equifax, Home Depot, LinkedIn, the US Office of Personnel Management, Yahoo!, and others. Enterprises hold every user’s credentials in one central repository, so when attackers breach that system, the loss is total.

The allure of a data library available for sale and reuse creates exactly the target that suits attackers’ wholesale theft model. No matter how vigilant we are or what prevention we apply to this large attack surface, current password implementations remain systems whose defining trait is a single point of failure.

Again, this is not a commentary on passwords, even though they are becoming an afterthought thanks to password-less features that are often tied, rather insecurely, to a central repository of passwords.

The OPM data breach saw 5.6 million sets of fingerprints stolen among 21.5 million records in total. Once biometrics are ubiquitous, breach after breach of centrally stored templates will be ruinous, because a compromised fingerprint cannot be rotated the way a password can. In such a scenario many users’ biometrics would have to be retired from future use, making authentication and payment authorization a nightmare for those affected, just as large service providers are rapidly adopting multimodal and multifactor biometric experiences.

Decentralizing sensitive data removes the target, disrupting the fraud model

We need to think differently if we want to disrupt fraud this destructive and on this scale. That means evolved thinking: removing the target, reducing the attack surface, and eliminating the single point of failure.

Here we can take inspiration from blockchain technology by distributing items of value across millions of endpoints. While identity is poised to be distributed on blockchain ledgers, the data used for authentication (biometrics, PINs, passwords, and bank cards) does not require a blockchain at all; it only needs to stay on the endpoint that uses it.

How novel is distributing authentication data onto consumer and employee endpoints? The thinking is not all that avant-garde when you consider that Mastercard already deploys such a system. In addition, some of the finest decentralized implementations are based on the open standards put forth by the FIDO Alliance, a consortium of the technology industry’s best and brightest. In the FIDO model the secret, a private key, is generated and kept on the user’s device, and the service provider stores only the corresponding public key.

Simply put, if an enterprise does not possess the data, then by definition that data cannot be stolen from it or lost by it. This holds whether the data is a password, a biometric template, a PIN, a bank card number, or any other identifier. Such data should be encrypted and isolated on the end-user device and verified there, locally, with public-key cryptography providing the authentication channel to the service provider: the device proves possession of a private key by signing a fresh challenge from the server, and the server keeps nothing but the public key needed to check that signature. Fraudsters will balk at moving from their wholesale model to a retail one in which they must go device to device to extract, at best, one credential each.
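The model just described, as an added example that is not part of the original article and is not Mastercard’s or the FIDO Alliance’s code: a minimal FIDO-style challenge/response written in Go for this edit. The key pair is generated on the device and only the public key is registered; the server issues a random single-use challenge, the device signs it together with the relying party’s origin, and the server verifies with the stored public key. Dump() shows what a breach of the server yields. The Device and Server types, the origin-binding message layout, and the user "alice" and origin https://bank.example are assumptions for illustration, not FIDO’s actual wire format.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Device is the user's endpoint and holds the ONLY copy of the private key.
// In a real deployment the key lives in a secure element, TPM or TEE and is
// unlocked by a local PIN or biometric match that never leaves the device.
// (Hypothetical minimal model for this example.)
type Device struct {
	priv ed25519.PrivateKey
	pub  ed25519.PublicKey
}

// NewDevice generates the key pair on the endpoint itself.
func NewDevice() (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{priv: priv, pub: pub}, nil
}

// PublicKey is the only thing the device ever exports.
func (d *Device) PublicKey() ed25519.PublicKey { return d.pub }

// Sign answers a server challenge. The origin the device believes it is
// talking to is folded into the signed message, so a signature obtained by a
// look-alike phishing site will not verify at the genuine relying party.
func (d *Device) Sign(origin string, challenge []byte) []byte {
	return ed25519.Sign(d.priv, signedMessage(origin, challenge))
}

// signedMessage is the assumed binding: SHA-256(origin || 0x00 || challenge).
func signedMessage(origin string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(origin))
	h.Write([]byte{0}) // separator so origin and challenge cannot run together
	h.Write(challenge)
	return h.Sum(nil)
}

// Server is the relying party. Its credential store holds public keys only,
// plus the outstanding single-use challenge per user.
type Server struct {
	origin     string
	users      map[string]ed25519.PublicKey
	challenges map[string][]byte
}

func NewServer(origin string) *Server {
	return &Server{origin: origin, users: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}

// Register stores the device's public key for the user. No secret is received.
func (s *Server) Register(user string, pub ed25519.PublicKey) error {
	if len(pub) != ed25519.PublicKeySize {
		return errors.New("bad public key length")
	}
	s.users[user] = pub
	return nil
}

// Challenge issues a fresh 32-byte nonce, replacing any outstanding one.
func (s *Server) Challenge(user string) ([]byte, error) {
	if _, ok := s.users[user]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.challenges[user] = nonce
	return nonce, nil
}

// Verify checks the signature against the stored public key and the server's
// own origin, then retires the challenge so a captured signature cannot be replayed.
func (s *Server) Verify(user string, challenge, sig []byte) error {
	pub, ok := s.users[user]
	if !ok {
		return errors.New("unknown user")
	}
	want, ok := s.challenges[user]
	if !ok || !bytes.Equal(want, challenge) {
		return errors.New("no matching outstanding challenge")
	}
	delete(s.challenges, user) // single use, whether or not the signature is good
	if !ed25519.Verify(pub, signedMessage(s.origin, challenge), sig) {
		return errors.New("bad signature")
	}
	return nil
}

// Dump is what an attacker walks away with after breaching the server:
// hex-encoded public keys, which cannot be replayed, cracked offline or resold.
func (s *Server) Dump() map[string]string {
	out := make(map[string]string, len(s.users))
	for u, pub := range s.users {
		out[u] = hex.EncodeToString(pub)
	}
	return out
}

func main() {
	dev, _ := NewDevice()
	srv := NewServer("https://bank.example")
	_ = srv.Register("alice", dev.PublicKey())
	ch, _ := srv.Challenge("alice")
	sig := dev.Sign("https://bank.example", ch)
	fmt.Println("login:", srv.Verify("alice", ch, sig))  // <nil>
	fmt.Println("replay:", srv.Verify("alice", ch, sig)) // error: challenge already used
	fmt.Println("breach yields:", srv.Dump())            // public keys only
}
```

Three things are worth noticing. Verify retires the challenge before checking the signature, so a captured signature is useless a second time. The server always verifies against its own origin, so a signature phished at https://bank-example.evil fails at https://bank.example. And Dump() contains nothing that lets its holder authenticate: an attacker with the entire server database still has to go device by device, which is the retail model the article describes.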

Too often, privileged data used for authentication finds its way out the door and onto the dark web. It is time we asked where that data was stored before the misuse of one credential grew into an enterprise-wide or even a national-security incident. Only with that basic question asked, and answered, will we reduce the frequency of mass data breaches that cost enterprises dearly and erode trust.