Arriving to work this morning, I’m locked out of my domain account again today and with this, I start to ponder the egregious failure of passwords as an authentication technique.   It is time to start thinking of something better.

Hit your favorite search engine with “Passwords suck” and you can be entertained for hours.  Entertained because lots of other people share your same frustration.  In IT spaces though, this is a sincere problem; passwords suck, they aren’t doing what we need and they ARE stopping users from doing what they need.  Here, insert “me” for “users”.  I don’t need to waste 15 minutes in the morning, every morning, unlocking my account, followed by a hour writing this here post…

Find the offending machine and fix it

Yeah, been there, done that.  Offending machine was in my office, identified by name and IP address and then turning it off for a day to prove it.  After purging it’s memory of passwords, I was still getting locked out, so I broke out the big guns and formatted the whole box.  Sure I had to reload everything, but hey, a fresh start is good once in a while.  No more remembered passwords!

Good for 2 weeks, now I’m locked out again and no, I haven’t changed my password.  Maybe they really are out to get me?   Let’s get back on track.

I do not pretend this is my IT org fault, it isn’t.  They are using the best technology that the industry has to offer – I say that this technology is woefully inadequate.  Since I’m part of the “industry”, I have only me to blame.   The first rule of leadership, everything is your fault…

Two factor and three factor

Here inside Citrix, we have 2-factor hardware tokens, with PINs.  We also use text passwords with the standard requirements for complexity rules.  This is kinda like “3 factor”.

Sure, two-factor devices and notably RSA have had some issues, but the idea of using 2 factor authentication actually works.  I have a PIN, which never changes and this makes it easy to remember.  As with all two-factor, I also have a hardware thing that I “have”.  Put them together and … pretty secure.

Inside the company, I mean once you’re in, we use passwords, just passwords.  Today I propose that passwords suck and that instead of using passwords, we should ALWAYS use 2 factor and … never use a password.  More importantly, we should never ask users to remember complex strings of characters at least 8 characters long, with capitals, lower case,  numbers and special digits and then tell them to not use the same password on more than one computer, or write it down!

Of course I wrote it down!  How do you think I remembered how to type it in!!

Biometrics

We can drop the password text and still have 3 factor by adding biometrics to two-factor authentication.  Here, I propose using blood type.  This isn’t guaranteed, but there are a lot of A, B, O, +, – combinations and this is yet another line of defense.  We will know that not only was the right PIN plugged in, but a user of the right blood type was the one that typed in the PIN.  See, we prick the finger at a random point while typing in the PIN and this means that the person who typed the PIN *IS* the right person.  Taking this further to add DNA recognition is only a matter of time.  🙂  Sure, fingers will get sore from all the pricking, but this is a small cost.

What is better

The answer is probably Smart Cards.  In a way, these are same as classic “key FOB” two-factor devices, only better.  Both work.  BUT, if I pass the smart card test, DON’T ask me to remember or enter a password.  It just isn’t worth the trouble! At least this is my feeling at the moment.  Do you agree?  Same true for two factor FOBs?  SMS Message systems?

Conclusion

I hope this can generate some good conversation.  I’m pretty well done with passwords, but in reality, I don’t have a better answer.  Nobody in IT does.  BUT, we need to start thinking in this direction because the current system … sucks.

Why hasn’t the world gone nuts on smart cards?  Has to be cost.  Will this change with Internet global federated identity, with a SINGLE place to authenticate and only ONE smart card to carry?

Not sure I want to be tracked that much, or be subject to a single place for denial of service.  Maybe passwords are the best answer.

Joe Nord