The post Cybersecurity Startup Verodin Wins Security Current’s Security Shark Tank® Palo Alto appeared first on Security Current.

Passwords are not a means of securing information.  Bill Gates told us this in 2004, but it’s 2016 now and this time, we really mean it.

Gates’ reasoning was that passwords were just insufficient to protect the growing information field and the privacy of sensitive information.  The problem now is not that passwords are insecure – they are indeed insecure – but no one cares.  The problem is password complexity.

Password complexity eliminated dictionary attacks, minimized the efficiency of brute force attacks, and made it difficult for someone to look over your shoulder and realize that typing “iloveyou” grants access to all the company secrets.

Password complexity — the all-powerful resolution to the enigma of password insecurity, the information security engineer’s best friend, the answers to Landau’s Problems and that which provides no fewer than 98 resolutions for Jay-Z — also made passwords so confusing that users can’t access their own data and every organization needs a secret question and answer function to actually bypass the password altogether.

Yes, that feature, which asks you to identify your mother’s maiden name instead of your complex password.  Your super complex password, which must be secure, that hard thought-out and impossible to remember version of “e.:g8=7s/hZ:8$W,” can be bypassed by typing “Smith.”

Oh, and everyone knows you wrote “e.:g8=7s/hZ:8$W” on that Post-it note under your keyboard.

As an industry, we love making things seem super-duper secure.  Every time I want to order a new pair of shoes or a fresh case for my iPhone (and I go shopping online at a WIDE variety of stores), I have to walk through a registration process with the vendor, set a complex password, provide my personal contact information, all before handing over my credit card number.

Another complex password to remember.  Another vendor storing my credit card data and protecting access to my information with a complex password.  Another secret-question login-bypass setup.

Why control everything?  Why should a consumer trust every single online retailer (and I repeat, there are a LOT of choices) when one known trustworthy source such as my phone manufacturer or a private security firm could protect everyone’s data and only share the vital pieces?

When I walk through Macy’s, I don’t get stopped along the way and invited to register my address in a guestbook before I try on the next pair of way-too-small-why-did-I-eat-so-much? jeans.  Why does Nordstrom, eBay, or Marshall’s need to know more than what their website analytics tell them about someone being online, browsing for an outfit?

To the dismay of writers for the next Mission: Impossible sequel, the answer isn’t an intrusive DNA scan, complex physical keys or subdermal electronic implants.  We have already attached ourselves to the technology we need for secure authentication, and without intrusive scans or any need for a local anesthetic.

Just like Gates did with the first Microsoft Windows, enabling users to drive an operating system with a magic pointer device named after a cute, squeaky little animal  (okay, maybe not cute), Apple has simplified logins to pressing your finger on a little circle on your phone.  The easiest and most effective biometric authentication application yet is Apple’s Touch ID authentication.  It’s easy.

Authentication and encryption are handled behind the scenes somewhere in Apple-land, and the likelihood of anyone forgetting their finger is, well, low.  A short and easy to remember PIN can be configured as a complement to enable future quick and effective two-factor authentication.

The complexity can hide away from “normal” users – consumers – so they can just use the Internet as a tool.  No more password complexity and no more hundreds of passwords to remember.  The authentication system can do its job, watch for suspicious behavior, and it would know why I tried to buy Arepas at 7am in Caracas when 10 minutes earlier I had ordered the next-size-larger jeans from Macy’s online using a computer, on my desk, in the office, in Denver.

We just need to apply this simple, user-friendly and unforgettable tool to other online and secure environments, offer degrees of security for various use cases, and you’ll never again need to write “e.:g8=7s/hZ:8$W” on a Post-it note or worry about someone guessing “Smith.”

The post And the Password Is…Password! appeared first on Security Current.

In this two-part Q&A, Morey Haber and John Masserini discuss the current and future state of biometrics. Industry thought leaders, Haber and Masserini address leading questions surrounding biometrics from the vendor and enterprise perspective.

In part one, Morey and John examined the possibility of biometrics as a replacement for existing authentication technology and discussed methods for using biometrics to augment existing solutions.

In this installment, Haber and Masserini continue their assessment of biometrics and other forms of adaptive authentication. They also examine the process for retaining and purging biometric data, and draw conclusions.

Q: What forms of biometrics are you considering? Fingerprints, facial recognition, infrared, retina, voice, behavioral, etc.?

Haber: While I have been focusing on fingerprints for this discussion, many other techniques exist for biometrics that can be successfully integrated into your security model. With any of them, all the considerations above must be considered and altered accordingly.

For example, if you plan to use a retina scanning device, rotation of the biometric data makes absolutely no sense. If you plan to use the facial recognition in Windows 10, the security of the hardware needs to be considered as well since you are potentially using a very pricey piece of camera equipment to perform infrared and visual identification.

Personally, I think fingerprints will be the primary deployment vehicle for most organizations, followed by esoteric techniques based on behavior (like keystroke monitoring of a password based on time and pressure) to augment current security mechanisms.

Masserini: Most biometric alternatives are too costly to implement on a wide scale, so fingerprints remain the choice de jure for general adoption. Facial or retina will likely only be used in selective, highly secure areas. I think 2016 will see a huge jump in the adoption of behavioral analytics to augment the existing enterprise controls.

Over the past eighteen months, we’ve seen a significant uptick in solutions which perform User Behavior Analytics (UBA) monitoring which can enhance the monitoring and alerting aspects of the existing security infrastructure. As these products mature and the models hit a consistently reasonable level of accuracy, we will likely be able to leverage their decision capabilities by incorporating them into the authentication process.

Imagine how seamless an authentication process would be if we were able to model a user’s behavior and immediately determine if we need additional credentials before allowing them to perform a specific function.

Q: What other adaptive authentication technologies could benefit from biometrics? Two Factor?

Haber: Biometrics can successfully augment almost any existing security mechanism if it is implemented with solid ergonomics, and physical security and encryption in mind. For example, having a fingerprint reader on a two-factor key fob sounds like an effective way to retrieve a key, if battery life and local biometric data is properly secured on the fob.

While mobile applications can replace this hardware (in lieu of a fob), the concept of tying multiple identification techniques together with dissimilar data types just makes the process of authentication more secure.

So consider how you add biometrics. An external USB biometric reader may sound attractive to add for access, but its simple theft can easily be used to retrieve a user’s fingerprint. Ergonomics and physical (above battery life) need to be considered when merging with existing solutions.

Masserini: Many of the newer biometric solutions allow for multiple templates to be created for each user, providing certain ‘randomness’ to the authentication process. Although admittedly a bit scary, imagine if we had ten legitimate passwords for each user ID.

We could use any of the passwords to login, but could never use the same one back-to-back, or perhaps the same one on any given day. While unwieldy with a username/password combination, it’s a perfectly feasible solution with fingerprint biometrics.

Another option is the use of multiple fingerprints (or biometrics) for basic authentication, providing an arguably strong form of identification. Models such as these not only make the user’s life simpler, but add a control not available in today’s password-centric world.

Q: Any additional thoughts?

Haber: For biometrics to succeed there will always be a need to add additional elements to verify a user’s identity. The more you can separate biometrics from a documentable authentication scheme, the more secure the system will be.

For example, take this concept, which I have yet to see implemented, called a Biometric Pin. The method uses a traditional secure fingerprint biometric reader, but has logic to require more than one fingerprint. A user selects 4 fingers to scan from both hands just like applying a pin. They then register them in their mentally defined order. I.e. Left Thumb, Right Middle, Left Middle, and Right Index.

The technique requires all four biometrics in the proper order (analogous to a pin) and only storage of these four fingers. The sequence of fingers, and which finger, is not known to the system and policy requires a new rotation every “n” days. In this scenario, biometrics alone could be used for authentication or authorization since it incorporates more elements than a single fingerprint and requires mental (difficult to document) knowledge of which fingers to apply and in which order.

While this suggestion is just a hypothetical example of how to implement secure biometrics, it illustrates that any single biometric technique alone will never be sufficient.

Masserini: While biometric solutions have a solid place in the enterprise, it’s more augmentative then disruptive. While we are still far from the replacement of passwords with biometrics, advancements in the biometric space will continue to challenge us to re-think how could better utilize such an approach.

I truly believe that Behavior Analytics will be a driving force in the next 24-36 months and will mature to a point where we can integrate their models into Adaptive Authentication solutions to truly make automated, intelligent decisions about needing additional credentials based on activity or action rather than the specific username.

I also believe that a well thought out implementation of biometrics stands to mitigate the weakness we currently face with passwords, albeit not by replacing them, but by giving us alternative means to verify users without overburdening them with additional passwords or tokens.

The post Point/Counterpoint: The Current State and Future of Biometrics – Part Two appeared first on Security Current.

In this two-part Q&A, Morey Haber and John Masserini discuss the current and future state of biometrics. Industry thought leaders, Haber and Masserini address leading questions surrounding biometrics from the vendor and enterprise perspective.

Q: Can biometrics replace any existing authentication technology today?

Haber: Yes, but there is a lot of work, and additional security, that is needed for biometrics to be a secure and viable solution. For example, biometrics should only be used for authentication or authorization but never both at the same time.

In addition, biometrics alone, without a pin or other verification media is insufficient. Furthermore, technologies need to evolve to ensure that a fingerprint alone cannot jeopardize the integrity of the system. Plus, security policies for storage, encryption, and even biometric rotation (like password rotation) need to be clearly defined and successfully implemented and enforced.

Masserini: The biometric industry has certainly matured over the past decade, providing several trustworthy solutions, but I’d rather say it’s a part of the maturation of authentication technology rather than a replacement of it. Most biometric solutions require a pin when used for authentication, and in reality, a pin is no more or less secure than a password.

The biggest challenges of biometric deployment are the delineation between authentication and authorization. Today’s authentication technologies combine both of these factors into a single action, rather than a deterministic view of identification versus action.

While it is feasible to deploy a biometric solution in the same manner, one must question why you would go through the effort and expense to only nominally increase security. By leveraging existing authentication technology along with a biometric solution, you can significantly enhance the control, while simultaneously making it easier for the user.

Q: When should biometrics augment existing solutions?

Haber: Consider any security model that it is easy to document or communicate. The authentication mechanisms for these security models are via paper, verbally, electronically, or even a text message. A username and password is a traditional example of this. Both strings are easy to document.

Biometrics is a great addition to this type of technology, or even using PIN codes, to ensure the proper identity is using this less secure authentication vehicle.

Masserini: I think a key point that needs to be made here is ‘authentication, not authorization.’ There are a number of easily adaptable solutions on the market that can leverage biometric authentication within the enterprise. The challenge comes when organizations who have typically taken an ‘all data is equally important’ position try to delineate between various access rights.

Let’s face it, when most people think about biometrics, they think it is just an ‘easy PC login,’ which is basically only moderately better than where we are now with passwords. To fully appreciate what a biometric solution can offer, organizations should separate the authentication process from the authorization process.

For instance, I may grant a device access to a network based on a biometric authentication, but lock them into a network or limit the devices capability until further authorization credentials are supplied – basically adaptive authentication. Now you need to get on the web? Perhaps the fingerprint is enough. Now you want to send an email? That requires a pin as well so I know you’re authorized to do so.

Biometrics can offer a great deal in enhancing the controls in the infrastructure, but only if deployed thoughtfully – otherwise, it’s fundamentally nothing more than a username/password control.

Q: When should biometrics never be used?

Haber: Biometrics should never be used alone for access regardless of authentication or authorization. Door locks are a perfect example of this problem. A stolen fingerprint can easily be manufactured to bypass the physical security of the device and compromise the contents behind the door. A second example is your mobile device.

A fingerprint is used for authorization and authentication in the case or logging in potentially access a financial mobile app pay. While this is not as risky as a biometric door look, since it assumes you have possession of the device, it represents and unacceptable risk for entities securing more information than just a consumer’s device, personal financials and information.

I would never allow an application on a mobile device that uses its local biometric system alone to ask sensitive data within an organization. There should always a second mechanism on top of that to provide the users identity.

Masserini: That’s basically asking ‘when should a password never be used.’ Biometrics and passwords are becoming fairly ubiquitous so it’s more of a question around what the risk is.

As stated several times already, one should never rely solely on a biometric alone as a method of strong authentication, but as a key part of a multi-faceted, multi-tier authentication architecture. For example, presuming the fingerprint reader on a mobile device is trustworthy, then sending that same device an SMS code for logging into a critical service doesn’t not provide the level of assurance required to say, process a six-figure wire transfer, however, it may be good enough to check email.
Upcoming Part Two:
In the next installment, Haber and Masserini continue their assessment of biometrics and other forms of adaptive authentication. They also examine the process for retaining and purging biometric data, and draw conclusions.

The post Point/Counterpoint: The Current State and Future of Biometrics – Part One appeared first on Security Current.