How to eliminate passwords? It can't be done

[steven36]

At the enterprise level IAM and SAML mitigate the password problem. Out on the civilian Internet our best attempts, mainly OAuth and OpenID, have fallen short. Passwords are a problem that will be with us for a long time.

Do you follow best practices for passwords on all your accounts? If you say yes, you're either lying, mistaken or using a password manager. It's impossible for human beings to follow best practices. Some of the key practices for passwords are:

• They should be long (maybe 10 characters or more)
• They should be complex, i.e. no dictionary words, even embedded, and a mixture of letters, numerals and, if allowed, punctuation
• Do not reuse one password for a different site
• Change passwords periodically

 

There, I'm sure I've missed some, but that's hard enough. Here are five long, complex passwords. Could you remember them? 4gaETMUpqO74 R4665qAtWnYN 3gMZq99YYOck CeRvsII90CZ7 DIQj5gGpx25r

 

I use a password manager, which I used to generate the list above. Nobody can remember even a few of those passwords, so password managers hide them from the user. But they're still there. They can still be breached and abused at the service end, although not reusing passwords will limit the scope of the damage. Furthermore, password managers are a hack. They scrape web pages and attempt to stuff usernames and passwords in the appropriate fields. It doesn't always work and workarounds are clumsy.

 

How could we actually eliminate passwords? IAM (Identity and Access Management) products, also known as Enterprise Single Sign-On, do the same thing in a different context. Once you authenticate yourself to the IAM, it will authenticate you to services, both in and out of the enterprise, with which a trust relationship has been established. These relationships are usually defined using XML-based standards SAML (Security Assertion Markup Language) and WS-Federation. In SAML, the parties are the Identity Provider and the Service Provider. For instance, your enterprise IAM (the Identity Provider) could use SAML to authenticate you to Google Apps or Office 365 (the Service Providers).

 

But SAML and WS-Federation are not practical options for unmanaged end user systems. The closest we have are third-party authentication from big-name companies like Facebook, Google, Microsoft, Twitter and LinkedIn. These authentication systems are generally based on a protocol called OAuth. For example, a job recruiting site might allow you to authenticate with LinkedIn and, as an added benefit, retrieve your job history and other profile information from your LinkedIn account.

 

OAuth in these cases is just a delegation protocol: it conveys authorization decisions by a service provider using web APIs. OAuth itself is not an authentication protocol. In the example above, LinkedIn is doing the authentication, using OAuth to allow the user to interact from a different site. If the distinction is confusing to you, you're not alone. A lot about OAuth is confusing and it's easy to implement badly and insecure implementations are not uncommon.

 

Another problem with OAuth is that it can be confusing to end users. Much like those permissions lists on Android, OAuth presents lists of what the site you're using will have access to from the authenticator, such as to be able to post on your Facebook wall. I know I think long and hard when I'm presented with one of these. OAuth UIs are also natural targets for phishing for your credentials for the authenticator; is that really Google asking for your credentials?

 

But even if there were no problems with OAuth, it's not a complete solution. Most sites don't want to delegate that trust to a third party, and lots of them won't trust some of the authenticators (e.g. Microsoft, Google) in particular.

 

Finally, there are biometrics. In theory, you should be able to use your fingerprint or face or iris or something else like that to log in to third parties, and some of this has become realistic with Apple's Touch ID and Windows Hello, but there are a lot of different potential biometrics and they're available on different platforms and it will be a very long time before a user could use biometrics to the exclusion of passwords.

 

Personally, I don't see a practical solution. A real solution would have to be easy to use (as enterprise IAM generally is) and secure. OAuth fails in some degree in both respects. If an authentication service were to come around that everyone respected, and which only provided authentication, that would be great. I just can't imagine who that would be. It's sort of been attempted before with OpenID, in that any OpenID service could be an authenticator, but that never caught on for a variety of reasons.

 

So no, I don't have a happy ending for you. I see password proliferation, password confusion and password breaches in our future as far as the eye can see. The best solution for now is a password manager, hack though it may be.

 

The Source

 

 

[RejZoR]

Only way to do it is from what I know using LastPass with two stage master authentication. LastPass, because it's the only password manager I'm aware of that can operate in 100% online mode, meaning nothing is ever stored locally on any computer. If you want to login, you need active connection to LastPass and being logged into the service.

 

While this means it may happen that Lastpass will be temporarily down and you won't be able to login to any webpages, it also means that if someone does get into your account somehow, if you notice it quickly, you can revoke the password and deny access to ALL stored passwords. Same if device gets lost or stolen and you can quickly revoke access before someone might pick it up and abuse its content. Most password managers store passwords locally and just sync them whenever they change, which means even if you revoke password, passwords on given device will still be accessible even without connection. So you'll have to change every single password by hand, because all will be compromised. In case of always-connected revocation of master password of Lastpass, you'll basically only have to revoke the master login to your passwords. Which is not only more secure but also more convenient. And with two way authentication, it's almost impossible to bypass it.

 

If anyone knows any other password manager that can do the same, let me know.