Published on November 03, 2020

Poor password habits have led to serious breaches over the years. According to Verizon’s latest data breach investigation report, over 80 percent of data breaches are tied to compromised passwords. That said, by no means are we approaching the end of the password era; in fact, passwords are still superior to emerging blockchain technologies and biometrics.

Biometric solutions are far from a panacea

Passwords are either entirely right or entirely wrong. Conversely, biometric solutions require a margin of error, which can be problematic. To give a relatively innocuous example, many people can open their relatives’ mobile phones through facial recognition applications. On a more sinister note, hackers from Tencent can access phones via fingerprint scanners in under twenty minutes. Likewise, for years, scholars have shown that it is possible to bypass fingerprint readers with 2.5D fingerprint spoofs. Put simply, biometrics are not immune to breaches, and most importantly, if biometric data is stolen, it cannot be replaced.

This isn’t mere conjecture, as we’ve already seen biometric breaches in the real world. Last year, web privacy company vpnMentor found that Suprema’s security platform, Biostar2, was compromised. According to vpnMentor, the breach exposed facial recognition and fingerprint records for over 1 million people. Suprema had saved exact copies of users’ fingerprints, potentially compromising these individuals’ biometric information forever.

For companies like Suprema that store users’ biometric data, it’s wise to utilize blockchain technology to protect this data. Blockchain technologies have also been viewed as a suitable replacement for passwords in and of themselves; however, we are still years away from this.

We’re years away from a blockchain replacement

For years, whitehat hackers have suggested that blockchain distributed ledger technology (DLT) could replace traditional passwords. Several start-ups, such as Remme, already provide the service. Through the DLT model, devices are issued an SSL certificate, which is stored in a blockchain ledger (in Remme’s case, it’s Hyperledger Sawtooth). When a user attempts to log into an account, the user’s identity is verified by this technology. There is no centralized server or password database, which theoretically means that bad actors are left without a central point to target.

In theory, this emerging technology sounds great; however, it does not come without a cost. As computer scientist Nina Polshakova has shown, storing even 100 passwords on the Bitcoin blockchain ledgers can be extremely expensive. Moreover, according to Gartner, blockchain technologies are entering the “trough of disillusionment” section of the Hype Cycle, and most enterprises are still approximately seven years away from employing such technologies in a way that is operationally scalable. Additionally, some enterprises are wary of blockchain enterprises, as many crypto service providers have been mired in scandal.

As a caveat, several rather promising companies have appeared on the scene. The Sydney-based non-profit Tide Foundation is pilot-testing a technology that involves “splintering,” which is essentially a more complex version of hashing. Through splintering, passwords are broken up into small pieces and stored via a decentralized blockchain; every password is “splintered” to at least 20 nodes on Tide’s public blockchain, making these passwords 14 million times more difficult for hackers to access.

Their splintering technology has proven to be quite resilient. Despite 6.5 million attempts last year, no hackers were able to conduct a successful dictionary attack on a dataset protected by Tide’s technology. The non-profit intends to keep this technology open-source and to release it later this year for commercial use. Although Tide’s new technology sounds promising, it remains to be seen whether it will be adopted by mainstream enterprises.

Conclusion

Although passwordless authentication options are gaining prominence, there’s a reason why we’re still using passwords 60 years after their inception: they’re effective. Unlike biometric data, passwords are either definitively right or definitively wrong. With passwords, there is no ambiguity. Most importantly, passwords can be easily replaced if they are compromised. Biometric data—irises, faces, or fingerprints—can never be replaced in the event of a breach. Lastly, despite the strong work put forth by companies such as Remme and the Tide Organization, it remains to be seen whether such emerging technologies will see mass adoption.

John Donegan

Enterprise Analyst, ManageEngine

John is an Enterprise Analyst at ManageEngine. He covers infosec, cybersecurity, and public policy, addressing technology-related issues and their impact on business. Over the past fifteen years, John has worked at tech start-ups, as well as B2B and B2C enterprises. He has presented his research at five international conferences, and he has publications from Indiana University Press, Intellect Books, and dozens of other outlets. John holds a B.A. from New York University, an M.B.A. from Pepperdine University, an M.A. from the University of Texas at Austin, and an M.A. from Boston University.
