Contributors: Lisa Gryschuk
Have you ever forgotten a password? Maybe it’s time to finally forget our passwords for good…….
It happened again, for what feels like the 10th time this week, and it’s only Tuesday. I got the ever frequent and super frustrating message: Either the password or the login you provided is incorrect. Thinking that surely I must have made a slight keystroke error in my rush to login, I re-enter my login and password a little more slowly and with more precision. But no, it doesn’t work and the annoying message appears again: Either the password or the login you provided is incorrect. Now my heart starts to race and my palms start to sweat as I realize that I’ve forgotten my login/password!! I have fallen victim to… PASSWORD FATIGUE!!!
According to Wikipedia, the free encyclopedia, password fatigue is defined as follows:
Password fatigue is the feeling experienced by many people who are required to remember an excessive number of passwords as part of their daily routine, such as to logon to a computer at work, undo a bicycle lock or conduct banking from an automated teller machine(ATM). The concept is also known as password chaos or more broadly as identity chaos. [1]
Password fatigue may be caused by Memory Interference, a phenomenon that occurs in learning when new material clashes with already learned behaviour or memories. Statistics indicate that on average, a person now has to remember 19 passwords.[2] I currently have 58 logins and passwords registered in my password management software. I can’t even imagine what would happen if I ever forgot the userid or password to my password management software, I’d probably self combust.
Because of ever increasing password fatigue, studies have shown that users are becoming lax in their management of passwords and it is becoming more common for passwords to be reused, written down, to be comprised of family member’s or pet’s names and to be easy instead of complex. While passwords are commonly used as a prime security method, it appears that reducing reliance on passwords is the approach that we should be taking and we should be focusing on improving authentication technology.
In an ideal world, barring any technological blocks, are there any solutions that come to mind for eliminating passwords? Wouldn’t it be nice if the devices we needed access to could somehow identify us just by our mere presence? From the end-user standpoint, this would definitively be the best possible User Experience (UX), wouldn’t it? What could be simpler than standing next to your computer, tablet or even car, and having it unlock (assuming of course that it wouldn’t unlock for anybody else)? One can easily imagine the types of challenges that this idea poses. Nevertheless, while this ideal UX is not quite readily available, it may not be so far-off either.
For some time, research has been conducted to find ways to eliminate passwords and there was a real leap forward in 2012 with the creation of the FIDO Alliance. FIDO stands for Fast IDentity Online and is supported under the alliance by the likes of Google, Paypal and various other biometric and hardware device vendors. The goal of the FIDO Alliance, is to produce protocols that can be used to ensure several factors of authentication to increase security while at the same time improving the user’s experience. In 2014, the Alliance produced the Universal Authentication Framework (UAF)[3] and the Universal Second Factor (U2F)[4] standards. Many brands have since joined the FIDO family, proposing a wide variety of authentication devices and solutions based on the UAF and U2F standards.
The FIDO approach relies on two entities: a device client, which authenticates the user and issues an encrypted certificate, and a FIDO server, which validates the issued key. On the server-side, it is up to the various service providers to implement their own solution that conforms to the standards, but judging from the FIDO certification growth as shown below, the trend towards greater and greater adoption is accelerating:
Source: http://www.slideshare.net/FIDOAlliance/fido-certification
The list of certified providers currently includes Google, RSA, LG, Sony, Fujitsu, Lenovo and many others. While we continue to get closer to the ideal passwordless nirvana, almost all the FIDO devices that currently exist do rely on some kind of user interaction (the scanning of a fingerprint or a retina, taking a selfie, pressing a button, entering a code or pin, etc.). I am, therefore, excited to see the delivery of a cool product by a fellow Canadian company, Nymi™, that does not require user interaction.
Nymi has developed a FIDO-compliant personal device, the ‘Nymi band’, that reads the carrier’s heartbeat and uses it to authenticate the user. Nymi has indicated that a person’s electrocardiogram (ECG) is unique, and the Nymi band, a stylish bracelet, is essentially an ECG reader. HeartID™ is Nymi’s own technology that uses the wearer’s ECG and transforms it into a secure credential that can be used to unlock almost anything.
The Nymi band uses bluetooth and NFC radio to communicate to the device that needs to be unlocked. The interaction between the band and the device can be a FIDO U2F transaction. Although the Nymi band supports FIDO’s U2F, their exposed API can also be leveraged to interact directly with it. This opens up the gate to authentication paradise, as indeed, with a Nymi band, a user’s mere presence is sufficient to unlock enabled devices they try to gain access to. Drum roll, sound the horns!!
Nymi’s initial focus will be on Enterprise solutions, especially in the financial and banking sector with the announcement of interesting proof-of-concepts at some Canadian banks. I hope to see consumer facing solutions emerging in the next year or so. This opens-up a lot of interesting possibilities from an implementation standpoint too, possibilities I am quite excited about!
I am hopeful that with more advances in technology like Nymi, that password fatigue will soon be a thing of the past!