Following news that researchers at Carleton University in Canada have developed a ‘narrative authentication’ system that could put an end to the need to remember complex passwords, secure identity software provider Intercede is questioning whether the system is really more secure than the passwords it is trying to replace. While the concept of using your social footprint to validate and vet identity is interesting, the system is still reliant on single-factor authentication and therefore open to the same risks as passwords, such as guessing, dictionary attacks and answers based on public information. Furthermore, the process would be time-consuming and cumbersome, making it unsuitable for daily authentication.
“Identity matters. Being able to prove that you are who you say you are is critical in an online and connected world. Usernames and passwords are no longer good enough and it’s great that university research teams are working on alternatives. But for them to work they need to be secure, simple and quick to use; narrative authentication is likely to take some time, and frustratingly for users, they might not even remember the right answer,” said Allen Storey, Product Director at Intercede. “That’s not to say narrative authentication doesn’t have a place – it could work well for vetting identities either in instances of identity fraud or before issuing a credential – but for everyday authentication, this system will be too slow, and not necessarily any more secure than a password.”
Intercede believes that one of the biggest challenges to secure identity is that many people still consider that a simple username and password provide adequate protection, but these do not offer proof of a person’s identity and are easily lost, stolen or hacked. The best way to protect your online identity is with two-factor authentication – using something you have and something you know to prove your identity.
“We all already use two-factor authentication all the time through our bank cards and the Chip and PIN system – you need both to make a purchase or withdraw money from an ATM. What would be ideal is to bring the same level of ease of use and security offered by Chip and PIN to the world of identity. Imagine being able to enter a single PIN on your smartphone or tablet to gain access to all your online accounts, whether that’s your email account, online banking or social networking sites,” continued Storey.
Intercede’s MyID software is a complete identity and credential management system that enables organisations to create and use trusted digital identities for employees, citizens and machines. This allows secure access to services, facilities, information and networks from anywhere, on any device. MyID meets the highest government standards yet is simple enough to be deployed onto consumer devices such as smartphones and tablets. Critically, MyID provides an easy, convenient and secure alternative to passwords.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.