This week the press is all agog about how Windows 8 is going to “securely” manage passwords. Win 8 will do this with LiveID, syncing passwords across multiple computer platforms, using “TrustedID” to authenticate the computer, and storing all your long complex passwords in the cloud or on your device. But the sense of security is still misplaced.
When it comes to security, multi-factor authentication is the first topic that comes up, and the factors are:
- Something you have. (Smart Card, token, etc.)
- Something you know. (Password, PIN or pattern)
- Something you are. (Fingerprint, iris scan, etc.)
So let’s break down the Win 8 strategy based upon these factors.
First, storing passwords on the device that you will be using to access applications, sites, servers, etc., is a violation of “something you have.” Something you have has to be a completely separate piece of hardware that is brought together with another piece of hardware. That’s why we use smartcards, tokens, dongles, etc. So synchronizing and Trusted ID add little to no security.
Second, jumping ahead to biometrics is the “something you are”. It does not matter if it is a fingerprint, iris image, facial recognition, voice print, etc. It is all digitally captured and turned into a bunch of 1’s and 0’s called a template. Capturing the template and doing a playback is a security risk, and storing your templates on multiple devices and sites increases the probability of theft. So off-computer or on-token matching is the best solution, which ties back into “something you have”. Finally, if you opt out of biometrics then you have also dropped one more authentication factor.
Third, by eliminating the first two factors, you are now down to single-factor authentication – the weakest security of all. Being left with the one password, “something you know”, to authenticate into LiveID is not secure. I have described in numerous blogs, articles and books how insecure user-generated passwords are and how easy they are for hackers to crack. Also, keyloggers, post-it notes and over-the-shoulder surfers make typing in passwords insecure.
Finally, the whole concept of having all my passwords stored on a single computer or on the web/cloud is very disturbing. It is these centrally located databases that are so attractive to hackers, because once they get in they have access to numerous accounts, and it makes no difference how long, secure or complex a password is because they will have the actual password in their possession. And there is another very valid concern: will the government or corporations also be able to collect my passwords through court orders without my knowledge?
Power LogOn® by Access Smart® has been delivering multi-factor authentication, smartcard-based password management solutions for years. Users are able to store multiple passwords on a single smart card, no passwords are ever stored within a computer that others can access or hack, and when the card is removed from the computer no critical logon data is left behind on the computer. If the card is lost or stolen, all the passwords are protected because the card authentication allows only a limited number of false entries before it is locked and needs IT assistance. From the user's perspective, a lost card is easily recoverable without having to change all your passwords.
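The on-card PIN check, retry counter and IT recovery path described above, modelled as an added example; this is not Power LogOn's own code, and the three-try limit and PBKDF2 PIN hashing are assumptions standing in for whatever the real card does internally:

```python
import hashlib
import hmac
import os

class CardLockedError(Exception):
    """Raised when the retry counter has hit zero; only an admin unlock clears it."""

class PasswordCard:
    """Model of an on-token password store (assumed design, not Power LogOn's):
    the PIN is compared on the card, each failure decrements a retry counter,
    and the stored passwords are released only after a successful PIN check."""

    MAX_TRIES = 3  # assumed limit; on a real card this is a policy setting

    def __init__(self, pin: str, credentials: dict):
        self._salt = os.urandom(16)
        self._pin_hash = self._derive(pin)
        self._tries_left = self.MAX_TRIES
        self._credentials = dict(credentials)  # lives only inside the card model

    def _derive(self, pin: str) -> bytes:
        # PBKDF2 stands in for the card's internal PIN verification
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 100_000)

    @property
    def locked(self) -> bool:
        return self._tries_left == 0

    @property
    def tries_left(self) -> int:
        return self._tries_left

    def get_credentials(self, pin: str) -> dict:
        """Release the password set, or fail and burn one retry."""
        if self.locked:
            raise CardLockedError("card locked: IT assistance required")
        if not hmac.compare_digest(self._derive(pin), self._pin_hash):
            self._tries_left -= 1
            raise PermissionError(f"wrong PIN, {self._tries_left} tries left")
        self._tries_left = self.MAX_TRIES  # a correct PIN resets the counter
        return dict(self._credentials)

    def admin_unlock(self, new_pin: str) -> None:
        """IT recovery path: set a fresh PIN and reset the counter;
        the stored passwords themselves do not need to change."""
        self._salt = os.urandom(16)
        self._pin_hash = self._derive(new_pin)
        self._tries_left = self.MAX_TRIES
```

The host never sees the PIN hash or the password set until the card has verified the PIN, which is the property that makes the card rather than the computer the "something you have".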
Users' passwords need to be de-centralized and always in the possession of the user. Power LogOn is being used by individuals, small businesses, and large enterprises. So don’t wait for Windows 8 thinking you can then securely manage your passwords; implement today and protect your data. Complex passwords are recognized as the way to secure accounts. Power LogOn allows businesses to securely manage all those passwords and puts IT back in control of logon security.