DSCI Working with FIDO Alliance to Eliminate Passwords
Organizations Meeting with CISOs to Understand Local Requirements
In an effort to boost the use of stronger authentication, the Data Security Council of India has entered a partnership with the FIDO Alliance, a global not-for-profit industry consortium that promotes authentication without passwords.
Verizon's 2017 Data Breach Investigations Report found that 81 percent of hacking-related breaches in 2016 involved weak, default or stolen passwords.
"Over a period of time, passwords should be completely eradicated," contends Ramesh Kesanupalli, FIDO Alliance's co-founder. "We are showing the world how it's possible to secure your data without the use of passwords."
FIDO has also launched the FIDO India Working Group, which will work with local partners to understand the Indian ecosystem and devise authentication methods that meet local needs (see: Aadhaar Authentication for Banking: Is It Premature).
But some security practitioners in India question whether it's wise to eliminate the use of passwords, suggesting pairing them with other forms of authentication might be the most pragmatic approach.
The Password Problem
FIDO, or Fast IDentity Online, has created specifications for a variety of interoperable authentication methods, ranging from biometrics to hardware tokens and mobile devices. Its specifications are based on public key cryptography.
When a user registers with a FIDO-compliant website, the user's device (the authenticator) generates a new key pair for that site: the public key is sent to and stored by the website, while the private key never leaves the device. Every time the user wants to log in, the website sends a fresh random challenge; the device signs it with the private key, and the website verifies the signature with the stored public key. Nothing secret is held on the server, so a stolen server database yields public keys rather than reusable credentials.
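The registration and login exchange described above, written out as an added example that is not code from FIDO, from the article, or from any vendor named here. It uses Go's standard-library Ed25519 and stands in for both sides with in-memory structs; the site name bank.example, the username alice and the look-alike domain bank-example.evil are assumptions. Beyond the basic exchange it also shows the two properties practitioners ask about: a captured signature cannot be replayed because each challenge is single-use, and a dump of the server's table gives an attacker nothing to sign with.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// RelyingParty stands in for the FIDO-enabled website. It holds only public
// keys and the challenge last issued to each user: nothing here lets someone
// who dumps the database log in.
type RelyingParty struct {
	id         string                       // assumed site identifier, e.g. "bank.example"
	publicKeys map[string]ed25519.PublicKey // username -> registered public key
	pending    map[string][]byte            // username -> outstanding single-use challenge
}

// Authenticator stands in for the user's device. Private keys are created
// here, never leave, and are scoped to the site they were created for.
type Authenticator struct {
	keys map[string]ed25519.PrivateKey // rpID + "|" + username -> private key
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{id: id, publicKeys: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]ed25519.PrivateKey{}} }

// Register mints a fresh key pair for (site, user) and returns only the public half.
func (a *Authenticator) Register(rpID, user string) (ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID+"|"+user] = priv
	return pub, nil
}

// Enroll stores the public key the device produced during registration.
func (rp *RelyingParty) Enroll(user string, pub ed25519.PublicKey) { rp.publicKeys[user] = pub }

// BeginLogin issues a fresh 32-byte random challenge and remembers it.
func (rp *RelyingParty) BeginLogin(user string) ([]byte, error) {
	if _, ok := rp.publicKeys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.pending[user] = c
	return c, nil
}

// signedMessage binds the challenge to the site identity, so a signature
// produced for one site is not valid at another (simplified from the real
// FIDO signed data, which carries the RP ID hash and challenge inside it).
func signedMessage(rpID string, challenge []byte) []byte {
	h := sha256.Sum256([]byte(rpID))
	return append(h[:], challenge...)
}

// Sign answers a challenge with the private key held for (site, user). A site
// the device has no credential for gets nothing, which defeats a look-alike domain.
func (a *Authenticator) Sign(rpID, user string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[rpID+"|"+user]
	if !ok {
		return nil, errors.New("no credential for " + rpID)
	}
	return ed25519.Sign(priv, signedMessage(rpID, challenge)), nil
}

// FinishLogin consumes the outstanding challenge first, then verifies the
// signature with the stored public key; consuming it makes replay impossible.
func (rp *RelyingParty) FinishLogin(user string, sig []byte) bool {
	challenge, ok := rp.pending[user]
	if !ok {
		return false
	}
	delete(rp.pending, user)
	return ed25519.Verify(rp.publicKeys[user], signedMessage(rp.id, challenge), sig)
}

// Outcome records the result of each scenario in RunScenario.
type Outcome struct {
	Legit, Replay, Forged bool  // did the RP accept the login?
	PhishErr              error // did the device refuse the look-alike site?
}

// RunScenario walks through a legitimate login, a replayed signature, a forgery
// by someone who stole the server's database, and a phishing domain relaying the challenge.
func RunScenario() (Outcome, error) {
	var out Outcome
	rp, dev := NewRelyingParty("bank.example"), NewAuthenticator() // assumed site
	pub, err := dev.Register(rp.id, "alice")                     // assumed user
	if err != nil {
		return out, err
	}
	rp.Enroll("alice", pub)

	c, err := rp.BeginLogin("alice") // 1. legitimate login
	if err != nil {
		return out, err
	}
	sig, err := dev.Sign(rp.id, "alice", c)
	if err != nil {
		return out, err
	}
	out.Legit = rp.FinishLogin("alice", sig)
	out.Replay = rp.FinishLogin("alice", sig) // 2. same signature again: challenge already consumed

	if c, err = rp.BeginLogin("alice"); err != nil { // 3. attacker holds alice's public key only
		return out, err
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return out, err
	}
	out.Forged = rp.FinishLogin("alice", ed25519.Sign(attackerPriv, signedMessage(rp.id, c)))

	_, out.PhishErr = dev.Sign("bank-example.evil", "alice", c) // 4. assumed look-alike domain
	return out, nil
}

func main() {
	out, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("legit ok: %v, replay accepted: %v, forgery accepted: %v, phishing site signed: %v\n",
		out.Legit, out.Replay, out.Forged, out.PhishErr == nil)
}
```

Real deployments differ in two ways worth knowing before reading the specifications: the device signs a structured blob (authenticator data plus a hash of client data that includes the origin and challenge) rather than this bare hash-and-challenge concatenation, and the site identity check is enforced by the browser or platform, not by a string the server chooses.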
Given the widespread cyberattacks that have exposed passwords, some security practitioners are urging the use of other authentication methods, arguing that passwords have outlived their usefulness. "The password was the solution when IT was in its nascent stage," says Sethu S. Raman, senior vice president and chief risk officer at MPhasis, a Bangalore-based IT services company. "But the same security formula has been built to protect a technology which has evolved exponentially."
Sriram Natarajan, COO at the business processing services firm Quatrro Processing Services, notes: "Passwords and PINs are merrily shared by almost everyone with friends and colleagues and family. Anything that can be easily shared cannot be a reliable authentication."
The FIDO working group plans to speak with CISOs to understand the feasibility of biometric authentication in India.
Ashok Chandak, a member of the new working group who is senior director, global sales and marketing at NXP Semiconductors, says there's a need for a standards-based, interoperable approach to advanced authentication in India.
"With the FIDO framework, passwords are history. Only public and private keys are exchanged," he says. "Even if someone hacks the server, it doesn't have the database of the user ID and passwords."
A standardized approach to authentication is important in light of India's push toward digitization, says Vinayak Godse, senior director at DSCI. "There will be people who might not be literate enough to understand the nuances of passwords or one-time passwords," he says.
But Do We Still Need Passwords?
But some security professionals in India argue that pairing passwords with biometrics as a second factor is the best approach, because biometrics are not yet reliable enough on their own.
Characteristics of biometrics make it difficult to completely rely on them, especially when it comes to using them at every point of sale, contends Sanjay Deshpande, managing partner and chief scientist at FortyTwo Labs, an innovation center that focuses on developing next-generation cybersecurity technologies.
"Unlike passwords, biometrics, once lost, cannot be replaced. The information is sensitive, and hence shouldn't be used every time a transaction is made," Deshpande says. "In case biometric is used, one has to make every point of sale, data centre secure."
Another concern with relying on biometrics is the issue of "false positives" and "false negatives." Unlike password checks, which are exact, biometric matching is probabilistic, and the error rates become harder to manage as the database grows. "If the device has low resolution, cases of false positives increase," Deshpande says. That's why he argues that biometrics need to be paired with passwords to reduce the probabilistic element.
Felix Mohan, CEO at CISO cybersecurity, a cybersecurity consulting and advisory firm, contends the best approach is three-factor authentication. "I believe that biometrics along with passwords and device verification should be used as a three-step authentication," he says. "Solely depending on biometrics will only aggravate problems."