It Begs The Question
Hey…I'm just saying… And while we're at it, why are you defending them?

The White House Gets Bad Advice On Security February 19, 2015

NO PASSWORD FOR YOU!


You may be familiar with the recent “news” that the “White House moves to ‘kill off the password’.” Here is just one link to the story:

http://thehill.com/policy/cybersecurity/222057-white-house-official-we-simply-have-to-kill-off-the-password

Others have proposed the same thing (not just the “White House”, whatever that means, but I’m reasonably sure it does NOT mean that the President has studied the issue personally and in depth and come to that conclusion). But is it really a good thing? I think not. It’s folly. The main reason is that it is antithetical to good, time-proven authentication principles and measures; in particular, by eliminating one of the 3 pillars of multi-factor authentication, it conflicts with maximizing your security.

 

Multi-factor authentication (MFA) is a method of computer access control which a user can pass by successfully presenting authentication factors from at least two of the three categories:

  1. knowledge factors (“things only the user knows“), such as passwords
  2. possession factors (“things only the user has“), such as ATM cards
  3. inherence factors (“things only the user is (something you are)“), such as biometrics

 

Requiring more than one independent factor increases the difficulty of providing false credentials. Requiring, or at least allowing, the user to take advantage of all 3 factors increases their security still further (much further!). This is a consideration that “Anti-Passworders” seem to be ignorant of! Even if the possession and inherence factors are in place, I would want the very significant extra security of also using the knowledge factor (password). Yes, it’s a little more effort, but isn’t it worth it to know that only you are in control of the doggy or kitty pictures on your Facebook account? I’m sorry… I meant to say Bank Account or Email Account.
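As an added illustration (not part of the original post), the sketch below counts satisfied categories rather than satisfied prompts, so a password plus a PIN still counts as a single knowledge factor. The account data, verifier names and the `authenticate` function are constructed for the example; the TOTP secret is the published RFC 6238 test key, and an inherence (biometric) verifier is left out.

```python
import hashlib, hmac, struct

SALT = b"constructed-salt"  # constructed sample value

def kdf(secret):
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), SALT, 100_000)

# Constructed sample account: two knowledge secrets and one possession secret.
ACCOUNT = {
    "password": kdf("correct horse"),
    "pin": kdf("4821"),
    "totp": b"12345678901234567890",  # RFC 6238 test key, held on the user's device
}

def totp(secret, at, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing `at`."""
    mac = hmac.new(secret, struct.pack(">Q", int(at) // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def check_secret(name, value, now):
    return hmac.compare_digest(kdf(value), ACCOUNT[name])

def check_totp(name, value, now):
    # Accept the current and the previous time step to tolerate clock drift.
    return any(hmac.compare_digest(value.encode(), totp(ACCOUNT[name], now - d).encode())
               for d in (0, 30))

# Verifier name -> (factor category, check function)
VERIFIERS = {
    "password": ("knowledge", check_secret),
    "pin": ("knowledge", check_secret),
    "totp": ("possession", check_totp),
}

def satisfied_categories(presented, now):
    """Categories proven by `presented`; one bad or unknown proof fails everything."""
    categories = set()
    for name, value in presented.items():
        category, check = VERIFIERS.get(name, (None, None))
        if check is None or not check(name, value, now):
            return set()
        categories.add(category)
    return categories

def authenticate(presented, now, required=2):
    # MFA means `required` distinct categories, not `required` prompts.
    return len(satisfied_categories(presented, now)) >= required
```

Raising `required` to 3 once an inherence verifier is registered gives the all-three-factors policy described above.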

Braveheart

They may give us possessions and they may use inherences but they’ll never take OUR KNOWLEDGE!

 

Wikipedia gives a good treatment of Multi-factor authentication

http://en.wikipedia.org/wiki/Multi-factor_authentication

Related Wired Magazine article that may interest you:

Court Allows Woman to Sue Bank for Lax Security After $26,000 Stolen by Hacker

http://www.wired.com/2009/09/citizens-financial-sued/

  • Glenn B. says:

    A little reasoning would go a long way here. How much did this “advice” cost?

    • Glenn Too says:

      Article says “Working with a $16.5 million budget…” Worthless at twice the price. Eliminating passwords is so simple. Just issue an edict that all passwords must be “secret-90210”. Some sort of effective security method would surely bubble to the surface. And we would never forget it because all we would have to do is google “what is my password.”

      btw this advice only costs $.02 (cheap at twice the price).
