Hate Passwords? You'll LOVE This!

We all want security in our Internet dealings, and yet there is nothing so universally annoying as keeping track of all our user names and passwords -- unless, of course, it's going through airport security. But as someone who carries a corporate smartphone and laptop, I have to enter a password on an hourly basis just to use these basic tools and yes, I'm constantly irritated by that.

That's the environment into which Verizon Enterprise Solutions is actually hoping to bring even more security through a second layer, also called second factor of security. Say what? In addition to announcing availability of its cloud-based Identity Management System in Europe and updated mobile apps for iOS, Android, Windows, and Blackberry devices, Verizon is also adding another layer of security through biometrics or QR codes that goes beyond user names and passwords. (See Verizon Simplifies, Expands ID Management.)

Tracy Hulver, chief identity strategist at Verizon, admits additional layers of security can be a tough sell to folks who are already bad about tracking the user name/password requirements of multiple web sites. That's why the focus has been on how to boost authentication without adding complexity.

The reality is that most security breaches -- 76 percent, to be exact -- occur when user name/password credentials are either too weak or are stolen, enabling the bad guys to gain access to critical information. In the era of expanding online commerce and collaboration, not to mention mobile BYOD and cloud-based services, more of that critical information is networked and thus potentially exposed.

What Verizon is hoping to do through a cloud-based ID management service is replace costly and clunky hardware security tokens with a flexible approach to a second factor that uses either QR codes that can be sent to a mobile phone or a secondary security code that can be sent via text message or a phone call.

The idea is that a consumer or an employee would need to use this secondary layer of security before accessing online information that could include government websites, health care records, corporate information and databases, or even online transactions.

The QR codes could be scanned by the individual's smartphone, but if that option wasn't available, the temporary code could be sent via any of a number of delivery methods -- text, email, or phone -- in sequence until it is received. As a cloud-based service, Verizon's ID management would handle the complexity of which solution is to be used and ensure that the second layer of security is implemented.

Smartphones with biometrics, such as the newest Apple iPhones, offer another alternative for second-factor authentication, says Hulver. But those are still limited in deployment and have yet to be proven reliable. There may be false negatives over time after the phone has been in use, for example.

As more of the critical things we do, including managing personal or government loans, banking, education, healthcare, and e-commerce, happen online, adding security to that process seems inevitable. Ultimately, Hulver says, true security and ease-of-use will lead us to universal IDs, which can be used across a number of platforms but will be managed by one entity. Verizon would love to be that entity and is currently working to have such a system in place that is device and service independent. (See Feds Approve Verizon Credential Service and Verizon Earns Fed's OK for Digital Credentials.)

That might smack of Big Brother to some, but it also means a level of convenience that we don't enjoy today, when every new site seems to have different requirements for user names and passwords and just keeping track is a daily challenge. It also doesn't mean we all won't continue to whine about the hassle of meeting security requirements, even as we insist our institutions keep us secure.

— Carol Wilson, Editor-at-Large, Light Reading

Phil_Britt 10/18/2013 | 10:44:08 AM
Dual Layer Security
Passwords typically aren't secure because the user uses something like "password," "1234" or something else that can be easily guessed. So such a password doesn't stand a chance standing up to a hacker.

Financial institutions have used dual layer security for years. Any additional security might be a hassle for users, but the harder security is to crack, the more likely the hacker will opt for other potential victims.
Kruz 10/17/2013 | 5:39:52 PM
Re: Just ask the NSA
Online passwords are also matched against a password stored over the cloud. If we trust the website for keeping the password, we might as well trust a cloud based security offering.
Kruz 10/17/2013 | 5:37:56 PM
Re: And now the consumer view
I presume the QR codes are temporary as well?

Working at a multi-national and having more than 30 internal intranet sites with different usernames and passwords, I had to use a password manager (as per NSN policy). The software was accessible through a fingerprint scan and the software was able to fill in the credentials for the needed site - that proved to be very handy and extremely user friendly and I would recommend that.
tiger_lily 10/17/2013 | 2:42:03 PM
Password Manager instead
I really like the idea of having a 2nd factor authentication, but what happens if you are traveling and don't have access to your phone to receive the QR? I've been using Passwordbox (there's an app and a version for your desktop) to manage my passwords, and I'm really happy with it. It logs me in to my accounts without having to type in my username and passwords and instantly syncs so I have all of my info wherever I am.
mendyk 10/16/2013 | 4:23:59 PM
Re: And now the consumer view
A piece of scrap paper on the desk works. It's more secure than anything stored on a device or (shudder) in the cloud, and it costs less than a password book.
DanJones 10/16/2013 | 2:55:44 PM
Re: What security?
What *is* exactly though?
Sarah Thomas 10/16/2013 | 2:30:35 PM
Re: And now the consumer view
I agree that remembering all these passwords can be annoying and hard to do. I end up resetting my password on some sites daily when I realize it's not one of the 6 I rotate through. I like the idea of a centralized place to manage them all, so long as it's incredibly secure. My dad keeps a list on his iPhone. Not the best plan, nor is a password book, I imagine.
sam masud 10/16/2013 | 2:06:56 PM
What security?
Aren't Verizon and fellow telecoms like AT&T and Google the same folks who are letting NSA sniff around all of our data?

Yup, my data might be secure from my co-worker and others, but it's not secure from my Internet provider and it sure as heck is not secure from the NSA.
derac7020 10/16/2013 | 10:30:55 AM
Just ask the NSA
Nothing says security like 'cloud based security'. Nothing in the cloud is 'secure'. We should know that by now.
Carol Wilson 10/16/2013 | 9:31:58 AM
And now the consumer view
I doubt any of the guys have noticed but as I peruse the goofy gift catalogs that arrive this time of year, looking for some annoying thing to send my in-laws, "password books" are now routinely included, replacing address books, it seems.

They come in various forms and flavors but most appear to be designed for page after page of specific user name/password combos for specific sites, most of them retail. 

As someone who uses the same customizable gibberish as a password for every site I shop, I found this surprising.

But then I suspect most consumers would be surprised by information such as Verizon's Data Breach report. Those stats could keep an online shopper up at night.