Monday, December 15, 2014

Being realistic about passwords

Ping Identity engineer: On second thought, passwords may be okay (FierceEnterpriseCommunications)
In the first part of a new discussion with Paul Madsen, a senior technical architect in Ping's office of the CTO, I first asked whether Ping truly did intend to resurrect the password as a viable mechanism by way of supporting FIDO 1.0.

Paul Madsen, Senior Technical Architect, Ping Identity: It's less a resurrection than just trying to be a little bit realistic about what FIDO does, and what it can do. Half of the FIDO specification set--U2F, specifically--pretty much assumes that there are still passwords in the mix. FIDO, arguably more so than killing off passwords, just mitigates some of their worst problems, particularly the risk of bulk compromise of the password database, as we see more and more.
Two things jump right out of this article. The first is the realistic treatment of the fact that passwords aren't going the way of the dodo any time soon. The second is that passwords that control access to databases of passwords are very different than passwords that control access to an individual account.

The big scores are database hacks.

See also:
FIDO is not the end of passwords (and that's OK) at the Ping Identity blog. It's well worth it.