Intelligent CIO Africa Issue 39 | Page 29

EDITOR’S QUESTION
Jonathan Knudsen, Senior Security Strategist at Synopsys

It was more than six years ago that the Defense Advanced Research Projects Agency (DARPA), a research and development arm of the US Department of Defense (DoD), issued a ‘broad agency announcement’ seeking research proposals for developing biometric authentication through analysis of various activities and behaviours – keystroke patterns, mouse use, sentence structure and use of language – that add up to what the agency calls a ‘cognitive fingerprint’.

Those mechanisms go beyond ‘something you know’ (the password) and ‘something you have’ (a token or wearable) to an enhanced ‘something you are’ (biometric authentication such as fingerprint, voice, face or retina).

Implemented correctly, a user’s biometric measures are stored only on the user’s device. Passwords are ‘shared secrets’ that reside both on the device and on a server that, as we all know, can get hacked in various ways. To compromise biometric authentication, an attacker would need physical access to the device.

But between now and when passwords really do become as rare as phone booths, be sure to use a password manager, which holds all your passwords in a ‘container’ locked by a master key that only the user knows. That means all you have to do is create one really complex password that you can remember. The manager will also help you create unique passwords for new websites or apps.

Passwords are convenient for software creators but hard for humans to use correctly. Being human, we want to use the same password for every service, which is a terrible idea. We want to use passwords that are easy to remember, which is also a terrible idea. We see passwords as a hurdle that must be jumped before we can actually start getting work done.

Authentication, or proving identity, is always based on something you know, something you have, or something you are. Multi-factor authentication combines these. For example, a website might require you to supply a password (something you know) and also send a text message to your phone (something you have). Some apps these days will also rely on a fingerprint (something you are).

Passwords are definitely on the decline, as fingerprint sensors become widespread in smartphones, a variety of USB authentication devices (something you have) are available, and smartcards now function as a physical manifestation of a private cryptographic key. These newer authentication methods will be easier for humans to use correctly, as the security of a USB device, a smartcard or a fingerprint is much easier to understand than the problem of remembering a password, or knowing how to pick a password that is hard to guess.