The Quest to Replace Passwords

Summary

Off the bat, the paper starts by noting the lack of standardization in how password protocols are evaluated. Many evaluations are too narrow, while others try for a generic, one-size-fits-all approach. The paper starts from the premise that every proponent of a specific method of authentication has different grading criteria, shaped by their specific environment. To standardize the grading criteria, the paper suggests 25 different factors, but does not assign a weight to each of these factors. The conclusion toward the end of the paper, after digging into some of the most popular authentication schemes, is that no scheme is truly perfect.

What I liked:

  1. Twenty-five very specific, actionable grading points, which set a standard instead of just saying that a uniform standard is needed in the industry

  2. I like the fact that they focused on the human-computer interface for security, as opposed to making this a very broad study of things like machine-to-machine authentication

  3. The study does note that it would be a bad idea to simply weight each point the same; it correctly notes that some features are more desirable than others

  4. The paper goes really in depth into the different sign-in methods that are currently offered and does a good job explaining the general benefits, but shies away from ranking

  5. The chart on page 11 was a good visualization tool to express the different benefits of a specific technology

What I didn’t like:

  1. The paper starts by pointing out how past grading criteria are too narrowly tailored or too generic; how does the proposal of 25 very actionable grading points not fall into the same issue the authors had with past studies?

  2. I feel the way the paper goes about the study is problematic because of the rating system: Quasi vs. Full vs. 0. I'm sure there are more in-depth ways to evaluate each of the 25 points. Maybe a 10-point scale?

  3. The study does not take any stance on how to rate systems, which I feel is a cop-out. "In our experience, “the journey (the rating exercise) is the reward”: the important technical insights we gained about schemes by discussing whether our ratings were fair and consistent were worth much more to us than the actual scores produced."

  4. In the paper's analysis of different authentication systems, they come across pretty big factors that are not covered in their 25-point grading scale. "We do note however that it requires identity providers yield some control over trust decisions and possibly weaken their own brand [28], a deployment drawback not currently captured in our criteria."

  5. The paper goes into depth about the drawbacks of each scheme only at the very end. I think they should make this more of a focus in the paper, because it really shapes the reasons why one scheme would be preferred over another in a specific use case

Points to talk about:

  1. What is the current industry consensus on the tug-of-war between security and usability?

  2. The paper assumes that the implementers of the protocol use best practices such as salting and hashing, "even though we know they often don’t." How much more effective are these 25 data points compared to just using salting and hashing correctly?

  3. Is it even worthwhile to create a generic, uniform approach to security, or is the targeted, narrow approach, which is more customizable, to be preferred?

  4. The study rates traditional passwords as scoring high in maturity because they are so common. What has the adoption trend looked like for alternative authentication methods?

  5. What is the biggest reason that traditional passwords have not been phased out yet?

New Ideas:

  1. Security vs Usability: How could information tied to a person's life be used in passwords? Would it be possible to have multiple passwords in the forms of questions that are distributed in various authentication servers with some serving as honeypots?

  2. How do new forms of identification compare to traditional passwords, e.g. the way you type: https://www.creditcards.com/credit-card-news/how-type-move-mouse-help-catch-fraudsters.php

  3. Is there a way to merge the best of both worlds from multiple password schemes? This is kind of addressed toward the end of the paper.

  4. Perhaps there should be a weighting rubric that depends on the desired outcome and the balance of security vs. usability vs. other factors a practitioner would like to fit in

  5. Could there be a standard third party, e.g. a government, to log users in using single sign-on?
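As an added illustration of the weighting rubric suggested in point 4 (not code from the paper or from this review), the script below keeps the paper's three-valued scale (Full / Quasi / None) but lets a practitioner pick category weights per deployment profile. It uses a subset of the paper's UDS criterion names; the weights, the two profiles and the per-scheme ratings are constructed for the example, not taken from the paper's table.

```python
from enum import Enum


class Rating(Enum):
    """The paper's three-valued scale: a benefit is offered fully, partially, or not at all."""
    NONE = 0.0
    QUASI = 0.5
    FULL = 1.0


# Subset of the paper's 25 UDS criteria, grouped by category (full list is in the paper).
CRITERIA = {
    "usability": ["Memorywise-Effortless", "Nothing-to-Carry", "Easy-Recovery-from-Loss"],
    "deployability": ["Server-Compatible", "Mature"],
    "security": ["Resilient-to-Phishing", "Resilient-to-Unthrottled-Guessing",
                 "Resilient-to-Leaks-from-Other-Verifiers", "No-Trusted-Third-Party"],
}
ALL_CRITERIA = [name for names in CRITERIA.values() for name in names]

# Category weights per deployment profile (constructed for illustration).
PROFILES = {
    "security-first": {"usability": 1, "deployability": 1, "security": 3},
    "consumer-site": {"usability": 3, "deployability": 2, "security": 1},
}

N, Q, F = Rating.NONE, Rating.QUASI, Rating.FULL
# Illustrative ratings (constructed, not the paper's table), one per criterion in ALL_CRITERIA order.
SCHEMES = {
    "password": dict(zip(ALL_CRITERIA, [N, F, F, F, F, N, N, N, F])),
    "hardware-token": dict(zip(ALL_CRITERIA, [F, N, N, N, F, Q, F, F, F])),
    "federated-sso": dict(zip(ALL_CRITERIA, [Q, F, F, N, F, N, N, F, N])),
}


def category_scores(scheme):
    """Mean rating per category, each in [0, 1]."""
    ratings = SCHEMES[scheme]
    return {cat: sum(ratings[c].value for c in names) / len(names)
            for cat, names in CRITERIA.items()}


def weighted_score(scheme, profile):
    """Weighted mean of the category scores under a profile, in [0, 1]."""
    weights = PROFILES[profile]
    cats = category_scores(scheme)
    return sum(cats[c] * w for c, w in weights.items()) / sum(weights.values())


def rank(profile):
    """Schemes ordered best-first under a profile; the order changes with the weights."""
    return sorted(SCHEMES, key=lambda s: weighted_score(s, profile), reverse=True)


if __name__ == "__main__":
    for p in PROFILES:
        print(p, [(s, round(weighted_score(s, p), 3)) for s in rank(p)])
```

With these ratings the hardware token wins under the security-first profile while passwords win under the consumer-site profile, which is exactly the use-case dependence point 4 argues for.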