At this point, the consensus is clear. Passwords are a vulnerable and outdated security measure, and data will be safer once organizations and individuals progress to stronger forms of authentication. The problem is that it’s difficult to move people away from what they know. Tech insiders may be familiar with more effective technologies like biometrics and security keys, but many members of the general public cannot even conceive of a security framework predicated on something other than a secret string of letters and numbers.
That’s why the a recent study from the NIST was so concerning. The study looked at the password habits of young children, and revealed that children exhibit many of the same bad behaviors as their parents. People of any generation tend to reuse passwords, and share those passwords with their friends. In that regard, the study suggests that passwords are inherently flawed, at least to the extent that they incline people towards poor security practices.
The real issue is that the study shows that those practices are being perpetuated. Despite all of the attempts to raise awareness about other security technologies, passwords are still the primary security measure for another generation. The longer that goes on, the more that behavior becomes entrenched, which further delays the rise of passwordless authentication.
So how do you combat that problem? And what implications does the NIST study have for those working to get rid of passwords?
According to FIDO Alliance Executive Director and CMO Andrew Shikiar, the NIST’s findings do not necessarily change the task currently facing privacy and security advocates. He thinks the next generation will be fine because it’s easy to teach kids new tricks.
“People can have behavioral change. I’m less worried about kids than I am about adults because kids are very malleable, for better or for worse,” Shikiar said.
“Kids do what they’re taught. They don’t always do what they’re told, but they do what they’re taught, and they’re being taught by teachers who have been using passwords for all their lives.”
The problem, then, isn’t that kids are learning bad habits (though that’s obviously less than ideal), but that teachers are still passing on the same assumptions that they learned when they were younger. After all, most of us were raised with passwords, and recognize them as the thing that stands between our secrets and potential cybercriminals.
The upshot is that if you want to reach kids, you first need change the minds of the parents and teachers that have been entrusted with their care. Fix that problem, and the next generation will sort itself out in time.
“The education market isn’t always the most nimble, but there’s a good opportunity to not only practice better authentication habits today, but in doing so, to educate tomorrow’s users, the next generation, on practicing better login hygiene,” Shikiar said.
Of course, getting older people to unlearn their habits is easier said than done. Thankfully, Shikiar believes that it is possible to achieve that cultural shift with the proper messaging.
“At the end of the day, not entering a password is easier than entering a password, but people aren’t accustomed to that,” he said. You just need to find a way to convince people that the technology is safe in order to get them on board.
“How do you get people to choose to enroll a biometric?” Shikiar asked. “What’s the right terminology? What’s the right iconography? What does the user journey have to look like to get someone to enroll, and then utilize, a biometric authenticator versus a password?”
The fact that passwordless authenticators are so easy to use is ultimately what makes them easy to teach. In FIDO’s own research, people are initially reluctant to use biometrics. However, Shikiar indicated that the vast majority (97 percent) are eager to use the technology once they understand what is happening, and how it works. The market has also borne that out, most notably with the debut of Touch ID.
“Apple has proven that it’s possible to consumerize better security and better logins,” Shikiar explained. “When Touch ID first came out, people are like, why would I need to do that? I can just use my PIN code to unlock my phone. But all of a sudden people liked Touch ID. The mass consumerization of biometric technology on handsets, and the widespread acceptance of that as a preferred means to unlock, tells me that it’s not a huge leap to get people to go understand what I do to unlock is now what I do to log in. That’s a small leap.”
The challenge now is to build on that success. Passwordless technologies like security keys and biometric authentication are already sophisticated enough to deploy at scale. That means that public perception is the only thing slowing adoption rates. Companies like Samsung and Google followed in Apple’s footsteps with fingerprint sensors and facial authentication in modern smartphones, and a similar push could create a similar shift with other sectors and devices.
Ask for Permission
While changing adult minds can lay the groundwork for cultural change, it is not necessarily sufficient when it comes to protecting children. There are unique legal considerations when dealing with minors that aren’t there when dealing with consenting adults, especially when it comes to the collection of biometric data. After all, how can you use biometrics to verify a kid’s identity if that kid cannot give you permission to use that data in the first place?
To an extent, educators can sidestep the problem with technologies like security keys. Those kinds of device-based solutions may not be good for young children who are apt to lose them, but they can be effective for older students. For example, teachers could hand out security keys at the high school and university level, and the students could use those keys (instead of passwords) to log into shared computers, or to log into remote learning tools.
However, Shikiar believes that there is still a role for biometrics at any age. He drew a distinction between remote and local authentication systems, and argued that the latter can enable the safe use of biometric data for kids since it does not involve any data collection.
“I’d be fine with my kids using biometrics on a Chromebook as long as it was stored locally on that device,” said Shikiar, who has a 9-year-old and a 10-year-old of his own. “If they want to use biometrics, they should use the technology that’s built into devices that kids are using [to access educational materials]. Use local authenticators to let kids log in.”
As it relates to kids, local technologies minimize the legal exposure for tech developers because there is no database for hackers to break into, and the company cannot access or exploit the data for commercial purposes. The actual biometric data (whether it be a fingerprint, a faceprint, or some other modality) stays on the device, and remains in the possession of the individual who registered it. That also means that businesses do not need to ask for consent (even for minors), since they are not asking to see, store, or use any sensitive information.
For Shikiar, that makes it the only viable biometric authentication option for minor citizens. One of the main drawbacks of passwords is that they are stored in a centralized location, and server-side biometrics only recreates that problem.
“Even a strong password can be manipulated out of your hands. It can be stolen off a server,” Shikiar concluded. “Until we get rid of these server-side credentials, we won’t be able to break the cycle of credential theft, credential stuffing, and data breaches.”
Whatever the case, the simple fact of the matter is that the current generation of children is being raised online. They are gaining access to online services from a young age both at school and at home, and that means that their caretakers need to make sure that those outlets are as secure as they would be for an adult. The NIST survey demonstrates that parents and educators have not yet accepted that responsibility, and that needs to change if the tech industry wants to cultivate a truly passwordless society.
(Originally posted on Mobile ID World)