Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

9/27/2012
04:23 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Mozilla Persona Aspires To Kill Passwords

Mozilla system promises Web authentication without site-specific passwords. User's browser will generate a cryptographic 'identity assertion' that expires after a few minutes.

11 Security Sights Seen Only At Black Hat
11 Security Sights Seen Only At Black Hat
(click image for larger view and for slideshow)
The password is dead, again.

Mozilla on Thursday said that its Persona Web authentication system, which eliminates the need to enter site-specific passwords at participating websites, has entered its beta phase and is ready for general deployment.

Passwords should have died long ago. No less than Microsoft chairman Bill Gates declared them dead in 2004. But as a Microsoft researcher noted last year, passwords still have a pulse.

"Despite countless attempts to dislodge them, passwords are more widely used and firmly entrenched than ever," said Cormac Herley, principal researcher in the machine learning department at Microsoft Research, and Paul C. van Oorschot, professor of computer science at Canada's Carleton University, in a research paper.

Were passwords to die, online security might improve. That's the theory anyway, if you assume that there's nowhere to go but up, that cybercriminals won't adapt, and that technology rather than humanity represents the weakest link in the chain. At the very least, the end of passwords would eliminate the possibility of having your password posted on pastebin.com following a data breach and having to explain to friends and colleagues why choosing "password" as your password seemed like a good idea at the time.

[ Read Google Autonomous Cars Get Green Light In California. ]

Like other single sign-on systems--and there are many--Persona promises to allow third-party websites to authenticate users without requiring them to ask for usernames and passwords.

"Instead of per-site passwords, Persona lets users log into sites with just two clicks after completing a simple, one-time process for each of their identities," Mozilla explains on its website. "This is safe, secure, and built on top of public key cryptography. Instead of a password, the user's browser generates a cryptographic 'identity assertion' that expires after a few minutes and is only valid on a single site."

Persona, says Mozilla, is easier to use than OpenID, another authentication system, because it is based on the user's email address rather than a URL generated by OpenID.

Email addresses have two distinct advantages. First, they're pseudonymous and thus provide more privacy than single sign-on systems used by Facebook and Google+, which require the use of real names. Second, they're subject to greater user control: Individuals can register and operate their own Internet domain, to more or less own their email identity. At services such as Gmail or Yahoo Mail, users cannot take their email address to another service provider if they're dissatisfied.

Persona's architecture also provides a privacy advantage. Whereas systems like OpenID require third-party websites to contact an authentication provider, Persona makes the user's browser the intermediary, passing credentials from the email provider to the third-party website. This exposes less website visit data to potential tracking.

There are benefits for businesses that adopt Persona, too. Mozilla's system provides developers with access to email addresses, enabling websites and app makers to contact their customers and eliminate the friction of soliciting an email address separately. Email addresses also play nicely with most existing login systems.

The problem with authentication systems is business buy-in. Online content and service providers might choose to integrate an authentication system like Persona, but they have tended to avoid doing so. A 2010 study conducted by the University of British Columbia's Laboratory for Education and Research in Secure Systems Engineering on the failure of single sign-on technology, A Billion Keys, but Few Locks: The Crisis of Web Single Sign-On, found that the among websites that could implement OpenID, the adoption rate was less than 0.02%.

The paper cites a number of reasons for disinterest in the technology: lack of business incentives, competitive concerns, usability, security, privacy, trust, and legal issues. The lack of business incentives for becoming a "relaying party"--that is, integrating an external authentication system--appears to be the biggest impediment to making single sign-on systems more appealing.

Although adopting a technology like Persona might have operational benefits, such as reducing password maintenance and recovery costs, doing so often doesn't have competitive benefits. Indeed, relying on an external authentication system might impose a competitive disadvantage if it deprives a company of potentially valuable user data or makes the company dependent on a potential competitor. The paper characterizes the situation as an "identity war" that "has been ongoing since the beginning of the Web" to build walls to keep customers and competitors apart. Imagine Google allowing users to sign in using a Facebook ID or vice versa and the problem becomes clearer.

However, Persona's association with Mozilla, a non-profit organization, might work to its advantage. Companies that might have balked at becoming reliant on a platform-based authentication system from the likes of hyper-competitive Facebook or Google could be more willing to trust Mozilla and its open Web ethos.

IDC analyst Sally Hudson characterized the issue as a balance among cost, convenience, and risk. "Consumers (or even corporate employees) will try to bypass or avoid using complex authentication mechanisms," she said in an email. "In a world where revenues are often driven by eyeballs and mouse clicks, anything that annoys or slows the consumer down in their quest to purchase a product or apply for a service is quickly discarded."

However, she cautioned, while anything is better than nothing when it comes to authentication, "there is no foolproof authentication method or standard on the market today."

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Intel Issues Fix for 'Plundervolt' SGX Flaw
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5252
PUBLISHED: 2019-12-14
There is an improper authentication vulnerability in Huawei smartphones (Y9, Honor 8X, Honor 9 Lite, Honor 9i, Y6 Pro). The applock does not perform a sufficient authentication in a rare condition. Successful exploit could allow the attacker to use the application locked by applock in an instant.
CVE-2019-5235
PUBLISHED: 2019-12-14
Some Huawei smart phones have a null pointer dereference vulnerability. An attacker crafts specific packets and sends to the affected product to exploit this vulnerability. Successful exploitation may cause the affected phone to be abnormal.
CVE-2019-5264
PUBLISHED: 2019-12-13
There is an information disclosure vulnerability in certain Huawei smartphones (Mate 10;Mate 10 Pro;Honor V10;Changxiang 7S;P-smart;Changxiang 8 Plus;Y9 2018;Honor 9 Lite;Honor 9i;Mate 9). The software does not properly handle certain information of applications locked by applock in a rare condition...
CVE-2019-5277
PUBLISHED: 2019-12-13
Huawei CloudUSM-EUA V600R006C10;V600R019C00 have an information leak vulnerability. Due to improper configuration, the attacker may cause information leak by successful exploitation.
CVE-2019-5254
PUBLISHED: 2019-12-13
Certain Huawei products (AP2000;IPS Module;NGFW Module;NIP6300;NIP6600;NIP6800;S5700;SVN5600;SVN5800;SVN5800-C;SeMG9811;Secospace AntiDDoS8000;Secospace USG6300;Secospace USG6500;Secospace USG6600;USG6000V;eSpace U1981) have an out-of-bounds read vulnerability. An attacker who logs in to the board m...