
Re: None

Sunday, 10/14/2018 10:14:44 PM


Post# of 249571
We're killing off passwords. But are we ready for what will replace them?

https://www.zdnet.com/article/were-killing-off-passwords-but-are-we-ready-for-what-will-replace-them/

Getting rid of passwords is a good idea, but we need to think through the consequences of the most likely replacement, too.

Tech security people hate passwords because resetting forgotten passwords is the most tedious job in the world, and also they know everybody else is terrible at password security anyway.

The rest of us don't like passwords much either, mainly because the security people won't let us use our old favourites like 1234 or pa55w0rd. And we don't like having to remember complicated passwords, so we write them down on a piece of paper, and then lose it. And then we have to go and ask nicely for tech to reset the password. Again.

Nobody likes passwords. Apart from the hackers who find them, steal them or crack them with ease, that is. That's because passwords are still the keys to the kingdom in many cases; once a crook has them, there is often little else to stop them doing what they want.

Insecure, annoying, expensive -- passwords would have been got rid of long ago except that the fundamental concept is easy to implement and easy to understand. But the end of the password is finally coming into view.

Most applications now offer some kind of two-factor authentication. The idea is that using something you know, like a password, plus something you have, like a code generated by an authentication app on your smartphone (or, less securely, from a text message sent by an app), is better than a password alone. That's a positive step which should help reduce the most basic (though highly effective) security breaches which often start with people being tricked out of their passwords by phishing emails.

So what about the next step? Here smartphones are well ahead of the PC world, by using biometrics -- fingerprints and facial recognition -- as the standard way to log on. Something you have is replaced with something you are.

Tapping a digit on a fingerprint reader is much quicker than typing in a passcode, and raising a phone to your face to look at the screen, which also unlocks the device, is a totally natural motion. Expect this to be the way you access your PC and other devices in future, too.

Microsoft has already outlined how it plans to kill off passwords in Windows 10 using a combination of multi-factor authentication and biometrics via Windows Hello, a service it says is being used by more than 47 million people.

Earlier this year one UK bank said it was planning to trial allowing customers to access their accounts using their face or fingerprints using Windows Hello, and just this month the National Cyber Security Center, the UK's cyber security agency, updated its guidance to say that government organisations should use Windows Hello for Business as part of their Windows 10 deployments.

All of this is good from a security point of view no doubt, and the use of the technology has been sensible, with biometrics being stored securely and locally. Fears about biometrics being stolen are probably a bit overhyped but there is a genuine risk that large databases of biometrics could pose a serious security risk.

But I'm also wondering whether there will be a backlash at some point from users who are uncomfortable with making their physical bodies part of the authentication process.

I already feel a little nervous staring at my smartphone and hoping that it will recognise my face. Perhaps that's because I'm not sure what it means if my phone decides I am not me, and the slightly queasy doubt it surfaces: who gets to choose who I am?

There is also a danger that we risk making biometrics like our face or our fingerprints a standard form of identity without thinking about the consequences. Currently, few would be willing to see face or fingerprint become the standard way of accessing government services, for example. And those aren't the only biometrics we could use; what about your iris or your heart beat or your voice or your DNA? What does it mean to swap something private like a passport for something public, like your face? Where do we draw these lines? Who gets to choose what is used and when? Before we make the move to biometrics and wave passwords goodbye we need to have some good answers to these tough questions.

Increasing security is good, but understanding the consequences is important, too.

=================================================================
PIN numbers are easier than passwords, help prevent the effects of phishing attacks when combined with a second factor like the TPM (Wave VSC 2.0), are stronger than passwords when combined with the TPM as a second factor and are not lost like tokens or forgotten like passwords. If Windows Hello is being used by 47 million people then Wave VSC 2.0 as a very similar product has a very large market to be selling into except that Windows 7 is also a part of the Wave VSC 2.0 market!
==================================================================
https://www.wavesys.com/products/wave-virtual-smart-card










