Are Tricerion revolutionising passwords?
Most computer users would agree that passwords can be a real
pain in the neck.
In an effort to reduce the hassle of passwords some people
will try and standardise on one or two but inevitably end up with a handful
depending on what systems or services they are trying to access. Of course we,
the IT professionals, make it harder for users as we insist they create the most
horribly complex passwords imaginable, on the basis that no hacker could
possibly guess the secret combination of numbers, letters and cases being used.
The flaw to this allegedly secure password strategy is that
the more complex you make a user’s password the more likely they will be to
write it down. Many have tried password recall strategies that use pass phrases
or a similar approach but these are seen as an inconvenience by the users who
just want to log into the system and get working.
After all, the password “GkwI4%hs283$)” may excite a security
professional but it becomes a barrier to business for others.
When security becomes too visible it becomes obstructive and
is therefore inclined to be switched off or ignored. Think of the numerous
fingers that have been chopped off in factories by machines with their safety
guards removed—these got in the way of a user’s productivity and were
discarded with horrible consequences.
The IT equivalent of a discarded safety guard is the written
down password.
Secreted around the desk it can be found easily by those
with intent. Underneath a mouse mat is a common hiding place, just like a door
mat is used to hide a front door key. In fact the more secure a password
appears to be to an IT security professional the more likely that users will be
tempted to write it down. Research has shown around 40% of workstations
apparently have passwords written down somewhere. My experience would suggest
this is a conservative estimate.
Clearly something needs to be done, but what is this
something?
Based in the UK, Tricerion have come up with a rather intriguing solution to the password problem using
three products;
- SafeLogin for Web
- SafeLogin for Windows Enterprise
- SafeLogin for Windows Standalone
SafeLogin is designed to prevent account hijacking using
techniques such as phishing, shoulder surfing and keystroke logging.
Normally a user would authenticate themselves to a service
provider in a one way process. In a
mutual authentication architecture the service provider needs to authenticate
themselves back to the user to prove that the user is logging into the correct,
unadulterated site.
Mutual authentication relies on the user working out if the
service provider is all in order or has been hijacked by a third party. Clearly
this is not always reliable due to the sophisticated nature of these attacks—in many cases even an IT security professional would find it hard to determine
if the site was the original or not on first glance.
With the Tricerion SafeLogin approach login credentials
can’t be entered into a fake site as user authentication is managed by an
external resource that acts as an independent credential checker for both
parties in the equation. Tricerion call this triangulation as this service
forms the third part of the user and website triangle.
So far so good.
The really interesting part of the Tricerion story is the
use of picture passwords.
The core premise of picture passwords is that people are
more inclined to remember pictures than text. This is called the “picture
superiority effect” and has apparently stood up to 50 years of investigation by
psychologists. In making the transition from conventional passwords to pictures
users were found to be making fewer errors after a bit of practice.
The use of pictures also makes the sharing of passwords very
difficult. Let’s see why.
The user is issued with a password that comprises a set of
images. The number and type of images can be set by the service provider. For
example;
This could be remembered by a user as
chapel/chair/coffee/world.
When presented with a login screen the user selects their
pictures on the screen the same way in which they would select numbers or
letters in a conventional password login screen.
Sharing of passwords is made more difficult as
chapel/chair/coffee/world can describe any number of types of
chapels/chairs/coffees or world each of which appear different. In fact the
Tricerion picture bank has 160,000 images that provides a library of password
icons. Organisations can decide to use these pictures or provide their own “house
style” of images.
By being released from the conventional alphanumeric password
characters the combinations of different picture types is, for all intents and
purposes, limitless.
Shoulder surfing is made more difficult as trying to
remember what type of chair or world was selected by the user is tough. The
next time the user is requested to login they will receive another random
selection of images with other types of chair or worlds causing the shoulder
surfer real difficulties.
Interestingly another aspect of this security system is the
appeal it has with marketeers that see the customisation of images and login
screens to be a way of starting a brand dialogue right from the very start of a
user’s experience, rather than present them with a utilitarian login process
before accessing the more compelling web service.
Have Tricerion hit on the Holy Grail of password protection
and management? Certainly their approach has been patented as best they can as
they believe they have hit on a really good idea. The reception to radically
different approaches to something such as password management is always very
cool and cynical as security professionals do their utmost to find a flaw in
the offering. With the Tricerion offering arms quickly become unfolded as
reviewers start to understand how picture passwords could be used in their organisation.
I am certainly intrigued and look forward to seeing how
Tricerion advance their novel approach to password protection.