Podcast Episode 133: Quantum Computing’s Security Challenge and Life After Passwords

In this week’s episode of the podcast (#133): the arrival of functional quantum computers may be closer than you think. I’m joined by Avesta Hojjati, Head of DigiCert Labs, and Brian LaMacchia, Distinguished Engineer and Head of the Security and Cryptography Group at Microsoft Research, to talk about the coming quantum revolution and what it means for security. Also: what will it really take for consumers and businesses to ditch the user name and password? This week we’re kicking off a series on the future of passwords and authentication with George Avetisov, the CEO of the startup HYPR.


Quantum’s Security Challenge

Quantum computers sound like the stuff of science fiction: with the zeros and ones that are the foundation of modern computing giving way to ethereal qubits that can be either zero or one or both at the same time as well as everything in between. 

Brian LaMacchia is a Microsoft Corporation Distinguished Engineer and heads the Security and Cryptography team within Microsoft Research (MSR) where he works on the development of quantum-resistant public-key cryptographic algorithms and protocols.

But the arrival of functional quantum computers may be closer than you think. Estimates of when the first such system will be available range from five years or so from now to 20 or more. Once they’re here, quantum computers will make short work of many of the most commonly used encryption schemes, which protect much of the world’s sensitive data. And, for cryptography experts worried about the security of data protected with powerful encryption algorithms, a decade or two hence is close enough to begin preparing now.

One small step in that direction happened this week, as Microsoft teamed with the certificate authority DigiCert and the firm Utimaco, announcing a successful test implementation of a Microsoft-developed algorithm known as “Picnic,” which can create quantum-safe digital certificates used to encrypt, authenticate and provide integrity for connected devices commonly referred to as the Internet of Things (IoT). Though still in development, the companies say that Picnic will protect IoT devices from future threats quantum computing could pose to today’s widely used cryptographic algorithms.

To understand more about the problem that the advent of quantum computing poses for the security of the Internet and the Internet of Things, we sat down with Avesta Hojjati, Head of DigiCert Labs, and Brian LaMacchia, Distinguished Engineer and Head of the Security and Cryptography Group at Microsoft Research and an inventor of the Picnic algorithm, to talk about the coming quantum revolution and what it means for security.

Life after passwords

In just the last month, hundreds of millions of user names and passwords have been exposed by researchers: the contents of online compendiums known as collections 1 through 5. They’re the fruits of data breaches and hacks going back years, and they are a useful tool to cyber criminals who can carry out credential stuffing attacks against a wide range of sites.

George Avetisov is Cofounder and Chief Executive Officer of HYPR

 

The password problem gets even worse when you think about the Internet of Things, where endpoints proliferate and the consequences of attacks and compromises risk life and limb. 

What’s the solution? One easy answer is biometrics: identifiers like fingerprints, face scans and even voice are natural choices. But widespread use of biometrics can pose a risk to privacy and civil liberties, as countries like China are demonstrating. So is there a happy medium between security, privacy and civil liberties? In our second segment, we speak with George Avetisov of the firm HYPR about how smartphones are creating the possibility for a new, decentralized authentication system in which users control their own online identities.

2 Comments

  1. Without changing how such credentials are secured, proposing biometric data as a solution to password problems is irresponsible. Remember, those identifiers must be stored in order to compare them, just as passwords are now. If your biometric data is “lost” to a criminal, you cannot just change the identifier! You only have one set of fingerprints.

  2. Hmm…that’s definitely true, Jeff. I think what George was talking about was combining the biometric with other factors (like the phone hardware, etc.) not simply a 1:1 replacement (password for fingerprint or password for face scan, for example).