Podcast Episode 140: passwords are dying. What will replace them?

Alpha-numeric passwords have been with us almost since the dawn of the computing age. But our guest this week, Phil Dunkelberger the CEO of Nok Nok Labs, says they’ve overstayed their welcome, and that the next few years may see them disappear altogether. We talk about what will replace them and how. 


The birth of the computer password is generally traced back to the Massachusetts Institute of Technology (MIT) in the mid-1960s, when the university developed the Compatible Time Sharing System (CTSS) to manage access to a shared computer cluster on campus.

Phil Dunkelberger is the CEO of Nok Nok Labs.

Half a century later, the password has long since outlived its usefulness. Its imminent demise has been just around the corner for years – decades – now. So long, in fact, that our guest on this week's podcast, Phil Dunkelberger, says he has stopped prognosticating.

Still, events have conspired to accelerate the shift away from passwords. Chief among them: a string of mega data breaches stretching back years. The fruits of those breaches circulate online in troves with names like Collection 1: huge agglomerations of stolen credentials that can be used for so-called credential stuffing attacks against popular online services or a range of other targets. (Check out Podcast Episode #130 with Troy Hunt, where we talk about Collection 1.)

Nok Nok Labs is a pioneer in driving the adoption of password-less, next-generation authentication that includes biometric, token or wearable-based authentication of devices and users. The company's technology works on mobile, PC and IoT platforms, delivering strong, multi-factor authentication.

CTSS MIT
The first account passwords date to the mid 1960s, when MIT’s Computation Center developed the CTSS – the Compatible Time Sharing System.

Phil has a long history in the authentication and data security space. He served for 8 years as co-founder and CEO of PGP Corporation until it was acquired by Symantec in 2010. Phil served as Entrepreneur-in-Residence at Doll Capital Management (DCM), served as President and CEO of Embark, and COO of Vantive Corporation. He has held senior management positions with Symantec, Apple Computer and Xerox Corporation. 

To start out, I asked Phil about the movement towards password-less security, including FIDO, or Fast Identity Online, a protocol that Nok Nok helped develop and launch. Phil says that we stand on the cusp of major changes. Among them: the W3C will require FIDO support for all W3C certified browsers. Phil says that FIDO support will help to move users away from passwords and toward more secure login methods such as biometrics of various sorts, smart phones and USB tokens. PayPal already uses FIDO, as does the Alibaba AliPay system.


As always, you can check out our full conversation in our latest Security Ledger podcast at Blubrry. You can also listen to it on iTunes and check us out on SoundCloud, Stitcher, Radio Public and more.

2 Comments

  1. Jeff Strubberg

    I cringe when I see companies like this talking about how biometrics are going to kill the password... that biometrics are the solution. Step back for just a moment and ask yourself why passwords fail as a credential so often:

    1. People reuse them. Will biometrics fix this problem? No, they will make it many times worse. You only have one set of fingerprints. You have no option but to reuse them!

    2. Passwords get stolen. Some of that is guessing passwords, which is not likely to happen with a biometric, but these large repositories are not coming from someone guessing passwords! Credentials are being stolen FROM repositories. Until it’s much easier to secure those “vaults”, biometrics cause more problems, not less. Imagine your fingerprint getting stolen. What are you going to do, create another one? You’re out of luck.

    The issue isn’t the password per se. The issue is that we don’t take credentials seriously enough, and we far too often rely on one credential where we should be using multiple ones.

  2. Pingback: Podcast Episode 142: On Supply Chains Diamond-based Identities are forever | The Security Ledger
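To make concrete the difference between a password-style credential and the FIDO-style, public-key model the article describes (and to show how it bears on the reuse and stolen-vault concerns raised in the first comment), here is an added example that is not code from the original post, from Nok Nok Labs or from the FIDO specifications. It is a deliberately simplified, hypothetical model: the authenticator holds one private key per site (origin), the site stores only the matching public key, and a login is a signed, origin-bound challenge.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Authenticator: hypothetical FIDO-style device, one key pair per origin (site).
type Authenticator map[string]*ecdsa.PrivateKey

// Register mints a key pair for origin; only the public key leaves the device.
func (a Authenticator) Register(origin string) *ecdsa.PublicKey {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	a[origin] = priv
	return &priv.PublicKey
}

// digest binds the origin into the signed data so an assertion for one site
// cannot be replayed at another.
func digest(origin string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(origin+"|"), challenge...))
	return h[:]
}

// Sign answers a login challenge with the key registered for origin;
// false means the device holds no credential for that origin.
func (a Authenticator) Sign(origin string, challenge []byte) ([]byte, bool) {
	priv, ok := a[origin]
	if !ok {
		return nil, false
	}
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest(origin, challenge))
	return sig, err == nil
}

// RelyingParty stores only public keys, so a stolen copy of Users (the "vault"
// breach) contains nothing an attacker can log in with.
type RelyingParty struct {
	Origin string
	Users  map[string]*ecdsa.PublicKey
}

// Verify checks a signed challenge against the public key stored for user.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.Users[user]
	return ok && ecdsa.VerifyASN1(pub, digest(rp.Origin, challenge), sig)
}
```

Registering the same device at two sites yields two unrelated public keys, so there is no credential to reuse, and a copy of a site's user table cannot be replayed as a login because it holds no secret at all.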