Passwords have been used for centuries but, according to some, their days are numbered. Bill Gates, for example, believes that arming everyone with yet more complex technology will make electronic transactions safer.

While this may be true for those prepared or able to use such technology, there's a lot more that communications networks can do to take the strain and keep things simple, argues Richard Baker, BT's chief identity architect.

Every day for the past 700 years, a password ritual has been enacted at the Tower of London. At seven minutes to 10 o'clock every night, the Tower is locked down by the chief warder who is then challenged by a sentry to provide the right password. The dialogue runs:

Sentry - 'Who goes there?'
Chief Warder - 'The Keys'
Sentry - 'Whose Keys?'
Chief Warder - 'Queen Elizabeth's Keys.'
Sentry - 'Pass Queen Elizabeth's Keys. All's well.'

But all is far from well in the modern world. Passwords have become a currency amongst criminals who attack banks, businesses and individuals to steal cash and other assets. In our digital world, the majority of electronic transactions and security procedures are protected by user name and password authentication.

Many people use the same password for everything while others use a different password for each system. Both approaches have serious weaknesses. The first enables a hacker who has successfully captured a password to tamper with not just one but all of a victim's electronic accounts.

The second requires people to remember dozens of different passwords and change them regularly. Understandably, people often forget their passwords, write them down or simply enter the wrong one, increasing the burden on helpdesks.

Beyond passwords, there are approaches to authentication that have previously been considered a gold standard. In reality, though, nothing is foolproof and there always has to be a trade-off between security, usability and cost.

There’s no point, for example, in a bank spending a fortune on a system that is too cumbersome for its customers to use - such a system might drive customers away.

An appropriate level of investment, however, is essential to manage the risks involved in a rapidly evolving threat landscape.

Fraud, money laundering and the financing of terrorists are activities carried out by 'professionals' who work to a business case just like any legitimate organisation. Fighting them involves working to a business case that has the opposite objectives and ensuring you are sufficiently fleet of foot to outwit the bad guys.

Challenging the password

Authentication systems revolve around one or more of three things:

  • something you know, such as a password or PIN;
  • something you have, like a smart card or an electronic token usually in the style of a key-fob; 
  • something you are - for example, individual biometrics relating to fingerprints, voice patterns and iris scans.

Until now, passwords have ruled the roost because they are cheap to implement. But Bill Gates thinks we've reached the limits of this simple technology and is advocating stronger measures based on new technologies.

Like many other companies - BT included - Microsoft believes in a 'multi-layered' approach to security in which it becomes harder and harder to penetrate systems as the potential for damage to the organisation or its customers increases.

The software giant, however, tends to focus on measures that can be installed on the desktop or back-office server or literally put into a person's hand. The latter could be an electronic token or a hand-held card reader for use in the home in a similar way to the devices that read credit cards in shops.

This isn't the only way to address the security challenge. First, though, what are the pros and cons of the approach Microsoft is recommending?

Two-factor technology

While the majority of US banks still employ a simple approach to authentication based on user names and passwords, many organisations around the world now use 'two-factor' techniques.

Typically, these involve tokens that generate a unique number that becomes useless after a time window of 30 seconds or so, or is limited to a one-off transaction. In the case of electronic tokens, the user enters this number as well as his/her user name and password. If a card reader is used, the number is read and submitted automatically.

The result is an enhanced level of security, but the technique isn't without its limitations. Citibank, for example, uses a two-factor system in the US, but it was successfully attacked by fraudsters in summer 2006.

They used a particularly sophisticated form of 'phishing' - a scam in which emails are sent asking people to visit websites to update details such as user names and passwords. The problem is that the websites are fakes. Customers who thought they were logging in to the real website at the bank’s request were actually giving their login details to criminals.

Such scams are increasingly commonplace and have made it urgent for organisations to find a way to convince the public that the websites they are accessing are genuine.

Evolving risk

One of the challenges is to find a way of doing this that delivers acceptable security, is easy to use and is of acceptable cost to the organisation and its customers.

Achieving all three can be a challenge. In Holland, for example, people are prepared to buy hand-held card readers to access their bank account but research shows that people in the UK wouldn’t be willing to pay for enhanced security.

Even if answers can be found, they may only be effective for a limited period of time. The banks, amongst others, are beginning to realise this. They face a number of challenges:

  • Securing their own websites and call centres;
  • Confirming transactions made on other commercial websites;
  • Checking that customers really are who they claim to be;
  • Encouraging people to use online services rather than going to the bank.

The picture is constantly changing. The arrival of chip and PIN authentication has seen a shift in fraud patterns from straightforward over-the-counter credit card fraud to Cardholder Not Present (CNP) fraud - either online or over the telephone.

The regulations banks must meet are changing too. To prevent money laundering, for example, both the Financial Services Authority in the UK and the Federal Financial Institutions Examination Council in the US now require banks and other financial services organisations to validate every new customer's identity.

The FFIEC considers single-factor authentication including passwords and PINs to be inadequate for high-risk transactions but recommends a 'reasonable' approach to risk. A recent report says: 'The method of authentication used in an internet application should be appropriate and reasonable from a business perspective in the light of foreseeable risks.'

Crucially, it requires financial institutions to develop an ongoing process to align the extent of authentication with the level of risk involved in a class of transaction and ensure the most appropriate authentication technologies are used in each case.

A network approach

So if two-factor techniques are already showing signs of weakness, are there any alternatives?

One that's been in use for some years is based on the analysis of people's behaviour patterns. Some credit card companies, for example, do more than check that the correct PIN is entered when a purchase is being made.

They also look at the amount being charged and the store’s location to be sure these details fit with what's normal. If they aren’t, additional checks are made.

Phone companies - BT among them - apply similar checks to customers' calls. Have they suddenly started making more calls, or started calling premium-rate numbers for long periods? Anything suspicious prompts a call to the customer to make sure all is well.

BT plans to build on such multi-layered approaches as it deploys its new £10bn 21st Century Network. The network will include an evolving set of services that allow both BT and other organisations to create multi-layered defences against criminal activity based on perceived risk.

The idea, still in development, is to capture and use for security purposes the sorts of data that people disclose as they access online services: where they are connected to the network, which computer and web browser they are using and so on. This will build up a pattern of normal behaviour for each user that can be used to increase the confidence that a user is who he/she claims to be.

The information will allow BT to assign a risk rating to each user session. If the user is connecting from his/her home address, the risk will be low but, if he/she suddenly starts connecting from a country where fraud is endemic, it will be high.

It will be up to the organisation that uses BT's service to decide how it wants to respond to each level of risk. At which level will it begin to limit what users can do, for example, and at which will it prevent access completely?
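The behaviour checks described for card and phone transactions above, and the session risk rating just outlined, follow the same shape: compare a new event with the user's established pattern, turn the deviations into a score, and let the relying organisation map score bands to actions. The sketch below is an added example, not BT's or the author's code; the signals (country, device, browser), the weights, the placeholder high-fraud country list and the policy thresholds are all assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

# Constructed placeholder list of countries the relying organisation treats as high
# fraud risk; the codes are made up, not real data.
HIGH_FRAUD_COUNTRIES = {"XX", "YY"}

# Hypothetical weights for each deviation from the user's normal pattern.
WEIGHTS = {"unfamiliar country": 20, "high-fraud country": 40,
           "new device": 25, "new browser": 10}

@dataclass
class Baseline:
    """What is 'normal' for one user, built up from earlier sessions."""
    home_countries: set = field(default_factory=set)
    known_devices: set = field(default_factory=set)
    known_browsers: set = field(default_factory=set)

def risk_score(baseline, session):
    """Rate one session against the baseline.
    session is a dict with keys country, device_id and browser (assumed signals).
    Returns (score, reasons) so the decision can be explained to an analyst."""
    reasons = []
    if session["country"] not in baseline.home_countries:
        reasons.append("high-fraud country" if session["country"] in HIGH_FRAUD_COUNTRIES
                       else "unfamiliar country")
    if session["device_id"] not in baseline.known_devices:
        reasons.append("new device")
    if session["browser"] not in baseline.known_browsers:
        reasons.append("new browser")
    return sum(WEIGHTS[r] for r in reasons), reasons

def decide(score, step_up=30, deny=60):
    """The relying organisation's policy; the thresholds are its choice (assumed values).
    'step_up' means limit what the user can do and ask for an extra check."""
    if score >= deny:
        return "deny"
    if score >= step_up:
        return "step_up"
    return "allow"

def learn(baseline, session):
    """Fold a session that was allowed and completed without incident into 'normal',
    so the pattern follows the user over time instead of staying fixed."""
    baseline.home_countries.add(session["country"])
    baseline.known_devices.add(session["device_id"])
    baseline.known_browsers.add(session["browser"])
    return baseline
```

Returning the reasons alongside the score matters in practice: a customer who is phoned about a blocked session, or a fraud analyst reviewing it, needs to know which signal tripped the check.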

Like other security measures, it won't be perfect. Someone will eventually find a loophole that will have to be closed. However, like existing checks on credit card transactions, it doesn’t require users to do, have or buy anything special.

In many ways, users and customers are the strongest weapon against hackers and fraudsters. You need to do everything you can to keep them on your side - alert to the threat and helping you defeat it. The clearer and more straightforward security checks are to complete, the more likely your users or customers will want to work with you.