Authentication-based security is a critical component of data security, yet for quite some time it seems that how it’s approached has been slow to adapt to modern security and mobility needs. It’s becoming increasingly clear that passwords simply aren’t going to suffice, and global security leaders are stepping up to the plate to revolutionize how enterprises can approach authentication. In this article, I will outline trends in authentication-based security and take a promising look into the possibilities of our passwordless future.
Trending Towards Passwordless Authentication
We’ve gone at length before about the issues surrounding password-based authentication. It’s no secret that authentication-based security is rapidly moving away from passwords, considering that the Verizon 2017 Data Breach Investigations Report found that 81% of all hacking-related breaches leverage stolen or weak passwords.
Fastenal: Why Being Cheap Works As a Business Strategy
Fastenal is one of the best-performing stocks of the past decade. Since the beginning of January 2010, shares in the industrial distribution company have yielded an average annual return of 16%, turning every $10,000 invested into $44,264. Q2 2020 hedge fund letters, conferences and more In many ways, Fastenal is not the sort of business Read More
While passwords are certainly not going away entirely in the next three years, Gartner predicts that by 2022 we can expect that 60% of large and global enterprises and 90% of mid-size enterprises will implement passwordless methods in more than 50 percent of use cases.
Here’s the recap on the decline of passwords:
- Inconvenient: Everything that constitutes proper password hygiene is inherently user-unfriendly. Remembering unique, complex, and long passwords is a chore, particularly when nearly every service demands a password.
- Password Reuse: The inconvenience of passwords had led to a shocking 59% of users surveyed by LastPass in their Psychology of Passwords Report admitting to reusing the same password. Even when users are forced to regularly change their passwords they’ll often simply just make minor alterations to their existing password, making them easy to guess once any previous credentials have been leaked.
- Shared Knowledge: Using passwords requires that the passwords are stored in a database. Even when passwords are hashed and salted they can still potentially be decrypted after the database is breached. Should the owners of the decrypted passwords be guilty of point #2, many of their other accounts are now at risk.
Shifting From Static to Dynamic Authentication
The rapid shift to remote working caused by COVID-19 is likely to have lasting impacts in the next three years, considering that 77% of the employees surveyed by Global Workplace Analytics want to continue working from home at least once a week after the pandemic subsides.
The increase in off-site workers and the dynamic nature of enterprise mobility management will necessitate adaptive multi-factor authentication (MFA) measures to account for regular changes in device usage, location, and login times. Static forms of authentication such as username/password credentials simply aren’t able to adapt to the security challenges that this increased mobility presents. Dynamic authentication that leverages credentials that cannot be reused or shared will be a necessary adaptation for the future of authentication-based security.
Reduced Reliance on SMS for Multi-Factor Authentication (MFA)
One-time passwords sent via SMS text messages have been a common method of multi-factor authentication (MFA) for quite some time. Unfortunately, SMS really wasn’t designed with security and authentication in mind. Messages sent to cell phones can be intercepted through SIM card swapping and rerouting text messages, allowing attackers to bypass the added layer of security normally provided by this MFA measure.</p<
Adaptive Multi-Factor Authentication
MFA has long been touted as a means for improving the security of passwords. Typical MFA requires users to provide an additional authentication measure that is used in conjunction with their password, such as an SMS message, authenticator application, or answering a knowledge-based question.
Adaptive MFA further extends the security and convenience of standard MFA by requiring more or less authentication measures depending on the associated risk level of the login session. The risk level of a given session is determined by measures such as the device used, the time of the login, the specific user, and even post-login activities.
FIDO2, CTAP2, WebAuthn, & Universal Second Factor (U2F)
While U2F has been in development since 2014, it has seen major acceleration following the introduction of new standards set by Fast Identity Online’s (FIDO2) Client to Authenticator Protocol (CTAP) and Web Authentication API (WebAuthn) specifications. These promising passwordless standards aim to combine passwordless first-factor authentication with other authentication measures to overcome the vulnerabilities seen in passwords.
In their whitepaper on the future of passwordless protection, Microsoft outlines how they’ve worked with FIDO2 to develop enterprise-ready forms of authentication that can replace passwords entirely. The core of U2F leverages public-key cryptography with the use of a hardware key that contains a secret and unique key that is built directly into the device. The requirement to shift authentication to include something the user has (vs simply something they know, such as a password or knowledge-based question) mitigates the risks associated with compromised credentials as the account remains inaccessible without the physical device.
FIDO2 provides authentication methods beyond what the user knows (passwords, knowledge-based questions, PINs) by leveraging what the user has (hardware tokens, biometrics, etc). By moving away from standard usernames and passwords authentication can not only become more convenient for users, it can become more secure too.
- Public-Key Cryptography: In public-key cryptography, the public key is all that is stored in the authentication database. The public key is of no use without the private key and the private key is securely stored locally on the device that is being authenticated, making databases a much less attractive target to threat actors.
- Single-Use Keypairs: Keypairs used in public-key cryptography are only used for a specific origin (such as a website), protecting against phishing attacks and man-in-the-middle (MITM) attacks.
- Local Credentials: PIN-based logins may seemingly operate similarly to passwords, but the complexity of the PIN is not the source of the security. Instead, PINs are directly tied to the physical device and stored locally. Even if a threat actor knows the PIN, without direct physical access to the device they aren’t able to access the system. Biometrics can be used in the same way to allow users to initially login to the device before other authentication factors can be used to gain access to a given service.
These new authentication-based security options may eventually mean the death of passwords, though enterprises and consumers alike are often slow to adapt to new offerings en-masse. Even with multi-factor authentication (MFA) steadily rising in the consumer market, a measly 28% amount of respondents surveyed by Duo in 2017 actually took advantage of the added layer of security provided by MFA. Even as these new authentication methods take hold, there will still be users and services that demand the passwords they’ve come to know.