January 16, 2017 By Christopher Hockings 3 min read

Since passwords are a shared secret between a user and a system, a threat vector exists at both the client and the service provider.

Experts have declared for years that the password alone was never considered a long-term solution for securely identifying a user, according to CNET. End users are finding it increasingly difficult to protect their passwords from advanced phishing and malware campaigns. For service providers, the risk of storing and protecting too many passwords is also growing. Will passwords soon become things of the past?

Too Many Passwords, Too Much Risk

Many organizations have turned to single sign-on (SSO) solutions to pass the risk to identity providers, or they simply haven’t been able to address this risk before suffering a data breach. According to security expert Troy Hunt, compromised account data increased from 256 million records in 2015 to over 2 billion in 2016.

It’s clear that we need a long-term solution that addresses these security shortcomings and supports an engaging experience for end users. Knowledge-based schemes remain an important aspect of multifactor authentication, but new internet-scale token and biometric solutions must become viable single-factor alternatives themselves.

Three Keys to Advanced Authentication

The good news is that progress is being made toward implementing advanced authentication solutions that address these problems. These strengthen the use of passwords and, more importantly, introduce viable single-factor schemes based on tokens and biometrics. This progress can be attributed to three key areas of investment and collaboration:

  1. Open Standards: Emerging standards document a set of registration, verification and security credential management processes for adopting and using authentication solutions.
  2. Research: Continual investment in new algorithms address the acute challenges presented by the weakness of the existing password regime but also leverage new device opportunities.
  3. Industry Engagement: Technology vendors actively collaborate with service providers and clients to develop and launch solutions that leverage open standards and research assets.

Let’s expand on these key aspects with examples that substantiate the claims.

1. Open Standards

The proliferation of mobile devices and their advanced capabilities have created new opportunities to deliver innovative authentication solutions. As a result, device manufactures have become key stakeholders in the design of enterprise-ready authentication solutions. Both Apple and Samsung, for example, have leveraged their positions of trust with consumers to introduce widely adopted biometric authentication solutions.

Consumer enthusiasm for these capabilities is driving collaboration between device manufacturers and enterprise security vendors to address the advanced authentication challenge. This collaboration is exemplified by the composition of the working groups defining the Fast IDentity Online (FIDO) Alliance and W3C’s Web Authentication open standards.

2. Research

Historically, adoption of biometric authentication systems has largely been focused on closed systems. But increased demand for mobile and internet-scalable authentication solutions also exposes new paradigms and, therefore, potential compromise. Biometric information will be a target for adversaries, so new solutions must minimize the widespread impact and cost of possible breach of that data.

Many enterprises are leveraging device support for biometric authentication provided by fingerprint readers as a way to protect passwords and deliver a frictionless user experience. These are early steps, but they make use of research around secure device enclaves and biometric algorithms. According to The Next Web, systems must collect, securely transport and encrypt biometric data. However, the debate around who is responsible for where data will be stored will be a deciding architectural factor.

Researchers continue to develop individual authentication mechanisms and implement those on a wide array of Internet of Things (IoT) devices. In the future, these mechanisms will combine with algorithms that, at scale, will continuously recognize end user behavior so that systems can isolate compromises. At the same time, individuals and jurisdictional privacy concerns must be considered.

3. Industry Engagement

In 2016, many technology providers appeared optimistic about the broader adoption of nonpassword authentication schemes. Microsoft and IBM, for example, both released mobile, out-of-band authentication solutions. IBM is combining identity use cases with behavioral biometrics capabilities in an effort to move toward a more frictionless, secure engagement. Similarly, Google’s program to implement tokens as a way for employees to authenticate to internal systems has been successful, according to the FIDO Alliance.

Companies such as Apple, Google and Samsung are in a race to capture the greater biometrics market through consumer trust of their ubiquitous devices. The good news for both enterprise and consumer authentication is that the industry strategy and investment trends are aligned to promote further technological advances.

Preparing for the Password-Pocalypse

A number of key technologies and standards are emerging, as evidenced by the use cases described above. Organizations providing secure access to personal data and services are starting to adopt device token and biometric mechanisms to simplify the authentication experience. This is a good first step toward more widespread adoption of these techniques.

Although knowledge data such as passwords will continue as a single-factor mechanism in 2017 and beyond, the emergence of new authentication methods will build the case for replacing passwords where appropriate. This will ultimately reduce our dependence on too many passwords and encourage us to strengthen those we must retain.

Watch the On-Demand Webinar: Five Steps to Overcome Customer Authentication Chaos

More from Identity & Access

Another category? Why we need ITDR

5 min read - Technologists are understandably suffering from category fatigue. This fatigue can be more pronounced within security than in any other sub-sector of IT. Do the use cases and risks of today warrant identity threat detection and response (ITDR)? To address this question, we work backwards from the vulnerabilities, threats, misconfigurations and attacks that IDTR specializes in providing visibility into. As identity threat detection and response (ITDR) technology evolves, one of the most common queries we get is: “Why do we need…

Access control is going mobile — Is this the way forward?

2 min read - Last year, the highest volume of cyberattacks (30%) started in the same way: a cyber criminal using valid credentials to gain access. Even more concerning, the X-Force Threat Intelligence Index 2024 found that this method of attack increased by 71% from 2022. Researchers also discovered a 266% increase in infostealers to obtain credentials to use in an attack. Family members of privileged users are also sometimes victims.“These shifts suggest that threat actors have revalued credentials as a reliable and preferred…

Passwords, passkeys and familiarity bias

5 min read - As passkey (passwordless authentication) adoption proceeds, misconceptions abound. There appears to be a widespread impression that passkeys may be more convenient and less secure than passwords. The reality is that they are both more secure and more convenient — possibly a first in cybersecurity.Most of us could be forgiven for not realizing passwordless authentication is more secure than passwords. Thinking back to the first couple of use cases I was exposed to — a phone operating system (OS) and a…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today