Since passwords are a shared secret between a user and a system, a threat vector exists at both the client and the service provider.

Experts have said for years that the password alone was never meant to be a long-term solution for securely identifying a user, according to CNET. End users are finding it increasingly difficult to protect their passwords from advanced phishing and malware campaigns. For service providers, the risk of storing and protecting too many passwords is also growing. Will passwords soon become things of the past?

Too Many Passwords, Too Much Risk

Many organizations have turned to single sign-on (SSO) solutions to pass the risk to identity providers, or they simply haven’t been able to address this risk before suffering a data breach. According to security expert Troy Hunt, compromised account data increased from 256 million records in 2015 to over 2 billion in 2016.

It’s clear that we need a long-term solution that addresses these security shortcomings and supports an engaging experience for end users. Knowledge-based schemes remain an important aspect of multifactor authentication, but new internet-scale token and biometric solutions must become viable single-factor alternatives themselves.

Three Keys to Advanced Authentication

The good news is that progress is being made toward implementing advanced authentication solutions that address these problems. These strengthen the use of passwords and, more importantly, introduce viable single-factor schemes based on tokens and biometrics. This progress can be attributed to three key areas of investment and collaboration:

  1. Open Standards: Emerging standards document a set of registration, verification and credential management processes for adopting and using authentication solutions.
  2. Research: Continual investment in new algorithms addresses the acute challenges presented by the weakness of the existing password regime and also leverages the capabilities of new devices.
  3. Industry Engagement: Technology vendors actively collaborate with service providers and clients to develop and launch solutions that build on open standards and research assets.

Let’s expand on these key aspects with examples that substantiate the claims.

1. Open Standards

The proliferation of mobile devices and their advanced capabilities has created new opportunities to deliver innovative authentication solutions. As a result, device manufacturers have become key stakeholders in the design of enterprise-ready authentication solutions. Both Apple and Samsung, for example, have leveraged their positions of trust with consumers to introduce widely adopted biometric authentication solutions.

Consumer enthusiasm for these capabilities is driving collaboration between device manufacturers and enterprise security vendors to address the advanced authentication challenge. This collaboration is exemplified by the composition of the working groups defining the Fast IDentity Online (FIDO) Alliance specifications and the W3C's Web Authentication (WebAuthn) open standard. The security-relevant point of these standards is that the relying party stores only a public key, not a shared secret, and each login signs a challenge that the browser binds to the origin it actually contacted.
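To make the registration and verification processes concrete, the following is an added example written for this article; it is not code from the FIDO Alliance, the W3C or any vendor named here. It models a simplified WebAuthn-style flow: the authenticator generates a key pair and hands over only the public half at registration, and each login signs a server challenge together with the origin the browser reports. The relying party origin `https://example.com`, the RP ID `example.com` and the phishing origin `https://evil.example` are assumptions, and the client-data JSON is compared byte-for-byte instead of parsed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
)

// Assumed relying party identity; a real deployment takes these from config.
const (
	rpOrigin = "https://example.com"
	rpID     = "example.com"
)

// Authenticator models the client-side key holder (a security key or platform
// enclave). The private key is generated here and never leaves it.
type Authenticator struct {
	priv    *ecdsa.PrivateKey
	counter uint32
}

// Credential is all the relying party stores after registration: a public key
// and the last signature counter. There is no secret to leak in a breach.
type Credential struct {
	pub     *ecdsa.PublicKey
	counter uint32
}

// Register creates a fresh P-256 key pair on the authenticator and returns the
// public half for the relying party to persist.
func Register() (*Authenticator, *Credential, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{priv: priv}, &Credential{pub: &priv.PublicKey}, nil
}

// NewChallenge is issued by the relying party per login; it must be
// unpredictable and single-use, which is what prevents replay.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// clientData mirrors WebAuthn's CollectedClientData: the browser, not the
// authenticator, fills in the origin it is actually talking to.
func clientData(challenge []byte, origin string) []byte {
	return []byte(`{"type":"webauthn.get","challenge":"` +
		base64.RawURLEncoding.EncodeToString(challenge) +
		`","origin":"` + origin + `"}`)
}

// signedMessage is the digest both sides compute over
// SHA-256(rpID) || counter || SHA-256(clientData), in the spirit of
// authenticatorData || hash(clientDataJSON).
func signedMessage(counter uint32, cd []byte) []byte {
	rpIDHash := sha256.Sum256([]byte(rpID))
	cdHash := sha256.Sum256(cd)
	buf := append([]byte{}, rpIDHash[:]...)
	buf = append(buf, byte(counter>>24), byte(counter>>16), byte(counter>>8), byte(counter))
	buf = append(buf, cdHash[:]...)
	h := sha256.Sum256(buf)
	return h[:]
}

// Sign is the authenticator's response. origin is whatever page asked for the
// assertion; a phishing page cannot claim the genuine origin.
func (a *Authenticator) Sign(challenge []byte, origin string) (uint32, []byte, []byte, error) {
	a.counter++
	cd := clientData(challenge, origin)
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedMessage(a.counter, cd))
	return a.counter, cd, sig, err
}

// Verify is the relying-party check: valid signature under the stored public
// key, our challenge and our origin in the signed client data, and a counter
// that moved forward (a stalled counter suggests a cloned authenticator).
func (c *Credential) Verify(challenge []byte, counter uint32, cd, sig []byte) error {
	if !ecdsa.VerifyASN1(c.pub, signedMessage(counter, cd), sig) {
		return errors.New("bad signature")
	}
	if string(cd) != string(clientData(challenge, rpOrigin)) {
		return errors.New("client data mismatch: wrong challenge or origin")
	}
	if counter <= c.counter {
		return errors.New("signature counter did not increase (replay or clone)")
	}
	c.counter = counter
	return nil
}

func main() {
	auth, cred, err := Register()
	if err != nil {
		panic(err)
	}
	ch, _ := NewChallenge()
	ctr, cd, sig, _ := auth.Sign(ch, rpOrigin)
	fmt.Println("genuine login:", cred.Verify(ch, ctr, cd, sig))
	fmt.Println("replayed login:", cred.Verify(ch, ctr, cd, sig))

	// Phishing: the attacker relays our challenge to the victim, but the
	// victim's browser binds the response to the attacker's origin.
	ch2, _ := NewChallenge()
	ctr2, cd2, sig2, _ := auth.Sign(ch2, "https://evil.example")
	fmt.Println("phished login:", cred.Verify(ch2, ctr2, cd2, sig2))
}
```

Running it prints `<nil>` for the genuine login and errors for the replay and the phishing relay. The design choice worth noting is that the server never learns anything it could be tricked into revealing: a database dump yields public keys and counters, and a phished user yields a signature that only verifies for the attacker's origin.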

2. Research

Historically, adoption of biometric authentication systems has largely been limited to closed systems. Increased demand for mobile and internet-scalable authentication introduces new architectures and, with them, new avenues for compromise. Biometric information will be a target for adversaries, and unlike a password it cannot be rotated after a breach, so new solutions must minimize the widespread impact and cost of a possible breach of that data.

Many enterprises are leveraging the fingerprint readers built into devices as a way to protect passwords and deliver a frictionless user experience. These are early steps, but they build on research into secure device enclaves and biometric matching algorithms. According to The Next Web, systems must collect, securely transport and encrypt biometric data. However, where that data is stored, on the device or on a server, and who is responsible for it will be a deciding architectural factor.

Researchers continue to develop individual authentication mechanisms and implement them on a wide array of Internet of Things (IoT) devices. In the future, these mechanisms will combine with algorithms that, at scale, continuously recognize end user behavior so that systems can isolate compromised sessions. At the same time, individual and jurisdictional privacy concerns must be considered.

3. Industry Engagement

In 2016, many technology providers appeared optimistic about the broader adoption of nonpassword authentication schemes. Microsoft and IBM, for example, both released mobile, out-of-band authentication solutions. IBM is combining identity use cases with behavioral biometrics capabilities in an effort to move toward a more frictionless, secure engagement. Similarly, Google's program to issue hardware tokens for employees to authenticate to internal systems has been successful, according to the FIDO Alliance.

Companies such as Apple, Google and Samsung are in a race to capture the greater biometrics market through consumer trust of their ubiquitous devices. The good news for both enterprise and consumer authentication is that the industry strategy and investment trends are aligned to promote further technological advances.

Preparing for the Password-Pocalypse

A number of key technologies and standards are emerging, as evidenced by the use cases described above. Organizations providing secure access to personal data and services are starting to adopt device token and biometric mechanisms to simplify the authentication experience. This is a good first step toward more widespread adoption of these techniques.

Although knowledge data such as passwords will continue as a single-factor mechanism in 2017 and beyond, the emergence of new authentication methods will build the case for replacing passwords where appropriate. This will ultimately reduce our dependence on too many passwords and encourage us to strengthen those we must retain.
