Too Many Passwords: Is the End in Sight?
Since a password is a shared secret between a user and a system, a threat vector exists at both ends: at the client, where the secret is typed, and at the service provider, where a copy of it (or a verifier derived from it) must be stored.
Experts have said for years that the password alone was never meant to be a long-term solution for securely identifying a user, according to CNET. End users find it increasingly difficult to protect their passwords from advanced phishing and malware campaigns. For service providers, the risk of storing and protecting too many passwords is also growing. Will passwords soon be a thing of the past?
Too Many Passwords, Too Much Risk
Many organizations have turned to single sign-on (SSO) solutions, which transfer the risk to an identity provider rather than removing it, or they simply haven’t addressed the risk before suffering a data breach. According to security expert Troy Hunt, compromised account data increased from 256 million records in 2015 to over 2 billion in 2016.
It’s clear that we need a long-term solution that addresses these security shortcomings and supports an engaging experience for end users. Knowledge-based schemes remain an important aspect of multifactor authentication, but new internet-scale token and biometric solutions must become viable single-factor alternatives themselves.
Three Keys to Advanced Authentication
The good news is that progress is being made toward implementing advanced authentication solutions that address these problems. These strengthen the use of passwords and, more importantly, introduce viable single-factor schemes based on tokens and biometrics. This progress can be attributed to three key areas of investment and collaboration:
- Open Standards: Emerging standards document a set of registration, verification and security credential management processes for adopting and using authentication solutions.
- Research: Continual investment in new algorithms addresses the acute weaknesses of the existing password regime while also exploiting the capabilities of new devices.
- Industry Engagement: Technology vendors actively collaborate with service providers and clients to develop and launch solutions that leverage open standards and research assets.
Let’s expand on these key aspects with examples that substantiate the claims.
1. Open Standards
The proliferation of mobile devices and their advanced capabilities has created new opportunities to deliver innovative authentication solutions. As a result, device manufacturers have become key stakeholders in the design of enterprise-ready authentication solutions. Both Apple and Samsung, for example, have leveraged their positions of trust with consumers to introduce widely adopted biometric authentication solutions.
Consumer enthusiasm for these capabilities is driving collaboration between device manufacturers and enterprise security vendors to address the advanced authentication challenge. This collaboration is exemplified by the composition of the working groups within the Fast IDentity Online (FIDO) Alliance and the W3C that are defining the FIDO and Web Authentication (WebAuthn) open standards.
Historically, biometric authentication has largely been confined to closed systems. Demand for mobile, internet-scale authentication exposes new paradigms and, with them, new avenues for compromise. Biometric data will be a target for adversaries, and unlike a password it cannot be rotated once leaked, so new solutions must minimize the impact and cost of a possible breach of that data.
Many enterprises are leveraging the fingerprint readers built into devices to protect passwords and deliver a frictionless user experience. These are early steps, but they build on research into secure device enclaves and biometric algorithms. According to The Next Web, systems must collect, securely transport and encrypt biometric data. The question of who is responsible for that data, and where it is stored, will be a deciding architectural factor; in the FIDO model, for example, the biometric match happens on the device and only a public key is registered with the service.
2. Research
Researchers continue to develop individual authentication mechanisms and implement them on a wide array of Internet of Things (IoT) devices. In the future, these mechanisms will be combined with algorithms that continuously recognize end-user behavior at scale, so that systems can isolate compromises. At the same time, individual and jurisdictional privacy concerns must be considered.
3. Industry Engagement
In 2016, many technology providers appeared optimistic about the broader adoption of nonpassword authentication schemes. Microsoft and IBM, for example, both released mobile, out-of-band authentication solutions. IBM is combining identity use cases with behavioral biometrics capabilities in an effort to move toward a more frictionless, secure engagement. Similarly, Google’s program to implement tokens as a way for employees to authenticate to internal systems has been successful, according to the FIDO Alliance.
Companies such as Apple, Google and Samsung are in a race to capture the greater biometrics market through consumer trust in their ubiquitous devices. The good news for both enterprise and consumer authentication is that industry strategy and investment trends are aligned to promote further technological advances.
Preparing for the Password-Pocalypse
A number of key technologies and standards are emerging, as evidenced by the use cases described above. Organizations providing secure access to personal data and services are starting to adopt device token and biometric mechanisms to simplify the authentication experience. This is a good first step toward more widespread adoption of these techniques.
Although knowledge factors such as passwords will continue as a single-factor mechanism in 2017 and beyond, the emergence of new authentication methods will build the case for replacing passwords where appropriate. This will ultimately reduce our dependence on too many passwords and encourage us to strengthen those we must retain.