Q&A: Are online passwords dead?

We spoke to Simon Moffatt, Senior Product Manager at ForgeRock, about password-based authentication.

With global use of online services continuing to grow at an exponential rate, so too does the need to securely protect all of the sensitive data and information stored within them.

The humble password has long been seen as the guardian of the Internet, but as online criminals get more creative and intelligent with their tactics, there’s reason to believe that passwords alone no longer cut it. We spoke to Simon Moffatt, Senior Product Manager at ForgeRock about why password-based authentication is no longer up to the job and what are some of the more robust alternatives.

Why are passwords no longer considered secure?

Passwords have been used since the birth of computing. However, it is now generally accepted that password-based authentication, on its own, is a low security option. Indeed, many companies are ignoring the basic good housekeeping with respect to passwords storage, including using salted hashing as opposed to encryption or clear text.

Advances in computing power mean that it is now much faster for cyber attackers to run automated programmes to de-crypt poorly protected password databases.

Many service providers enforce so-called password complexity rules for their users, for example stating that all passwords must contain at least one letter, one number and one special character. However, more often than not this results in password reuse and the dreaded anti-pattern of writing the password down! A new sub-industry of security focusing entirely on password management via browser plugins has looked to alleviate some of the end-user burden with respect to generating and storing complex passwords. But, whilst this increases user convenience, it does not solve the underlying issue of passwords being a weak form of authentication.

From a workability perspective, passwords still play a big part in many end-user login journeys and whilst more secure login processes exist, until user convenience increases with those more secure processes, passwords will be around for some time yet.

Is this an enterprise problem or just a consumer issue?

Password management really affects all users, devices and systems, from both an internal and external standpoint. From a consumer perspective, the big paradox is between user convenience and security. End users want to trust that their passwords and personal data are being kept safe, but find it too difficult to remember multiple unique and complex passwords. The service provider, on the other hand, wants to reduce the time and friction that often occurs during sign up and sign in. If the security mechanisms and measures are too obstructive, this can turn users away from their service.

Internet-facing or consumer-based services often have a bigger attack vector from malicious parties and software that can access their public-facing applications and sites. This is where increasing security is now a big driver for many providers.

The other way that this is becoming an enterprise concern is when it comes to the compromised passwords. Even if an individual’s personal social media account details have been attacked initially, malicious parties could attempt use the same details for work accounts. This is the kind of tactic used in a well-researched spear phishing campaign.

How can the shortcomings of password authentication be addressed?

The rise of mobile devices presents the most obvious path to greater online security controls. Mass adoption of mobile devices around the world means organisations can implement more robust, two-factor or multi-factor authentication systems without having to worry about the high cost of providing the devices to consumers themselves.

Under a two-factor authentication system, traditional usernames and passwords remain the first identity verification step, but users are then required to input a second authentication factor to further verify who they are. Typically, this involves sending a unique code or password to the user’s mobile device, which must be inputted alongside the user’s credentials in order for access to be granted.

Will mobile-based authentication become the new industry benchmark?

Mobile-based authentication is certainly becoming the benchmark standard for online businesses, which is great news for consumers and their data. However, it is not without its issues. Mobile devices are not always secure and unfortunately, a growing volume of malware is being specifically programmed to target them.

Such malware can allow criminals to scrape verification codes directly from the devices if they are sent over the data network. The impact to user experience is also a concern, as many consumers do not want to have to enter multiple passwords every time they want to access their online accounts.

If mobile-based authentication isn’t entirely secure, how can it be improved?

One option is to add a biometric layer to the authentication process, such as fingerprint, voice or facial recognition technology. This could further boost security, with minimal impact to user experience. High-end smartphones do indeed offer these capabilities, but until they are more widely available, biometric authentication is unlikely to be a viable solution for the majority of consumers.

Another alternative is to add extra layers to the two-factor process, such as push authentication, which increases security but doesn’t impact on customer experience. The first time a consumer signs into a website that uses push authentication, they will be asked to scan an on-screen QR code with their mobile device. This creates an ‘ID tether’ between the user and their device. 

With the tether created, the next time the user logs in, a push notification is sent to their device and all they have to do is tap ‘approve’ in order to proceed. Importantly, these messages are usually sent using a different network, the cellular network most often, making interception by malware or other criminal monitoring of data activity difficult.

Is there an even better alternative on the horizon?

The rise in demand for multifactor authentication has accelerated in recent months as businesses wake up to the threat posed by online criminal activity. But just as some are catching up, the most forward-thinking organisations are already looking to take their security practices one step further. One way they are doing this is by implementing solutions that offer adaptive risk authentication and continuous security.

As robust as multifactor authentication is becoming, it still relies upon a lock and key approach to online security. This means that once someone is through the front door and have gained entry to the account, there are usually no other obstacles between them and the sensitive data contained within. Adaptive risk authentication and continuous security approaches take a more progressive, on-going view of online security, meaning that just because someone has gained access to an account, they don’t have free rein of the data.

In practice, this involves creating a score of user behaviour based on key criteria such as IP address, device ID and number of failed login attempts, in order to establish if the behaviour is consistent with established ‘normal’ user behaviour patterns. Any deviations result in a higher risk score, which triggers additional security questions, re-authentication, or if necessary, the removal of the token assigned to the online session.

Importantly, the algorithms responsible for scoring each session run silently in the background, meaning that the user is only made aware of them if their behaviour is deemed to be suspicious. As such, the user experience is not compromised in any way, despite the higher levels of security in place. 

Image source: Shutterstock/scyther5