The future of authentication does not lie in more complex passwords or passphrases, or even in better multifactor authentication. Not at all.
Authentication is more likely to see a surge of evolution in the background, in developments that are invisible to the user. These are likely to focus on continuous monitoring and frictionless interaction: risk-based and behaviour-based authentication.
The authentication factors in these scenarios amount to new ways of convincing computer systems, or other technology solutions, that you, the user, are who you say you are.
Today's authentication checks that a user is who they claim to be before granting access to the data and services they are requesting. The most common factor is a username and password; in other words, single-factor authentication. Multifactor authentication (MFA) requires more than one source of evidence, such as the password plus a one-time code sent to the user's phone by text message. A second factor means more work for the user, but also additional protection for the gated information.
Passwords are so passé
As passwords have lost their ability to protect data, MFA solutions have grown in popularity. Not everyone is convinced, however, and there seem to be two camps. One holds that two-factor authentication is the future of security. The other believes the technology is itself vulnerable, and will fade to make room for newer, more robust security technology.
For those in the first camp, validation comes from the fact that the technology, used properly, secures applications better than a password alone ever did. Thousands of organisations employ 2FA solutions, including American Christian Credit Union, Bank of America, Duke University, Harvard University, Stanford University, Cigna, Google Fit, DocuSign, Amazon Pay, PayPal, US Veterans Affairs, Facebook, Twitter, and many others.
Those in the second camp, who do not regard 2FA as the crème de la crème, also point to its inconvenience for the user. Helpdesk teams report that users hate it or find ways around it. Either way, two-factor authentication is not, and never will be, a silver bullet that stops every brute-force attack or breach. It is an effective countermeasure as part of a larger defence plan.
Two-factor authentication checks user credentials to verify an identity, determining whether a person is who they claim to be from the kind of evidence they can present. It is not a new concept, but it has proven to be, and remains, a powerful defence. The additional layer MFA adds is one of the most straightforward defences against a breach that starts with a stolen password. It requires one or more further factors before access is granted to an online account or a company server. In practice, the user first enters the traditional username and password combination; once that first hurdle is passed, the MFA process prompts for the next factor.
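The two-hurdle flow just described, written out server-side as an added example (this is not code from the article or from any vendor it names). The in-memory user table, the stand-in SMS sender and the names LoginService.start and LoginService.finish are assumptions made for the illustration. The point it shows beyond the prose is what the second hurdle has to enforce to be worth anything: the code is single-use, expires, and the challenge is thrown away after a few wrong guesses, so a code read off a phone cannot be replayed or brute-forced.

```python
"""Two-step login: password first, then a one-time code sent out of band.

Added example, not code from the article. The user table, the SMS stub and
the LoginService method names are assumptions for illustration.
"""
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

OTP_TTL_SECONDS = 300    # code expires after five minutes
OTP_MAX_ATTEMPTS = 3     # challenge is discarded after three wrong codes


def hash_password(password: str, salt: Optional[bytes] = None):
    """PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class LoginService:
    def __init__(self, users, send_sms, now=time.time):
        self.users = users        # username -> {"salt", "digest", "phone"}
        self.send_sms = send_sms  # callable(phone, text); a stub in the demo
        self.now = now            # injectable clock so expiry can be exercised
        self.challenges = {}      # challenge id -> pending second-factor state

    def start(self, username: str, password: str) -> Optional[str]:
        """First hurdle. Returns a challenge id on a correct password, else None.
        Unknown users are run through a dummy hash so the timing of a failure
        does not reveal whether the username exists."""
        user = self.users.get(username)
        salt = user["salt"] if user else b"\x00" * 16
        expected = user["digest"] if user else b"\x00" * 32
        _, got = hash_password(password, salt)
        if user is None or not hmac.compare_digest(got, expected):
            return None
        code = f"{secrets.randbelow(10 ** 6):06d}"
        cid = secrets.token_urlsafe(16)
        self.challenges[cid] = {"username": username, "code": code,
                                "expires": self.now() + OTP_TTL_SECONDS,
                                "attempts": 0}
        self.send_sms(user["phone"], f"Your login code is {code}")
        return cid

    def finish(self, cid: str, code: str) -> Optional[dict]:
        """Second hurdle. Returns a session on the right code, else None."""
        ch = self.challenges.get(cid)
        if ch is None:
            return None
        if self.now() > ch["expires"]:
            del self.challenges[cid]
            return None
        ch["attempts"] += 1
        if not hmac.compare_digest(ch["code"], code):
            if ch["attempts"] >= OTP_MAX_ATTEMPTS:
                del self.challenges[cid]
            return None
        del self.challenges[cid]  # consumed: replaying the same code fails
        return {"username": ch["username"], "session": secrets.token_urlsafe(32)}


def build_demo(now=time.time):
    """Constructed user table and an SMS stub that records what was sent."""
    salt, digest = hash_password("correct horse battery staple")
    users = {"alice": {"salt": salt, "digest": digest, "phone": "+15550100"}}
    outbox = []
    svc = LoginService(users, lambda phone, text: outbox.append((phone, text)), now)
    return svc, outbox


if __name__ == "__main__":
    svc, outbox = build_demo()
    cid = svc.start("alice", "correct horse battery staple")
    code = outbox[-1][1].split()[-1]   # what the user reads off the phone
    print(svc.finish(cid, code))       # session dict
    print(svc.finish(cid, code))       # None: code already consumed
```

The clock is injected rather than read from time.time() directly so that the expiry path can be tested deterministically; the SMS sender is injected for the same reason. Note that nothing here stops a user from typing the code into a lookalike site that relays it, which is the weakness the next section describes.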
Multifactor authentication reduces account takeover and the identity theft that follows. As companies move their businesses to the cloud, the need for MFA has never been stronger, and mobile technology is shifting the parameters of online security.
Smart devices reduce friction for 2FA users because the device that completes the second factor is already in hand alongside the password. Even apart from that convenience, the sheer number of organisations already implementing the technology is an impetus for others to do so.
"I think the multifactor authentication field is moving towards being ever more convenient for the user and ever more secure against miscreants," said Uku Tomikas, head of research at Messente Communications. "Seamlessness would be a keyword I'd use to describe the future applications of 2FA. So, instead of having to input codes, receive messages or type in knowledge factors, at least some part of the process would happen without the customer noticing."
Because of this increased ease of use across many platforms, including the organisations listed above, the future will see significantly wider adoption of these methods and less friction in using them, which means fewer compromised accounts.
Two-factor authentication is not foolproof
Kevin Mitnick, once the FBI's most wanted hacker and now a consultant who helps companies defend themselves, told CNBC in an interview that two-factor authentication can be vulnerable. Here is how: an attack against multifactor authentication begins when the attacker sends an email that looks real, asking the recipient to click a link. Once the link is clicked, the user is directed to log in to the real website and is prompted to enter the code sent to their phone. Secretly, however, the login passes through the attacker's server, which captures the session cookie, Mitnick said.
"If we can steal the user session cookie, we could become them, and we don't need their username, their password, or their two-factor," Mitnick said. Mitnick used LinkedIn to demonstrate the attack for CNBC, saying many other websites are also vulnerable. He clicked on an email that looked like a real LinkedIn connection request but came from a lookalike domain, lnked.com. Most people don't notice the difference.
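What the site operator can still see when this happens, as an added example (not from the article or the CNBC segment). The attack works because the user types the password and the text-message code into the lookalike site, which relays them to the real site in real time; the real site therefore sees a successful login, but one arriving from the relay's address rather than from any client the account has used before, and the session cookie it issues later turns up from the attacker's own machine. This is the kind of risk- and behaviour-based signal the opening of the article points to. The pipe-separated log format, the field names and every log line below are constructed for the illustration (the addresses are documentation ranges); a real deployment feeds in its own access logs and treats the alerts as risk inputs for step-up or session revocation, not as proof.

```python
"""Spot a relayed login and a replayed session cookie in web access logs:
(1) a login that reaches the real site from a client the account has never
used, and (2) a session id reused from a client other than the one it was
issued to.

Added example, not from the article or CNBC. Log format, field names and all
sample lines are constructed for illustration.
"""
import hashlib
from collections import namedtuple

Event = namedtuple("Event", "ts user ip ua sid action")

# ts|user|client ip|user agent|session id|action   (constructed sample log)
SAMPLE_LOG = [
    "1000|alice|203.0.113.10|Mozilla/5.0 (Windows)|s111|login",
    "1005|alice|203.0.113.10|Mozilla/5.0 (Windows)|s111|GET /feed",
    "2000|alice|203.0.113.10|Mozilla/5.0 (Windows)|s222|login",
    "2010|alice|203.0.113.10|Mozilla/5.0 (Windows)|s222|GET /messages",
    # Phishing relay: alice typed her password and SMS code into the lookalike
    # site; the relay forwarded them, so the real site sees the login coming
    # from the relay's address, with alice's browser user agent passed through.
    "3000|alice|198.51.100.7|Mozilla/5.0 (Windows)|s333|login",
    "3005|alice|198.51.100.7|Mozilla/5.0 (Windows)|s333|GET /feed",
    # Later the attacker replays the captured cookie from their own machine.
    "3600|alice|192.0.2.50|curl/8.0|s333|GET /settings/export",
]


def parse(line):
    ts, user, ip, ua, sid, action = line.split("|")
    return Event(int(ts), user, ip, ua, sid, action)


def fingerprint(ip, ua):
    """Coarse client identity: /24 network plus user agent. A /24 tolerates
    DHCP churn on fixed lines; mobile carriers need something looser."""
    net = ".".join(ip.split(".")[:3])
    return hashlib.sha256(f"{net}|{ua}".encode()).hexdigest()[:16]


def analyse(lines, known_clients):
    """known_clients: user -> set of fingerprints from past trusted logins.
    Returns alerts in log order; each names the session id and client."""
    issued_to = {}   # sid -> fingerprint the session was first seen from
    alerts = []
    for line in lines:
        ev = parse(line)
        fp = fingerprint(ev.ip, ev.ua)
        if ev.action == "login":
            if fp not in known_clients.get(ev.user, set()):
                alerts.append({"kind": "unfamiliar_login", "user": ev.user,
                               "sid": ev.sid, "ts": ev.ts, "ip": ev.ip})
            issued_to[ev.sid] = fp
            continue
        origin = issued_to.setdefault(ev.sid, fp)   # unknown sid: learn it
        if fp != origin:
            alerts.append({"kind": "session_reuse", "user": ev.user,
                           "sid": ev.sid, "ts": ev.ts, "ip": ev.ip})
    return alerts


def demo():
    """Baseline built from alice's usual client (constructed)."""
    baseline = {"alice": {fingerprint("203.0.113.10", "Mozilla/5.0 (Windows)")}}
    return analyse(SAMPLE_LOG, baseline)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

Both signals have false positives (a user on a new network or a new browser) and false negatives (an attacker who relays from an address near the victim and replays from the same relay), which is why they belong in a risk score that triggers a step-up challenge or session revocation rather than a hard block.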
Even so, frictionless authentication solutions have never been as easy to use as they are today, and the continuing move toward easier-to-use 2FA/MFA is the immediate path forward, Tomikas said. Convenience is the key to producing more secure systems against the miscreants.
"Security will remain a prime concern throughout the process, though," Tomikas added. "With EU data privacy requirements demanding more from companies, and continuing to do so, that means using higher levels of cryptography, pseudonymisation, and MFA factors that enable a lower risk of fraud, such as stronger requirements for inherence factors (more unique data points) or higher and more sophisticated knowledge factor requirements (as are already being applied)."
Passwords will stick around
Despite its potential flaws, multifactor authentication is part of the future conversation about access management, and it is here to stay. Secure sites will start needing more than three factors as more and more IoT devices become part of our daily lives, said David R. Lee, chief operating officer of Kastling Group. "I think we will see these devices optimise verification steps with more complex security patterns, such as fingerprint and optical scanners for facial or iris recognition."
Tomikas agrees, but adds that it is going to expand. "We've seen similar instances already – think of the Apple Face ID software, for example. Gaining access to your handset has become nearly seamless, yet the security level is still super high because of the intricacies of the biometrics used. If multiple seamlessly working factors of authentication work simultaneously without the customer knowing, the application of multifactor authentication by the users will become much more prevalent as well."
As MFA expands, its future will rest on non-static information to verify consumer identity, including biometrics, behaviour and one-time-use tokens. More than that, multifactor authentication is a bridge technology, intended to extend the usable life, reliability and security of existing single-factor, static identifiers such as usernames and passwords, said Robert Capps, vice president of market innovation for NuData Security, a Mastercard company.
“Passwords and multifactor authentication will be around for a long time, and will only be replaced when we have a universal, easy to use method for consumers to positively assert and have their identity validated in non-face to face transactions, such as online shopping or banking,” Capps said.
Passwords: the ultimate never-say-die concept. Any conversation about the future of access governance, and even of cybersecurity, must include the evolution of passwords. For now and the foreseeable future, passwords remain central to data governance and to access to that data.
What does the future hold?
But what does the future hold? The answers are many, but it is safe to say that passwords are likely here to stay, since replacing today's knowledge factors with little or no input from the customer seems out of our grasp. "We could change things up and log in with possession and inherence factors alone, but the prevalence of the latter is still too low for global application. Once more people obtain devices with biometric capabilities, I see losing knowledge factors as a possible way to go," Tomikas said.
And the future of multifactor authentication? The jury is still out, but technology leaders have their thoughts. For example, "multifactor authentication will likely evolve more over the next few years to break its dependence on passwords. Currently, it has proven to provide a better level of security than simply using passwords. With the accessibility of smartphones, MFA deployment has become much more affordable and practical," said Ahmed Amin, founder of GuruSquad.
Passwords, when they are eventually replaced, will give way to some form of biometric authentication, such as fingerprint, iris or face scanners, Amin says, especially as these solutions become more affordable and accurate. Perhaps we are moving toward a seamlessly integrated authentication world in which we no longer need to remember passwords, and each factor used is scrutinised against an ever-growing number of data points.
Tom Mowatt, managing director, Tools4ever West Coast