The state of authentication: Is a password replacement imminent?

Jaikumar Vijayan, Freelance writer, Independent

New technologies and standards are transforming user authentication mechanisms at many organizations. Microsoft, Google, the FIDO Alliance, and others are working on approaches to user authentication that negate the need for passwords, which almost everyone agrees are too insecure for modern use.

Currently more than 300 products—used by over 1 billion people—have the new protocols embedded in them. Organizations that have adopted FIDO standards include Google, American Express, PayPal, Salesforce, Samsung, and Dropbox. But those products also still use passwords.

So what's in store for the beleaguered password authentication scheme? 

The anti-password movement is growing

Over the next few years, expect new technologies to replace passwords, says Ramesh Kesanupalli, founder of Nok Nok Labs. "What we are seeing is an acceleration of businesses looking to leave passwords behind and adopt strong, simple forms of authentication," he says.

The proliferation of mobile devices has given organizations a way to enable new forms of authentication for replacing passwords entirely—or strengthening them, Kesanupalli says.

"Within the next few years, having a mobile application asking you for a username and password will be the exception rather than an unwelcome expectation."
Ramesh Kesanupalli

How the new authentication technologies work

Microsoft's new phone sign-in for user accounts is designed to shift the login burden from the user to the device. Users add their accounts to the Microsoft Authenticator app for iOS and Android devices and then enable the phone sign-in feature. To log in to an account, all that the user needs to do is enter the username. Instead of having to enter a password, the user gets a phone notification prompting approval.

This process is significantly more secure than a password—and also easier for the user than standard two-factor authentication (2FA).

Google similarly is working on a password replacement technology that uses what the company calls a "Trust Score" approach to authenticate users to enterprise applications from their mobile devices.

The technology measures multiple factors such as the user's voice, physical movements, facial features, typing speed, location, and proximity to previously used Wi-Fi networks to assign a trust score. If the score is high enough, the device automatically authenticates the user to the account. Otherwise, it might request additional information, including a password.

The trust scores needed to access an account can vary. For instance, the trust score for a gaming or entertainment app could be much lower than that needed to access a critical financial app. Google has said it will roll out a Trust API for Android sometime this year.

Meanwhile, the FIDO Alliance's U2F and UAF protocols are standards for strong authentication technologies such as fingerprint and iris scanners, and facial- and voice-recognition technologies. Nok Nok Labs, Lenovo, and PayPal originally created the alliance to foster the development and creation of interoperability standards for password replacement and 2FA technologies.

Password weakness forces hand

Kesanupalli and many others, however, do not believe one technology can completely replace passwords. "The password problem—unfortunately—is not siloed to one vertical or one interface or one device or, even, one type of user," he says.

What is needed is a fundamentally new architecture and infrastructure that is flexible and adaptable enough to accommodate multiple forms of authentication.

Passwords have a significant amount of inertia that keeps them alive, but the paradigm itself is fundamentally unsuited for modern applications and threats, Kesanupalli says.

"The only way for the password to finally be put to rest is for a new technology—or, more accurately, a new set of technologies—to rise up and replace it."
—Kesanupalli

In the meantime, expect organizations to use new authentication tools and approaches to augment existing mechanisms. "As we have seen from the numerous data breaches making headlines over the last several years, passwords alone are no longer enough to protect people online," says Ryan Disraeli, co-founder of TeleSign.

As it is, even the most complex passwords are hackable with today’s technology. Making the situation infinitely worse are the poor password habits of most people, such as using easily guessable passwords or reusing passwords across multiple accounts.

In a survey of 1,300 adults that TeleSign conducted last September, 46% of the respondents had at least one password that was five years old or older. More than 70% of the accounts that the respondents had were protected by a duplicate password, while 35% of millennials had fewer than five passwords protecting all their accounts. A stunning 81% of all hacking-related data breaches that Verizon investigated in 2016 resulted from the exploitation of stolen and weak passwords.

"The good news is enterprises can augment their existing authentication mechanisms to provide better security for their users without requiring a complete overhaul of their current login flows," Disraeli says.

Authentication methods such as one-time passcodes delivered via SMS or biometrics such as fingerprint and iris scans work well with existing authentication methods and can be deployed across an organization.

"What we are seeing is more and more organizations offering additional layers of security to their users, such as two-factor authentication, biometrics and more."
Ryan Disraeli

The survey showed that companies these days on average use more than three methods to authenticate users, with about 45% offering 2FA.

Is resistance to change futile?

Despite the progress, passwords will linger around for quite some time yet. Resistance to change is one big factor. Despite awareness of the inherent security weaknesses of passwords, many organizations are reluctant to rip and replace them abruptly for fear of disrupting customer experiences and introducing new technology management challenges.

Nearly seven in 10 of the respondents to the survey said usernames and passwords are no longer enough to protect consumers online, but it is unlikely that many organizations will replace them soon, Disraeli says.

The lack of a truly scalable, standalone alternative to passwords has been another factor, at least till recently. John Pescatore, director of emerging threats at the SANS Institute, says that the only simple and almost universal solution available currently is text message-based challenge and response, given the ubiquity of mobile phones.

Even here though, the text messaging effort only works for PC, laptop, and tablet use, where the phone is a separate device.

Next generation of authentication still emerging

Almost every other form of stronger authentication requires hardware (most biometrics, for example) or the carrying of an additional device, as is the case with tokens. Or they require universal agreements on standards, which are still only emerging, Pescatore says.

In the absence of alternatives, he says, most organizations have tried to mitigate the biggest threats to the security of password-based systems, such as phishing, through security awareness and education. Another option has been to add back-end anomaly and fraud detection that identifies things such as a user logging in from a new piece of hardware or an unfamiliar IP address, he adds.
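
The back-end check described above can be sketched in a few lines. This is an added example, not code from any vendor or organization named in the article; the event fields, the /24 grouping of IPv4 addresses, and the verdict names are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample login events (documentation IP ranges), not real logs.
# "ok" means the login, including any extra challenge, completed successfully.
EVENTS = [
    {"user": "alice", "device": "dev-a1", "ip": "192.0.2.10", "ok": True},
    {"user": "alice", "device": "dev-a1", "ip": "192.0.2.77", "ok": True},
    {"user": "alice", "device": "dev-zz", "ip": "192.0.2.12", "ok": True},
    {"user": "alice", "device": "dev-a1", "ip": "203.0.113.5", "ok": False},
    {"user": "alice", "device": "dev-a1", "ip": "203.0.113.9", "ok": True},
    {"user": "bob", "device": "dev-b1", "ip": "198.51.100.4", "ok": True},
]


def network_of(ip, prefix=24):
    """Collapse an IPv4 address to its /24 so DHCP churn is not flagged."""
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def review_logins(events):
    """Return one (user, verdict, reasons) tuple per event, in order.

    verdict is 'enroll' (no baseline for the user yet), 'allow',
    or 'step_up' (ask for an additional factor).
    """
    known_devices = defaultdict(set)
    known_networks = defaultdict(set)
    results = []
    for ev in events:
        user, device, net = ev["user"], ev["device"], network_of(ev["ip"])
        first_seen = user not in known_devices
        reasons = []
        if not first_seen:
            if device not in known_devices[user]:
                reasons.append("new_device")
            if net not in known_networks[user]:
                reasons.append("unfamiliar_ip")
        verdict = "enroll" if first_seen else ("step_up" if reasons else "allow")
        results.append((user, verdict, reasons))
        # Learn only from completed logins, so failed attempts from an
        # unfamiliar network never become part of the user's baseline.
        if ev["ok"]:
            known_devices[user].add(device)
            known_networks[user].add(net)
    return results
```

Note that the fifth event is still challenged even though the same network appeared in the fourth: the earlier attempt failed, so it was never added to the baseline.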

"IT organizations are very resistant to change in general and to any change that may drive up help desk calls—IT security can’t force this to happen."
John Pescatore 

"When I do presentations to boards of directors and C-suites, this is what I call the need for 'moon shot' projects. You should be requiring IT and IT security to show strategic approaches to the big problems [such as password replacements]," he says.