Although it was expected to happen years ago, the death of the password is still nothing more than a rumor. Passwords and passcodes are still pivotal elements of user authentication, so the question is not whether passwords will stick around but instead how service providers can get authentication right.
The Three Factors of Authentication
The first step in controlling access is the identification of the user, then followed by authentication. There are three common factors used in this process:
- Something you know (the password).
- Something you have (such as a smart card or tokens).
- Something you are (biometrics).
As the number of online services and billions spent on online shopping grows, so too does the number of data breaches. Record-breaking breaches have become possible because of the vulnerabilities present in various technologies used in the authentication process. Authentication is accomplished differently in each different industry: web services usually require only an email and a password, but security becomes a high priority for both the consumer and the service provider when dealing with sensitive data.
Using Yesterday’s Approach to Security Today
The problem with password-based authentication is the shared ‘secret’ that both the user and the service provider know, the hashed password that is stored online by the service provider. Cyber criminals have successfully launched attacks countless times against such credentials – you need only check the headlines regarding security breaches to see just how common it is. In most cases the whole attack starts with a phishing email, which targets the ‘human factor’ and tricks the user into giving their credentials to the attacker. Just consider the time when attackers hacked John Pondera’s Gmail account.
Such hacks allow cyber criminals to impersonate you on the service that they have used to scam you. The use of time-limited one-time six-digit passcodes doesn’t help as much as it should, despite them being a second layer of security used to validate the authenticity of the authenticating user.
The problem with one-time passcodes is that they act as a bridge between legacy and modern applications. By integrating one-time passwords into authentication, service providers increase the security of a legacy identification system. By doing so they hope to be both competitive and consumer friendly by providing secure services.
Thankfully technology has opened up new opportunities for service providers and made authentication a more convenient process for consumers. Yes, biometrics is the secure method currently waiting for widespread adoption.
Offline or Online Authentication?
As a recent IBM study shows, the legacy authentication process is more appealing to older internet users. Millennials are accelerating the password-free era, as 75% are comfortable using biometrics compared to only 58% of those aged over 55.
Still, biometric authentication can be done right and wrong. The wrong approach currently utilizes a system that involves an online database of stored biometric credentials of authenticated users. We’ve already seen how this could go wrong, as with the breach involving the 5.6 million fingerprints of the US Federal Government Office of Personnel Management years ago or the Philippine Commission on Elections hack, which exposed 15 million fingerprint records.
As this clearly shows, if there is an online database with such sensitive data stored on it, then it’ll represent a target for hackers.
The right approach is offline authentication, which is something that Apple is lobbying for with its Touch ID and Face ID biometric authentication systems. The catch is that the user data is stored securely on the device and never leaves it. This makes authentication more secure because it is only used offline, locally on the device and therefore doesn’t allow hackers to get in the middle since they can only successfully attack someone through online authentication.
In other words, the potential for a password-free future is there, but it needs the combination of public key cryptography in order to make it useful for online authentication. That’s what mobile wallets seek to do and, as of writing, they do it well: mobile wallets validate user identities locally and then send the OK message to the financial institution online using cryptography in order to hide the authentication and financial data – in this case the credit card data token – from any prying eyes.
But that’s currently limited to only a handful of services, which leaves the majority of us with these legacy authentication systems. So what can you do while waiting for such a password-free future? Use a password manager to strengthen your account security and enable two-factor authentication with every service that provides it.
Best Password Managers of 2019