Logging into an account has been a fundamental part of computing since the beginning. The first computer password, used at the Massachusetts Institute of Technology, back in 1963, provided a way to compartmentalize a common mainframe computer for multiple users. The simple act of using a password hasn’t changed much since those early days, but the authentication act, proving that you are who you say you are, has. One of the main reasons for this is that a password alone has been proven to be insufficient for modern authentication requirements. You don’t attack the most robust encryption, if stealing the necessary credentials is much the smaller obstacle to gain access. Multi-factor authentication helps here to make an attack much harder and the global IT market sees the potential within this area. Estimated value of the global multi-factor authentication market will be in the region of $9.6 billion by 2020.
But what does all this mean, and where do we expect the industry to move in the future?
The Current Authentication Landscape
Multiple factor authentication
Multiple factor is made up from at least two types of credentials: either something you know (e.g. password), something you have (e.g. a mobile device) or something you are (e.g. a biometrical feature). Most communally two-factor or 2FA is used, helping to protect against remote attacks like spear phishing or credential exploration which was most likely the initial step for the high profile Target Corp breach of 2014. In this case, attackers used an administration account with a single factor to get access into the companies’ network. If the administrator authentication had required a second factor, perhaps a mobile based factor, it would have been more difficult to initiate the attack.
One-time passcodes (OTP)
A one-time passcode is a useful method for a second factor authentication, the token providing the OTPs are part of the ‘something you have’ category. Again, it is used to help prevent account exposure by brute force or theft. Unlike in the case of a traditional password – something you know – a OTP based system generates a new passcode every time it is used. Generating such OTP codes with Smartphones is widely adopted. But more traditional smart cards, token devices or even smart things like watches are also used for this purpose. Particularly in the financial services segment strong authentication based on OTP is broadly used. They often rely on specialized hardware (i.e. smart cards) despite of higher costs of such a solution, simply because not every customer possesses a mobile phone.
Mobile Phone
The smartphone revolution has provided the perfect conduit for a second factor authentication method (something you have). There are several options to implement authentication with a mobile phone. Text message based challenge response methods (mTAN) are an ideal ‘out-of-band’ option for second factor and are being widely used across web applications and platforms. However, text messaging is not very reliable in certain countries. Alternatively, pre-initialized and offline soft tokens provided by a mobile app such as Google Authenticator are increasingly popular due to their relative low cost. Another option available is using a certificate stored on the mobile itself, for instance on the SIM card, as it is offered in Switzerland with Swisscom MobileID.
But the authentication via mobile phone is at risk. More and more such devices its communication channels are targeted by hackers and for example, we are now even seeing mobile malware that intercepts 2FA text codes, sent when a user performs a mobile banking transaction.
It is also important to outline that not only the 2FA authentication is the main concern when talking about the mobile phones. It’s rather becoming the main device with which company data is retrieved by employees, customers and partners. In the process of digitalization, companies implement mobile apps that provide access to confidential data and therefore require strong authentication to protect them.
The fact that mobile apps are implemented differently than web applications has a strong influence on how authentication methods can be applied.
Biometrics
Biometrics has been a slow burning fuse in the world of authentication. It wasn’t really until the inclusion of fingerprint recognition (TouchID) in Phone 5 that the general public finally accepted it in commodity products. In the area of physical access biometrics have been used, but it had the reputation of being troublesome with false positives. Now, biometrics is taking off and being used across many areas authentication: from hotel room access via fingerprint, to voice recognition in cars, and gesture movement to login to phones. Biometrics is broken up into two main areas: physical – like the fingerprint or retinal scans – and behavioural. The behavioural biometric options include attributes such as how you type and common spelling mistakes made, are widening the scope of the discipline. The reliability of this sub-method is however, still being evaluated.
Contextual Authentication
This method, sometimes called risk based authentication or trust elevation, is a step-up process used in combination with 2FA. It is a way of handling risk, whilst retaining usability. A user can be required to use additional factors, if login is deemed to be within a higher risk situation, for example, if a client access from an unusual destination. Using user behaviour is not new in the world of authentication, numerous attempts have been made, for example, web activity monitoring.
Single Sign On (SSO)
The drawback of strong authentication measures is that they can be onerous for the user. Ultimately, the levels of security required across an enterprise can result in a reduced level of usability. Finding the balance between security and user convenience has resulted in the development of SSO. This is an intelligent way of maintaining the security across federated services and related IT systems, whilst allowing the user to only sign in a first time and stay logged in. This keeps user identity control under the auspice of the organization. An example if in the use of Office 365. The users login credentials for 365 are delegated to the company and managed by the company, login being seamless to the user.
The Standards Landscape and Projects
The number of online accounts owned per user is becoming unmanageable. In a recent Dashlane survey they found that the average number of online accounts was 90 per user, with this expected to top 207 per user by 2020. Strong authentication is expensive and using one authentication method for many services is a great way for companies to reduce costs. Vendors now react to the cost pressure of their customers and are increasingly supporting standards. This has driven working groups to look at how to tackle the issue of problems such as password fatigue, phishing, and ease of login. Here we look at some of the most forward thinking and innovative movements in this area.
FIDO Alliance: This alliance, made up of industry members, has been working on the creation of standard specifications in the areas of password free login (UAF) and second factor authentication (U2F) to increase the user experience in the authentication process. The system works via a combination of public-private key pair cryptography, an authenticator app, and a mix of biometrics. A user’s device creates the private key during registration. At login, the service sends a challenge to that device. The users must unlock the FIDO authenticator app, using a method such as fingerprint, voice or similar biometric. The device then uses the user’s unique identifier, sent over by the service to choose the correct response to the challenge. The digitally signed response is then returned to the service, and matched with the public key to finalize to login.
FIDO is now working with EMVco to extend their range of specifications to encompass mobile payments. The new standard will simplify an overly complex payment network. Again, this system will utilize biometrics, including face biometrics. It will also work using contextual or risk based authentication to improve the user experience of authentication.
FIDO is also working with the World Wide Web Consortium (W3C) to enable FIDO based authentication across web browsers. How easy it will be to enforce the standard across all web browsers remains to be seen.
OpenID Connect (OIDC): OIDC is based on the OAuth 2.0 protocol, adding authentication to OAuth 2.0 which allows the identity of a user to be established. An identity provider that uses the OIDC protocol to communicate between services, handles the authorization and control to a service based on user ‘claims’ or attributes (an attribute being anything that identifies that person, including email address, name, role, and so on). OpenID Connect has been designed to accommodate that elusive mix of usability and security and has much easier on boarding of ecommerce services than its enterprise counterpart, SAML 2.0. USP’s Secure Entry Server® offers support for SAML 2.0 and OpenID Connect.
Where Do We Go From Here?
The future of user authentication needs to be one that combines ease of use with security. The ineffectiveness of passwords is obvious to everyone. Account takeovers rise as result of continued large data breaches and scams like phishing remain successful. With the inclusion of ‘something you are’ – not just ‘something you know’ – into the multiple factor equation, we may finally escape the drudgery and risk of remembering multitudes of passwords and create more secure web applications. In this context cloud single sign-on and federation will become essential.
The continued quest for better usability during authentication sparks further innovation. One of the more innovative advances in the area of authentication has been the inclusion of behavioural context / risk based factors, which enforces security when it is most needed – whilst keeping an authentication process as seamless as possible under normal circumstances. Ubiquitous smartphones are removing traditional logistical hurdles and are paving the road for wide spread acceptance of Biometric Identification / Authentication. But that’s not all: Smart Things will become convenient authenticators as well.
The authentication provider market is facing dynamic developments in the next few years, but it remains fragmented due to niche authentication needs. It can be a wise decision to implement a web access solution that allows an easy use of different upstream authentication technologies and concepts. A universal web access solution or a web application firewall supporting a wide range of authentication features allows companies to remain agile and to provide business-aligned access to applications – from any device, from anywhere, and anytime.
Michael Liebi ist Gründer und nun als Board Member bei United Security Providers tätig.