With 2019 starting, it’s a good time to look back at 2018, remember the lessons learned from security incidents involving user authentication, and examine what the landscape will look like in the coming year.
Poor passwords continue to take their toll
Like every year, 2018 taught us that poor passwords haven’t gone away, and they continue to give hackers easy access to their victims. As we detailed in these pages, SamSam, ransomware that has been doing the rounds across many organizations and government institutions, uses poor passwords as its main attack vector to gain access to target computers and encrypt the files they contain.
We also saw an audit of Western Australian government agencies show that a considerable percentage of users continue to make poor password decisions and choose weak passwords such as “123456” and “password.” The same study showed that organizations running password-based systems often make critical mistakes in storing those passwords securely and preventing unauthorized access to them.
Not all two-factor authentication technologies are equally secure
While we’re seeing a year-over-year increase in the adoption of two-factor authentication (2FA) across organizations and services, much more needs to be done. In 2018, Reddit reported that it had been hacked, giving the attackers access to all of its data from 2007 and before. This happened even though Reddit employees were using 2FA to secure their accounts. The problem: they were using SMS-based 2FA, which has well-known weaknesses.
Another problem was the wave of SIM hijacking attacks, in which hackers trick mobile carrier employees into transferring a user’s mobile number to a new SIM card that they hold, and then use it to break into the victim’s accounts by bypassing two-step verification and resetting passwords.
New regulations put penalties on failure to secure user data
2018 also saw a slate of data-privacy regulation that puts heavy penalties on organizations that fail to secure user data. Suddenly, the cost of a data breach has spiked. The General Data Protection Regulation (GDPR) sets strict requirements for securely storing user data and requires organizations to quickly disclose any sort of data breach. Failure to comply with the rules incurs heavy fines that can cost tens of millions of dollars.
Elsewhere, industry-specific bodies have issued new standards for authentication and account security. Most notable among them is the new document released by the National Institute of Standards and Technology (NIST), which now requires many different sectors to implement 2FA and multi-factor authentication (MFA).
New technology trends that might shape authentication in 2019
We’re going to look at some of the emerging and developing technologies that can have a positive and meaningful impact on the future of authentication. Ranging from federated services and biometrics to fast-evolving fields such as blockchain and artificial intelligence, these technologies will help organizations comply with regulatory requirements while providing users with a smooth and frictionless login experience.
Blockchain and decentralized authentication systems
Blockchain is the distributed ledger technology that underlies bitcoin and other cryptocurrencies. The idea behind blockchain is to replace centralized data and application servers with a network of computers that encrypt and store data and stay in sync with each other. Blockchain removes single points of failure such as the servers where user login information is stored.
A handful of startups and established tech companies are exploring blockchain as a medium to secure and verify users’ identities without the need to store passwords. While the methods vary, the general concept is to represent user identities with cryptographic key pairs. The public key is stored on the blockchain, where anyone with access to the ledger can read it, while the private key, which the user needs to log into their account, is stored on their device.
To improve the security of the blockchain authentication process, key pairs can be tied to additional parameters such as the user’s biometric data instead of passwords. The passwordless experience is both more user-friendly and more secure.
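The key-pair login the paragraph above describes, as an added example that is not code from the article or from any product it mentions: the shared record holds only public keys, the device holds the private key, and a login is a signature over a fresh challenge. The Ledger map, the Device type and all function names are assumptions; a real deployment would replace the in-memory map with the distributed ledger.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Ledger stands in for the shared public record the article describes: it maps a user identifier to a public key and never holds a private key or a password.
type Ledger map[string]ed25519.PublicKey

// Device holds the private key, which never leaves the user's device.
type Device struct {
	UserID string
	priv   ed25519.PrivateKey
}

// Enroll generates the key pair on the device and publishes only the public half.
func Enroll(ledger Ledger, userID string) (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	ledger[userID] = pub
	return &Device{UserID: userID, priv: priv}, nil
}

// NewChallenge issues a fresh random nonce per login attempt, so a captured signature cannot be replayed against a later challenge.
func NewChallenge() ([]byte, error) {
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	return nonce, err
}

// Respond is the device's side of the login: a signature proving possession of the private key, without ever transmitting the key itself.
func (d *Device) Respond(challenge []byte) []byte {
	return ed25519.Sign(d.priv, challenge)
}

// Verify is the relying party's side: it checks the response against the public key recorded on the ledger for that user.
func Verify(ledger Ledger, userID string, challenge, response []byte) error {
	pub, ok := ledger[userID]
	if !ok {
		return errors.New("unknown user")
	}
	if !ed25519.Verify(pub, challenge, response) {
		return errors.New("response does not match the public key on the ledger")
	}
	return nil
}
```

Because the relying party stores nothing secret, a breach of the ledger exposes only public keys, which is the property the paragraph credits to this design.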
Federated services and single sign-on authentication
Federated services enable organizations to deploy single sign-on authentication. This means that a single service is used to authenticate users’ access to several accounts. The benefit of federated services is that they let organizations defer the security of their user accounts to a reliable third-party service with a proven track record of being secure.
Single sign-on can also provide a better user experience, because users verify their identity once and then access several services and accounts across a corporate network.
However, single sign-on is not a perfect solution and can be a double-edged sword if it’s based on passwords: if the federated service provider gets hacked, the attackers gain access to numerous user accounts across several services. Organizations that want the most secure solution will look for providers that support passwordless authentication on their single sign-on services.
Smart user account protection
With the AI industry taking great leaps thanks to advances in machine learning, organizations have found new ways to make sure users are who they claim to be. Machine learning algorithms can monitor and adapt to users’ behavior, such as the times they log into their accounts, the devices they use, the kinds of resources they access on a corporate network, and even their clicking and typing habits.
As soon as a user exhibits behavior that deviates from the baseline, the system can detect it and require the user to respond to authentication challenges, such as proving ownership of a linked device, going through biometric verification or getting approval from a network administrator. Called risk-based authentication (RBA), this method enables organizations to provide an easy and secure authentication experience to their users, escalating the difficulty of the authentication process only when they detect a threat.
The benefit of RBA is that it creates a behavioral model of each user, something that is very difficult to spoof or replicate. When combined with passwordless authentication, RBA can provide a maximum-security environment that detects account breaches in the rare event that they happen, or catches a malicious insider who intentionally engages in harmful behavior by stealing or tampering with information.
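A minimal risk-based authentication decision of the kind described above, added here as an example and not taken from the article or any product it mentions: a per-user baseline is learned from trusted logins, and each new attempt is scored by how far it deviates from that baseline. The tracked attributes, their weights and the escalation thresholds are assumptions chosen for illustration.

```go
package main

import "strconv"

// LoginEvent is one sign-in attempt (sample values are constructed in the test).
type LoginEvent struct {
	Device, Country string
	Hour            int // local hour of day, 0-23
}

// attributes lists the tracked behavioral signals with a risk weight each (the weights are assumptions for this example, not values from the article).
func (e LoginEvent) attributes() map[string]int {
	return map[string]int{
		"device:" + e.Device:           2, // an unfamiliar device is the strongest single signal
		"country:" + e.Country:         2,
		"hour:" + strconv.Itoa(e.Hour): 1, // an unusual hour alone only warrants a light step-up
	}
}

// Baseline is the per-user behavioral model the article describes: every attribute observed in that user's past trusted logins.
type Baseline map[string]bool

// Learn folds a trusted login into the model.
func (b Baseline) Learn(e LoginEvent) {
	for attr := range e.attributes() {
		b[attr] = true
	}
}

// Score sums the weight of every attribute that deviates from the baseline.
func (b Baseline) Score(e LoginEvent) int {
	score := 0
	for attr, w := range e.attributes() {
		if !b[attr] {
			score += w
		}
	}
	return score
}

// Decide maps the score onto the escalation ladder: no deviation passes without friction, a mild one demands proof of the linked device, a strong one needs an administrator.
func (b Baseline) Decide(e LoginEvent) string {
	s := b.Score(e)
	if s == 0 {
		return "allow"
	} else if s <= 2 {
		return "device-proof"
	}
	return "admin-approval"
}
```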
What’s to come
Many new and emerging technologies show great promise. Whichever prevails will combine advances with proven results while reducing the friction of implementation and operation for both staff and users. From reviewing the different solutions on the market and the threats mentioned above, we can conclude that passwords and single-factor authentication are shifting from a security factor to a liability.
From a technological perspective, many approaches have surfaced this year: Zero Trust authentication, decentralized identities, dynamic QR codes and others.
While some of these technologies show great promise, none of them has reached a maturity level that would support enterprise use cases, and they seem more consumer-oriented. In terms of the choice of authentication factor, the industry seems to lean towards two solutions.
Judging by both investment and adoption rate, Phone-as-a-Token, together with Universal Second Factor (U2F), will prevail over SMS and one-time passwords (OTP).
U2F is backed by the Fast IDentity Online (FIDO) Alliance, which enjoys the support of tech giants such as Google and Microsoft, but it requires more maintenance and has a higher cost per user.
The passwordless push-notification method uses Phone-as-a-Token and supports a Bring Your Own Device (BYOD) approach; it has proven cost-effective and better serves legacy software and remote workforces.
The high penetration rate of smartphones, combined with a passwordless user experience (UX), makes adoption easier and reduces password-related costs, making passwordless push authentication an easy decision for IT professionals from a cost, user-experience and security perspective.