The Password is Dead. SMS is deprecated. What’s Next for Authentication?

Passwordless MFA

The Password is Dead. SMS is deprecated. What’s Next for Authentication?

Read more
Oct 29, 2017

“The tongue has the power of life or death,” goes the old Proverb, and it’s true in the modern era as well: Words – in this case, passwords – have the power to protect a user’s or company’s data, ensuring a safe life for essential information that needs to be protected, or “death” at the hands of hackers who raid bank accounts and databases, and ruin personal and corporate reputations without a second thought.

The Password Problem

Unfortunately, the words used by too many people are associated with the latter: A Verizon report shows that two out of every three data breaches are due to stolen passwords or misused credentials. “The use of stolen, weak or default credentials in breaches is not new, is not bleeding edge, is not glamorous, but boy howdy it works,” the Verizon report says. Making it even easier for hackers is the fact that many users have easy to guess passwords, with 6% using the same password for all of their accounts.

But “guessing” passwords are so 2012. In today’s attack landscape, many compromised passwords are stolen not by guesswork or password cracking – but by keyloggers that hackers manage to get onto systems using phishing or social engineering exploits. “Password guessing from an InfoSec perspective has been around at least as long as the Morris worm, and has evolved to prominent malware families like Dyre and Zeus,” a report by InfoSec says. The malware, designed to (among other bad things) capture keystrokes from an infected device, have “nullified” the unending efforts to get users to use special characters, upper/lower case numbers and minimum lengths” for more secure passwords, InfoSec says.

Because of this more sophisticated attack landscape, the days of passwords as the single authentication factor are gone. “Passwords are great, kind of like salt. Wonderful as an addition to something else, but you wouldn’t consume it on its own,” the report says; if a site or app insists on using them, a second factor needs to be added. Companies have already come to this realization; Twitter, Apple, Facebook, Google and many others now use two-factor authentication, requiring users to validate multiple pieces of information. We will see this requirement become even more widespread in 2017. The public is certainly ready for a change; over 50% of consumers prefer other forms of authentication, preferring more convenient and secure authentication methods.

The alternative to Passwords

If not passwords, then what? Biometrics shows promise as an authentication method, and in fact is used by many organizations as well – including Apple, which has implemented thumbprint authentication for iOS devices and for Apple Pay. But here, too, NIST, National Institute of Standards and Technology, does not recommend relying too extensively on biometrics. Although it would perhaps take more effort to hack a thumbprint than a text message, it’s certainly possible. Biometric characteristics “do not constitute secrets. They can be obtained online or by taking a picture of someone with a camera phone (e.g., facial images) with or without their knowledge, lifted from through objects someone touches (e.g., latent fingerprints), or captured with high-resolution images (e.g., iris patterns),” according to the agency. To be effective, the system “shall be used with another authentication factor.”

A proper two-factor authentication system requires two methods of ensuring the identity of the user – who they are, what they know, and/or what they have. If it’s secrets that we need to be secure, then they had better be very good secrets that are practically impossible to guess – unlike the “secrets” constituted by passwords, which, as NIST points out, are woefully inadequate.

No Password Authentication

One way to ensure that the secrets we have are top-notch is by eliminating the password altogether – and instead, using a strong mobile authenticator to execute authentication.

In general, authentication schemes are based on the Public Key Infrastructure (PKI), It’s a tried and true system, but it’s not sufficient. PKI-based key exchanges rely on a single channel to send the symmetric keys that are required for authentication. The keys are sent via a secure channel, of course, but they are not invulnerable to hack attacks – and if a hacker gets hold of a key, that’s the end of the authentication scheme.

With the Secret Double Octopus method, that can’t happen. Instead of using passwords, keys that are used for authentication are split into several channels, each with a chunk of the key – useless to hackers who manage to get hold of them individually. Only when the key is reassembled into a single unit on the server, the device is authenticated – covering the “what you have” aspect of authentication.

The Secret Double Octopus system provides almost impenetrable security – with nary a password in sight. The only thing a user has to do is open up an app, respond to a push notification, and press their thumb or fingerprint on the device’s reader.

A trend that is set to grow

According to Gartner, by the end of 2019, 50% of all enterprises using phone authentication will move towards push authentication over other methods (such as a one-time-password and SMS), compared to less than 10% today- a 500% growth for the push authentication method. It’s a trend that is set to grow significantly in 2017 – and one that Secret Double Octopus has been leading for some time now. As experts in authentication, we can help businesses ensure that their systems are as secure as possible and make the shift towards the industry’s new authentication method.

More Things That Might Interest You

Passwordless MFA

No-password login: The frictionless and secure alternatives to passwords

Read more
Aug 22, 2017

Passwordless MFA

Password-Free, High Assurance Authentication for Active Directory Domains

Read more
Jan 17, 2018

Passwordless MFA, Threats and Attacks

What you need to know about password vulnerabilities (Pt. 1)

Read more
Feb 1, 2018