The Nine Traits of Next Generation Authentication and Authorisation

Author: Geoff Sanders, Co-Founder and CEO, LaunchKey

Historical forms of authentication were never meant for the networked landscape we live in today. The first passwords were adequate authentication solutions only because the systems they secured were isolated. Unfortunately, the isolated systems that pervaded the early days of the computer revolution have set the foundation for authentication in the Internet Age.

Within just a few years, the global computer market transitioned from a disconnected world of isolated computers to a fragmented world connected by the cloud. Not only are computers now interconnected; the devices themselves and the applications running on them are as mobile as the users who own them. Applications are no longer restricted to specific machines or data centres; they can be distributed, dispersed, or local to mobile devices. The security of any individual system or user now affects the security of every system networked to it.

A password-free future

Today, the tempo of security breaches directly related to stolen passwords and bypassed authentication is increasing along with the severity of their consequences. Further compounding these issues, past breaches are creating a snowball effect, resulting in subsequent attacks being easier, quicker, and more widespread than their predecessors. A new approach to authentication and authorisation is required to face the new generation of modern security challenges.

The future of authentication is free from traditional passwords. In order to kill passwords from the security landscape, however, one must first define what future solutions should look like.

At LaunchKey, we’ve set out to evolve authentication and authorisation beyond the password era, and have identified the nine core traits of a next-generation authentication and authorisation solution as:

1. Password free
2. Decentralised
3. Platform agnostic
4. Superior cryptography
5. Anonymous
6. Multifactor
7. Dynamic
8. Mobile
9. Scalable

Let’s take a quick look at each.

Password free

Central to a next-generation authentication and authorisation solution is removal of the traditional password layer. Applications must cease relying on collecting traditional in-band passwords as a viable form of authentication.

Decentralised

Decentralising the authentication and authorisation layer is the most fundamental architectural difference between a classic password-based approach and a next-generation approach. In an in-band approach, end users supply credentials to the application being secured through one central, public authentication and authorisation layer. A decentralised approach does the opposite: the application reaches out to the individual user and asks for authorisation through a unique authentication and authorisation layer accessible only to that user.

By shifting the authentication and authorisation layer outside the application being secured, attacks on that layer are segregated from the application. This has the added benefit that the application no longer needs to hold any of the sensitive data that hackers and malware are after: credentials, personally identifiable information (PII), and authentication data such as geolocation and biometrics. Further, this decentralisation means the hardware running the application being secured no longer needs the input mechanisms that authentication requires, such as a keyboard, fingerprint scanner, or camera.

Platform agnostic

Modern applications are no longer exclusive to websites and desktop software. The growing number of smart devices, consoles, and Internet of Things devices requires that a next generation authentication and authorisation solution be broadly compatible with both online and offline applications in a variety of use cases. One consolidated authentication and authorisation solution is needed that can authenticate a user to platforms ranging from game consoles and kiosks to vehicles, sensors, wearables, servers, and beyond.

Superior cryptography

In order to defend against an evolving threat landscape and increasingly sophisticated hackers and malware, next generation authentication must be cryptographically superior to its predecessors. Instead of the symmetric shared-secret architecture of classic two-factor authentication such as one-time passwords (OTP), a superior asymmetric cryptographic approach with public/private key pairs is mandatory. Additionally, one must always assume that data transmitted in the authentication and authorisation process can be intercepted, thus TLS/SSL with perfect forward secrecy (PFS) should be used along with the largest possible encryption keys and strongest available hash functions to defend against brute force attacks.

Furthermore, such a cryptographic approach will ensure that an application can trust and validate the responses from end users by eliminating the possibility that data can be altered or spoofed in transit, thereby maintaining the integrity of the authentication and authorisation service.

Anonymous

Decentralised authentication and authorisation solutions must be anonymous with respect to the service (e.g. API) that is transmitting authentication and authorisation data between applications and end users. By making the data anonymous, both an attacker that has breached the service and the authentication and authorisation service itself are incapable of identifying an individual user. This eliminates the possibility of targeting specific individuals in an attack for the purpose of bypassing authorisation or correlating such data with applications or users externally. Additionally, any requisite personal data used to authenticate a user, such as biometric or geo-data, should be stored locally by the end user making such information inaccessible to both the application and authentication and authorisation service. Such an approach not only maintains the integrity of the service, but it also protects the privacy of its users.
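The three traits just described (decentralised, superior cryptography, anonymous) fit together in one flow: the application publishes a request naming the user only by an opaque handle, the user's device signs the decision with a private key that never leaves it, and the application verifies that signature against the public key it enrolled. The following Go program is an added example written for this page; it is not LaunchKey's code or protocol, and the type and function names (AuthRequest, Application, Respond, the pepper-based handle) are assumptions made for illustration. It uses only the standard library.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// AuthRequest is what the application publishes for the user's device. The user is named only by an opaque handle.
type AuthRequest struct {
	UserHandle string `json:"user_handle"`
	Nonce      string `json:"nonce"`
	Expires    int64  `json:"expires"` // unix seconds
}

type AuthResponse struct {
	Request   AuthRequest `json:"request"`
	Approved  bool        `json:"approved"`
	Signature string      `json:"signature"`
}

// signingInput binds the decision to the exact request it answers, so a relay can neither flip a denial nor reuse an approval.
func signingInput(r AuthRequest, approved bool) []byte {
	b, _ := json.Marshal(r) // fixed struct field order, so deterministic
	if approved {
		return append(b, 1)
	}
	return append(b, 0)
}

// Respond is the user's decision, made and signed on the device, which holds priv and never exports it.
func Respond(priv ed25519.PrivateKey, r AuthRequest, approve bool) AuthResponse {
	sig := ed25519.Sign(priv, signingInput(r, approve))
	return AuthResponse{Request: r, Approved: approve, Signature: hex.EncodeToString(sig)}
}

// Application stores only public keys and outstanding nonces: no passwords, no PII.
type Application struct {
	pepper  []byte // private to this application, so the same user's handles differ across apps
	pubKeys map[string]ed25519.PublicKey
	pending map[string]AuthRequest
}

func NewApplication(pepper []byte) *Application {
	return &Application{pepper: pepper, pubKeys: map[string]ed25519.PublicKey{}, pending: map[string]AuthRequest{}}
}

func (a *Application) handle(userID string) string {
	h := sha256.Sum256(append(append([]byte{}, a.pepper...), userID...))
	return hex.EncodeToString(h[:])
}

func (a *Application) Enrol(userID string, pub ed25519.PublicKey) { a.pubKeys[a.handle(userID)] = pub }

func (a *Application) NewRequest(userID string, now time.Time, ttl time.Duration) (AuthRequest, error) {
	n := make([]byte, 16)
	if _, err := rand.Read(n); err != nil {
		return AuthRequest{}, err
	}
	r := AuthRequest{UserHandle: a.handle(userID), Nonce: hex.EncodeToString(n), Expires: now.Add(ttl).Unix()}
	a.pending[r.Nonce] = r
	return r, nil
}

// Verify accepts a response only if it answers a request this application issued, is unexpired, is signed by the enrolled key, and approves.
func (a *Application) Verify(resp AuthResponse, now time.Time) error {
	issued, ok := a.pending[resp.Request.Nonce]
	if !ok || issued != resp.Request {
		return errors.New("response does not match an outstanding request")
	}
	if now.Unix() > issued.Expires {
		return errors.New("request expired")
	}
	sig, err := hex.DecodeString(resp.Signature)
	pub := a.pubKeys[issued.UserHandle]
	if err != nil || len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, signingInput(resp.Request, resp.Approved), sig) {
		return errors.New("bad signature")
	}
	delete(a.pending, issued.Nonce) // consumed, so a captured response cannot be replayed
	if !resp.Approved {
		return errors.New("user denied the request")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	app := NewApplication([]byte("constructed-demo-pepper"))
	app.Enrol("alice", pub)
	req, _ := app.NewRequest("alice", time.Now(), time.Minute)
	resp := Respond(priv, req, true)
	fmt.Println(app.Verify(resp, time.Now()), "|", app.Verify(resp, time.Now())) // <nil>, then the replay is rejected
}
```

Note what the application's store would yield to an attacker: public keys and a per-application pepper, neither of which lets a thief impersonate the user or link the handle to the same person at another service. The nonce and expiry are what make a captured response worthless after its first use.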

Multifactor

Depending on the implementation, end user, and attack vector, authentication factors provide variable levels of reliability. This is why next-generation authentication solutions should use multifactor authentication (MFA) whereby all three primary types of authentication factors are used in conjunction.

These factors include:

  • Possession factors - something only the end user possesses, such as a device
  • Knowledge factors - something only the end user knows, such as a unique phrase
  • Inherence factors - something inherent only to the end user, such as their fingerprint

Dynamic

Security is neither static nor one-sided. Both applications and users have unique security needs that can change at any time based on the use case, risk, or personal desire of either. A next generation authentication and authorisation solution must be capable of altering the level of security dynamically at any given time. Additionally, such alterations to security should be controlled and influenced by both the end user and the application.
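The multifactor and dynamic traits can be expressed as a small policy engine: the application sets a floor of required factor types, the user may add their own requirements, a risk rule may escalate further, and the device reports which factor types it verified locally. The Go program below is an added example for this page, not LaunchKey's code; the policy union, the three-step risk ladder and the names (Policy, RiskPolicy, Decide) are assumptions chosen to illustrate the idea.

```go
package main

import (
	"fmt"
	"sort"
)

// Factor is one of the three primary factor types.
type Factor string

const (
	Possession Factor = "possession" // something the user has: the enrolled device
	Knowledge  Factor = "knowledge"  // something the user knows: a PIN checked on the device
	Inherence  Factor = "inherence"  // something the user is: a fingerprint matched on the device
)

// Policy is the set of factor types a party requires before a request is approved.
type Policy map[Factor]bool

// Union merges policies. The application sets a floor, the user may raise it for their own
// account, and a risk rule may raise it further; no party can lower what another requires.
func Union(policies ...Policy) Policy {
	out := Policy{}
	for _, p := range policies {
		for f, on := range p {
			if on {
				out[f] = true
			}
		}
	}
	return out
}

// RiskPolicy is a hypothetical escalation ladder: the more sensitive the action being
// authorised, the more factor types the request demands.
func RiskPolicy(risk int) Policy {
	switch {
	case risk >= 3:
		return Policy{Possession: true, Knowledge: true, Inherence: true}
	case risk == 2:
		return Policy{Possession: true, Knowledge: true}
	default:
		return Policy{Possession: true}
	}
}

// Missing lists, in sorted order, the required factors the device did not attest. The device
// checks the PIN and biometric locally and reports only which factor types passed, so the
// secrets themselves never reach the application.
func Missing(required Policy, attested []Factor) []Factor {
	have := map[Factor]bool{}
	for _, f := range attested {
		have[f] = true
	}
	var missing []Factor
	for f := range required {
		if !have[f] {
			missing = append(missing, f)
		}
	}
	sort.Slice(missing, func(i, j int) bool { return missing[i] < missing[j] })
	return missing
}

// Decide computes the effective policy for one request and checks the device's attestation
// against it, returning the verdict and whatever is still missing.
func Decide(appPolicy, userPolicy Policy, risk int, attested []Factor) (bool, []Factor) {
	missing := Missing(Union(appPolicy, userPolicy, RiskPolicy(risk)), attested)
	return len(missing) == 0, missing
}

func main() {
	app := Policy{Possession: true} // the application's floor
	user := Policy{Knowledge: true} // the user opted in to a PIN on every request
	for _, c := range []struct {
		risk     int
		attested []Factor
	}{
		{1, []Factor{Possession, Knowledge}}, // routine login: approved
		{1, []Factor{Possession}},            // the user's own PIN requirement is unmet: denied
		{3, []Factor{Possession, Knowledge}}, // high-risk action: a biometric is required as well
	} {
		ok, missing := Decide(app, user, c.risk, c.attested)
		fmt.Printf("risk=%d attested=%v -> approved=%v missing=%v\n", c.risk, c.attested, ok, missing)
	}
}
```

The union is the design choice worth noting: because requirements only ever accumulate, a compromised or misconfigured application cannot silently drop a factor the user insisted on, and the user cannot opt out of a floor the application needs for a high-risk action.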

Mobile

Hardware and applications are becoming as mobile as the humans that use them. The need for authentication and authorisation can happen anywhere at any time. As such, next-generation authentication and authorisation solutions must be mobile in terms of where they can be accessed, their remote capabilities, and their ability to be used in real-time.

Scalable

The ubiquitous nature of authentication and authorisation, along with the growing number of use cases in which it is needed, requires an authentication and authorisation solution that is scalable at a global level. A valid next-generation authentication and authorisation solution must take into account changing technologies while avoiding the hurdles to mass adoption in the form of expense, availability and comprehension.

Time to move beyond the password

In today’s connected world, authentication is ubiquitous. Whether virtual or physical, the improper access that follows a failed authentication has tangible effects ranging from stolen identities, fraudulent transactions, intellectual property theft, and data manipulation to network attacks and state-sponsored espionage. These consequences have the potential to cost companies millions of dollars, ruin the reputations of individuals, and disrupt business.

Traditional strong authentication methods like two-factor authentication built on top of passwords do nothing to address the liability and risk of the insecure password layer, while their shared-secret architecture (e.g. OTP) is cryptographically inferior, vulnerable to many attack vectors, and creates a cumbersome experience that users dislike and often avoid. Furthermore, both passwords and the strong authentication built on top of them are incompatible with many of the devices and remote ‘things’ that will require user authentication in the future but lack the input mechanisms, such as keyboards and forms, needed to use them.

Organisations and applications must remove the vulnerability and liability that passwords have created while implementing more secure authentication methods that account for an evolving and diversified landscape of use cases, end users, and threats. By instituting the nine core traits of a next-generation authentication and authorisation solution that I’ve listed above, businesses of all sizes can be better prepared to face the ever-growing security challenges of today, and beyond.

This article is brought to you by Enex TestLab, content directors for CSO Australia.

About the Author

Geoff Sanders is CEO and co-founder of LaunchKey, a cybersecurity company specialising in next generation authentication solutions. The third cybersecurity CEO in his family, Geoff’s a self-taught full stack developer and designer who has been leading product development and management for more than a decade. Prior to LaunchKey, Geoff ran his own web and application development consultancy after studying electrical engineering at the University of Texas at Austin.

Follow Geoff on Twitter at @GeoffSanders. Follow LaunchKey on Twitter at @LaunchKey.
