Historical forms of authentication were never meant for the networked landscape we live in today. The first passwords were adequate authentication solutions only because the systems they secured were isolated. Unfortunately, the isolated systems that pervaded the early days of the computer revolution have set the foundation for authentication in the Internet Age.
Within just a few years, the global computer market transitioned from a disconnected world of isolated computers to a fragmented world connected by the cloud. Not only are computers now interconnected; the devices themselves and the applications running on them are as mobile as the users who own them. Applications are no longer restricted to specific machines or data centres: they can be distributed, dispersed, or local to mobile devices. The security of any individual system or user now affects the security of every system networked to it.
A password-free future
Today, the tempo of security breaches directly related to stolen passwords and bypassed authentication is increasing along with the severity of their consequences. Further compounding these issues, past breaches are creating a snowball effect, resulting in subsequent attacks being easier, quicker, and more widespread than their predecessors. A new approach to authentication and authorisation is required to face the new generation of modern security challenges.
The future of authentication is free from traditional passwords. In order to kill passwords from the security landscape, however, one must first define what future solutions should look like.
At LaunchKey, we’ve set out to evolve authentication and authorisation beyond the password era, and have identified the nine core traits of a next-generation authentication and authorisation solution as:
1. Password free
2. Decentralised
3. Platform agnostic
4. Superior cryptography
5. Anonymous
6. Multifactor
7. Dynamic
8. Mobile
9. Scalable
Let’s take a quick look at each.
Central to a next-generation authentication and authorisation solution is removal of the traditional password layer. Applications must cease relying on collecting traditional in-band passwords as a viable form of authentication.
Decentralising the authentication and authorisation layer is the biggest fundamental architectural difference between a classic password-based approach and a next-generation approach. In an in-band approach, end users supply credentials to the application being secured through one central, public authentication and authorisation layer. A decentralised approach does the opposite: the application reaches out to individual users and asks for authorisation through a unique authentication and authorisation layer accessible only to that user.
By shifting the authentication and authorisation layer outside the application being secured, attacks on that layer are segregated from the application. This has the added benefit that the application no longer needs to hold onto any of the sensitive data that hackers and malware are after, such as credentials, personally identifying information (PII), and authentication data such as geolocation and biometrics. Further, this decentralisation means the hardware running the application being secured no longer needs the input mechanisms that authentication would otherwise require, such as a keyboard, fingerprint scanner, or camera.
Modern applications are no longer exclusive to websites and desktop software. The growing number of smart devices, consoles, and Internet of Things devices requires that a next-generation authentication and authorisation solution be broadly compatible with both online and offline applications in a variety of use cases. One consolidated authentication and authorisation solution is needed, capable of authenticating a user to platforms ranging from game consoles and kiosks to vehicles, sensors, wearables, servers, and beyond.
In order to defend against an evolving threat landscape and increasingly sophisticated hackers and malware, next-generation authentication must be cryptographically superior to its predecessors. Instead of the symmetric shared-secret architecture of classic two-factor authentication such as one-time passwords (OTP), a superior asymmetric cryptographic approach with public/private key pairs is mandatory. Additionally, one must always assume that interception of data transmitted in the authentication and authorisation process is possible, so TLS/SSL with perfect forward secrecy (PFS) should be used, along with the largest practical encryption keys and the strongest available hash functions, to defend against brute-force attacks.
Furthermore, such a cryptographic approach will ensure that an application can trust and validate the responses from end users by eliminating the possibility that data can be altered or spoofed in transit, thereby maintaining the integrity of the authentication and authorisation service.
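The two preceding points (the application pushing an out-of-band request to the user's own device, and an asymmetric key pair replacing the shared secret of OTP) can be shown side by side in code. The following is an added example written for this article, not LaunchKey's code or protocol: it implements an RFC 4226 HOTP code from a shared secret, then an Ed25519 challenge-response in which the server stores only a public key. The `Device`, `Server` and `Scenario` names, the user id `alice` and the `demo-auth-v1:` purpose label are constructed for the example; transport protection (TLS with PFS) is assumed to wrap the exchange and is not shown.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/binary"
)

// Shared-secret model: HOTP (RFC 4226). Server and device hold the SAME secret,
// so whoever copies the server's credential table can mint codes for every user.
func hotp(secret []byte, counter uint64) uint32 {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	truncated := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return truncated % 1000000 // six-digit code
}

// Asymmetric model: Ed25519 challenge-response. The server keeps only public
// keys; a stolen copy of its table lets an attacker verify responses, not forge them.
type Device struct{ priv ed25519.PrivateKey } // hypothetical: the user's phone or token

type Server struct { // hypothetical: the relying application's authentication store
	pubkeys map[string]ed25519.PublicKey // user id -> enrolled public key
	pending map[string][]byte            // user id -> outstanding challenge nonce
}

func NewServer() *Server {
	return &Server{pubkeys: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

// NewDevice generates the key pair on the device; only the public half is handed over.
func NewDevice() (*Device, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // no entropy available: nothing sensible to do in a demo
	}
	return &Device{priv: priv}, pub
}

// Enroll records the public key; no secret material is stored server-side.
func (s *Server) Enroll(user string, pub ed25519.PublicKey) { s.pubkeys[user] = pub }

// Challenge is the out-of-band request pushed to the user's device: a fresh random
// nonce valid for exactly one response. Returns nil for a user who never enrolled.
func (s *Server) Challenge(user string) []byte {
	if _, ok := s.pubkeys[user]; !ok {
		return nil
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	s.pending[user] = nonce
	return nonce
}

// challengeMessage binds the nonce to a purpose label and the user id so a
// signature cannot be reused in another context (label is constructed for the demo).
func challengeMessage(user string, nonce []byte) []byte {
	return append([]byte("demo-auth-v1:"+user+":"), nonce...)
}

// Respond is the device's answer: a signature over the challenge with the private key.
func (d *Device) Respond(user string, nonce []byte) []byte {
	return ed25519.Sign(d.priv, challengeMessage(user, nonce))
}

// Verify checks the response against the enrolled public key and consumes the
// nonce, so a captured response cannot be replayed.
func (s *Server) Verify(user string, sig []byte) bool {
	nonce, ok := s.pending[user]
	if !ok {
		return false
	}
	delete(s.pending, user)
	return ed25519.Verify(s.pubkeys[user], challengeMessage(user, nonce), sig)
}

// Scenario enrolls one user and reports whether the genuine response, a replay
// of it, and a forgery by a device that never enrolled are accepted.
func Scenario() (genuine, replay, forged bool) {
	srv := NewServer()
	dev, pub := NewDevice()
	srv.Enroll("alice", pub)
	nonce := srv.Challenge("alice")
	sig := dev.Respond("alice", nonce)
	genuine = srv.Verify("alice", sig)
	replay = srv.Verify("alice", sig) // same response again: nonce already consumed
	rogue, _ := NewDevice()           // attacker holds alice's public key, not her private key
	forged = srv.Verify("alice", rogue.Respond("alice", srv.Challenge("alice")))
	return
}
```

The contrast is in what a breached server yields: the HOTP table contains the secrets themselves, so `hotp` can be run by anyone holding a copy, whereas the Ed25519 table contains only verification keys, and the signed, single-use, purpose-labelled challenge gives the application the integrity guarantee the text describes.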
Decentralised authentication and authorisation solutions must be anonymous with respect to the service (e.g. API) that is transmitting authentication and authorisation data between applications and end users. By making the data anonymous, both an attacker that has breached the service and the authentication and authorisation service itself are incapable of identifying an individual user. This eliminates the possibility of targeting specific individuals in an attack for the purpose of bypassing authorisation or correlating such data with applications or users externally. Additionally, any requisite personal data used to authenticate a user, such as biometric or geo-data, should be stored locally by the end user, making such information inaccessible to both the application and the authentication and authorisation service. Such an approach not only maintains the integrity of the service, but it also protects the privacy of its users.
Depending on the implementation, end user, and attack vector, authentication factors provide variable levels of reliability. This is why next-generation authentication solutions should use multifactor authentication (MFA) whereby all three primary types of authentication factors are used in conjunction.
These factors are:
- Possession factors - something only the end user possesses, such as a device
- Knowledge factors - something only the end user knows, such as a unique phrase
- Inherence factors - something inherent only to the end user, such as their fingerprint
Security is neither static nor one-sided. Both applications and users have unique security needs that can change at any time based on the use case, risk, or personal desire of either. A next-generation authentication and authorisation solution must be capable of altering the level of security dynamically at any given time. Additionally, such alterations to security should be controlled and influenced by both the end user and the application.
Hardware and applications are becoming as mobile as the humans that use them. The need for authentication and authorisation can happen anywhere at any time. As such, next-generation authentication and authorisation solutions must be mobile in terms of where they can be accessed, their remote capabilities, and their ability to be used in real-time.
The ubiquitous nature of authentication and authorisation, along with the growing number of use cases in which it is needed, requires an authentication and authorisation solution that is scalable at a global level. A valid next-generation authentication and authorisation solution must take into account changing technologies while avoiding the hurdles to mass adoption in the form of expense, availability and comprehension.
Time to move beyond the password
In today’s connected world, authentication is ubiquitous. Whether virtual or physical, the improper access obtained from failed authentication has tangible effects ranging from stolen identities, fraudulent transactions, intellectual property theft and data manipulation to network attacks and state-sponsored espionage. These consequences have the potential to cost companies millions of dollars, ruin the reputations of individuals, and disrupt business.
Traditional strong authentication methods like two-factor authentication built on top of passwords do nothing to address the liability and risk of the insecure password layer, while their shared-secret architecture (e.g. OTP) is cryptographically inferior, vulnerable to many attack vectors, and creates a cumbersome experience that users dislike and often avoid. Furthermore, both passwords and the strong authentication built on top of them are incompatible with many of the devices and remote ‘things’ that will require user authentication in the future but lack the requisite input mechanisms, like keyboards and forms, to use them.
Organisations and applications must remove the vulnerability and liability that passwords have created while implementing more secure authentication methods that account for an evolving and diversified landscape of use cases, end users, and threats. By instituting the nine core traits of a next-generation authentication and authorisation solution that I’ve listed above, businesses of all sizes can be better prepared to face the ever-growing security challenges of today, and beyond.
This article is brought to you by Enex TestLab, content directors for CSO Australia.
About the Author
Geoff Sanders is CEO and co-founder of LaunchKey, a cybersecurity company specialising in next generation authentication solutions. The third cybersecurity CEO in his family, Geoff’s a self-taught full stack developer and designer who has been leading product development and management for more than a decade. Prior to LaunchKey, Geoff ran his own web and application development consultancy after studying electrical engineering at the University of Texas at Austin.
Follow Geoff on Twitter at @GeoffSanders. Follow LaunchKey on Twitter at @LaunchKey.