The best thing you can say about using a password for authentication is that it’s better than nothing. High-profile breaches like Equifax, however, have exposed millions of passwords and user IDs, calling into question even that faint praise. Consumers who do not assume that at least some of their passwords have already been compromised are left with a dangerous false sense of security.
Companies that still rely on password authentication for access to important customer and corporate data are doing the same. Password-only protection is permanently broken, and any organization relying on it is placing its business and reputation at risk. Even if they avoid a breach, awareness of the shortcomings of password protection is much higher now thanks to Equifax. If that’s how you protect customers’ data, they will think twice about trusting you with it.
Alternatives like two-factor authentication (2FA), multifactor authentication (MFA), behavioral analytics, and biometrics have been available for some time, but adoption rates are low. The growing threat landscape and rising consumer awareness are lowering the barriers to implementing these options; those barriers have been, primarily, user resistance, complexity and unclear ROI.
All these alternatives can be compromised, some more easily than others. “All authentication whether it’s a fingerprint, a face, an iris scan—all these things are broken down into bits and bytes, and they are effectively a shared secret,” says Dustin Heywood, senior managing consultant for IBM’s X-Force Red security testing team. Because these shared secrets are stored digitally like a password, it is theoretically possible to steal them. The difference is that it’s harder to do so.
The goal is to make it so difficult to gain access that most cyber criminals will look elsewhere for easier pickings. Many companies use a combination of authentication methods depending on the risk, user considerations and value of the data being protected to reach a reasonable expectation of security.
Users see value in strong authentication
The best laid authentication plans of organizations and consumer-facing websites can go awry due to user resistance or apathy. One of the few positive outcomes of recent high-profile breaches is that consumers are starting to understand the value of strong authentication and seem more willing to accept some inconvenience for it.
Jessy Irwin, an independent security researcher, believes this trend started with the Anthem breach in early 2015. “[Consumers] were worried about healthcare information getting out.” With Equifax, that concern now includes financial accounts.
While consumers might be more accepting of more complex authentication to protect health and financial data, not all service providers offer the option. “A lot of banks, because of work that was done quite some time ago, think that having security questions tied to an account is a second factor, which it really isn’t,” says Irwin. “People want an extra layer of protection, and don’t have the option to turn anything on. They have to go to customer service or an account representative or up a chain to even ask for these features.”
The lack of a mechanism to request added security layers leads some companies to believe there is no demand for them. “There’s a lot of work to be done. People know they need something, but they don’t know what the thing is. When they find out what the thing is, sometimes they don’t have the option to turn it on. It’s really an uphill battle,” says Irwin.
Competitive concerns are holding back some companies from implementing a different authentication process that might make their services harder to access. “When it comes to the consumer side, they are so fearful of impacting the user experience,” says Robert Block, senior vice president of identity strategy at intelligence-based authentication provider SecureAuth. “A lot of that is driven by a lack of understanding that there are ways to do it that aren’t very impactful provided the right variables are met.”
“Consumers are becoming smarter. They’re saying, ‘If I do business with you, do you protect my credentials? Do you offer 2FA? If so, how much control over the methods do I have?’ The idea that users are lazy and not wanting their user experience interrupted ever is probably a myth because of the impact of breaches,” says Block.
The challenge of implementing stronger authentication is not with the technology. “It’s around people, process, and culture,” says Block. “Can you get the right people around the table to decide what’s an acceptable risk? The use cases to be supported? How many factors will we support and how do we present those factors to the end user?”
To gain user acceptance, Block stresses the need to be flexible. “Whatever you can tolerate [in terms of risk], try to be as flexible as possible so the end users feel like they are in control.”
The dangers of password-only authentication
It is just too easy for hackers to crack or steal passwords and user IDs to rely on them alone. That’s true even if you follow advice for keeping them safe. “There are a lot of security requirements that make [passwords] weaker, not stronger,” says Irwin. “A lot of people think that if they change passwords frequently, they are contributing to good security behavior. They’re not. A lot of the rules for generating strong passwords are backwards. They make it easier for someone to crack a password.”
The rules Irwin refers to are widely used and based on earlier recommendations from standards organizations such as the National Institute of Standards and Technology (NIST). NIST revised those rules in 2017 in Special Publication 800-63B (Digital Identity Guidelines), which drops mandatory periodic rotation and composition rules in favor of screening new passwords against lists of known-compromised values, but most organizations have yet to adopt the new guidance.
“The problem with the password isn’t the password itself. It can be hardened in certain respects,” says Heywood. “The crux of the issue is that the password is a shared secret. People reuse passwords between sites, so you’re relying not just on the security of the site you’re working with, but the security of every site you’ve ever used that password. Secrets always need to be rotated.”
Sites do not store passwords directly; they store the output of a hashing algorithm that is designed to be hard to reverse. Heywood says that too many sites still use hashing algorithms that are decades old and known to be weak. A hash is not literally reversed: an attacker who steals the hash table guesses candidate passwords, hashes each one and compares, and on today’s hardware a fast, unsalted hash such as MD5 or SHA-1 lets that guessing run at billions of attempts per second. “There are now frameworks where we can quickly validate those credentials against other website breaches or even in real time against other websites.”
To minimize the risk of a compromised password, more people are using password managers, which generate a long random password for each site from a pseudo-random generator and store the whole set encrypted under one master secret. “Some pseudo-random generators have been broken due to poor implementations, but they are better than nothing,” says Heywood.
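The difference between a legacy hash table and a salted, slow one is easiest to see by playing the attacker. The following is an added example written for this article, not code from any of the people or companies quoted: it builds a constructed three-user table, cracks it with a tiny wordlist first as unsalted MD5 and then as salted PBKDF2-SHA256, counts the work each costs, and shows the kind of random password a manager would generate for the third user. User names, passwords, the wordlist and the iteration count are all made up for the demo.

```python
"""Offline guessing against a stolen hash table: fast unsalted MD5 versus
salted PBKDF2, plus the random password a password manager would generate.
All users, hashes and the wordlist below are constructed for the demo."""
from __future__ import annotations

import hashlib
import hmac
import os
import secrets
import string

# Constructed "breached" wordlist: what a cracker tries first.
WORDLIST = ["password", "123456", "letmein", "qwerty", "Summer2017", "dragon"]


def md5_hash(password: str) -> str:
    """Legacy scheme: fast, unsalted. Identical passwords give identical hashes."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_hash(password: str, salt: bytes | None = None, iterations: int = 100_000) -> str:
    """Salted, deliberately slow scheme. Stored as algo$iterations$salt$dk."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    _algo, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)   # constant-time compare


def crack_unsalted(table: dict[str, str], wordlist: list[str]) -> tuple[dict[str, str], int]:
    """Attacker side. Without salt, one hash per candidate tests every user at
    once, and the precomputed lookup is reusable against the next breach too."""
    lookup = {md5_hash(word): word for word in wordlist}
    cracked = {user: lookup[h] for user, h in table.items() if h in lookup}
    return cracked, len(wordlist)          # hash computations spent


def crack_salted(table: dict[str, str], wordlist: list[str]) -> tuple[dict[str, str], int]:
    """Attacker side. A per-user salt forces a fresh, slow derivation per user per candidate."""
    cracked: dict[str, str] = {}
    work = 0
    for user, stored in table.items():
        for word in wordlist:
            work += 1
            if pbkdf2_verify(word, stored):
                cracked[user] = word
                break
    return cracked, work


def generate_password(length: int = 20) -> str:
    """What a password manager does: CSPRNG-chosen characters, a new one per site."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def build_demo_tables() -> tuple[dict[str, str], dict[str, str], str]:
    """Three constructed users; carol uses a manager-generated password."""
    carol_pw = generate_password()
    plaintext = {"alice": "password", "bob": "Summer2017", "carol": carol_pw}
    legacy = {u: md5_hash(p) for u, p in plaintext.items()}
    modern = {u: pbkdf2_hash(p) for u, p in plaintext.items()}
    return legacy, modern, carol_pw


if __name__ == "__main__":
    legacy, modern, _ = build_demo_tables()
    print(crack_unsalted(legacy, WORDLIST))   # alice and bob fall after 6 hashes in total
    print(crack_salted(modern, WORDLIST))     # the same two fall, but after 12 slow derivations
```

The random password never falls to the wordlist under either scheme; the point of the salt and the iteration count is to protect the users who chose badly, by making every guess cost a separate slow computation instead of one shared lookup.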
Two-factor authentication: A small step forward
Asking users to provide another piece of identifying information in addition to a password has become the minimum standard for secure authentication. That second piece is sometimes another thing only the user should know, such as the answer to a security question like "What was the name of your first dog?" (strictly, that is a second instance of the same factor rather than a second factor). More often it is proof of something the user possesses: a verification code sent via SMS to their cell phone, or one generated by a token device.
“Secure” here is a relative term. In the Equifax breach, answers to security questions were also compromised for some users. Some personal information is easily found with a little research, like mother’s maiden name or city where a person was born.
Sending a verification code via SMS isn’t much better. In fact, the new NIST guidelines (SP 800-63B) classify SMS-delivered codes as a “restricted” authenticator because hackers can intercept them. This is partly due to inherent weaknesses in SS7 (Signaling System No. 7), the signaling protocol, dating from the 1970s, that telephone networks use to route calls and messages between carriers. An attacker with access to the SS7 network can reroute a subscriber’s calls and text messages to a device they control, which is enough to capture a one-time code.
SIM card hijacking is also on the increase, says Irwin. “A social engineer will call the AT&T or Verizon customer service line and pretend to be another person to set up a new phone or make changes to an account. They are now in control of device authorization, and they can intercept SMS codes,” she says. Irwin notes that this type of attack targets people whom the hacker knows has something of value like a bitcoin account or high-level access to important data.
Using a token device or a token smartphone app that displays the verification code is safer. “You don’t have to rely on another mechanism to get [the verification code]. Someone would have to get access to the particular token you have to attack the second factor. That’s a lot of work,” says Irwin. “[Tokens] are the strongest and best delivery method for 2FA codes.”
The problem with tokens for consumer applications is that people resist using them because they require a separate device and their own app. “Tokens can require a bit of extra work,” says Irwin. She believes that if consumers better understood the benefits and token app vendors made them more consumer friendly, they would be more widely used. For now, the primary use of tokens to deliver verification codes is in corporate environments.
Whether it is a token or smartphone, requiring ownership of a device for access limits the damage a cyber criminal can do. “When the only way to know a code is to be holding a device, it makes it harder—almost impossible—to attack at scale,” says Harry Sverdlove, co-founder/CTO of Edgewise Networks.
Multifactor authentication: Stronger if well implemented
The idea behind MFA is to make hackers work harder to gain access to other people’s accounts. MFA typically requires a user ID and password (something you know) plus something you possess. “If multifactor is in play and I have your password, I’m going to find somewhere where the administrator was lazy and didn’t utilize the multifactor,” says Heywood. “MFA isn’t a silver bullet, but it is extremely effective to block the majority of attacks except from a dedicated attacker.”
MFA is typically a staged process where a user is asked to provide additional identifying factors if a red flag is raised. It is often paired with risk-based authentication (see below). For example, the user attempts to log in from a new device or is trying to access a more protected area. “Routinely looking at my balance, [my bank] isn’t going to care [about asking for a second factor],” says Heywood. “If I try to transfer $10 million to the UK, they’re going to ask for my first-born, a lot of questions, a blood sample, etc.”
From January 1 to October 5 of this year, Block says about 88 percent of authentication attempts that SecureAuth processed went through on the first factor. “Why would you want to burden the user with a second factor every single time?” he says.
“We need to make MFA ubiquitous,” says Sverdlove. The most reliable scheme, he believes, would combine something the user knows (a password, answers to security questions), something the user has (a smartphone, a token device), where the user is (location), and something the user is (biometrics, behavioral analytics).
Social login: Useful but with risks
Large consumer identity providers and social networks like Google, Facebook, Twitter and Instagram generally have better safeguards for user ID and password data than most other services. They also offer 2FA, at least as an option, and employ analytics to spot possible illegitimate login attempts that might trigger a request for more identifying information.
With social login, websites and mobile applications allow people to sign in using their social media accounts, often as an alternative to standard password authentication. Users see it more as a convenience than as added security, but websites and web service providers gain a level of secure authentication they might otherwise not have the resources to achieve themselves. Social media sites and identity service providers used for social login provide staff and technology to build strong authentication capabilities with modernized protections around user identities, says Jim Kaskade, CEO of Janrain, whose suite of customer identity and access management solutions includes social login. “We stand on the shoulders of giants who have made a tremendous investment in security,” he says.
The big risk with social login is that all sites a user accesses via, say, Google will be compromised if that Google account is compromised. Attackers can take control of a social account in a number of ways: social engineering, creating a fake profile, or buying a user ID and password on the dark web. Users can mitigate this risk if they turn on optional authentication features like 2FA, but many don’t.
“Social logins are interesting because we have really strong OAuth built around them,” says Irwin. “They do two things: They connect your social media account with services where you don’t want your social media provider partaking in, especially if there’s a way to target ads against them.” She adds that social media companies already have so much data about a person that can be used in ways they don’t expect. Giving them more information through social logins so those companies know all your relationships on the web, “is not OK. It’s a little creepy,” she says.
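The OAuth flow Irwin mentions is only as strong as the relying party’s implementation of it. The following is an added example written for this article, not code from Janrain, any social network, or anyone quoted: it shows the website side of an OAuth 2.0 authorization-code login with the two checks that defeat the common attacks on it, an unguessable single-use `state` (against login CSRF and replay) and PKCE (RFC 7636, so an intercepted authorization code is useless without the verifier). The authorization server is a constructed stand-in; the client ID and URLs are placeholders. A real integration with a provider additionally validates the ID token’s signature, issuer, audience and expiry, which this example does not cover.

```python
"""Relying-party side of a social-login style OAuth 2.0 authorization-code
flow with `state` and PKCE. The authorization server below is a constructed
stand-in, not any real provider; endpoints and client IDs are placeholders."""
from __future__ import annotations

import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def code_challenge(verifier: str) -> str:
    """PKCE S256 method: BASE64URL(SHA256(code_verifier))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class RelyingParty:
    """The website offering 'Sign in with <provider>'."""

    def __init__(self, client_id: str, redirect_uri: str, authz_endpoint: str):
        self.client_id, self.redirect_uri, self.authz_endpoint = client_id, redirect_uri, authz_endpoint
        self.pending: dict[str, str] = {}      # state -> code_verifier, single use

    def start_login(self) -> str:
        state = b64url(secrets.token_bytes(16))
        verifier = b64url(secrets.token_bytes(32))   # 43 chars, within RFC 7636 bounds
        self.pending[state] = verifier
        params = {"response_type": "code", "client_id": self.client_id,
                  "redirect_uri": self.redirect_uri, "scope": "openid email",
                  "state": state, "code_challenge": code_challenge(verifier),
                  "code_challenge_method": "S256"}
        return f"{self.authz_endpoint}?{urlencode(params)}"

    def handle_callback(self, callback_url: str) -> tuple[str, str]:
        """Return (code, verifier) for the token request, or raise."""
        q = parse_qs(urlparse(callback_url).query)
        state = q.get("state", [""])[0]
        verifier = self.pending.pop(state, None)     # pop: a state is accepted once
        if verifier is None:
            raise ValueError("unknown or replayed state: possible login CSRF")
        return q["code"][0], verifier


class ToyAuthorizationServer:
    """Constructed provider: issues codes and checks PKCE at the token endpoint."""

    def __init__(self):
        self.codes: dict[str, tuple[str, str]] = {}   # code -> (challenge, redirect_uri)

    def authorize(self, authz_url: str) -> str:
        """Pretend the user authenticated and consented; redirect back with a code."""
        q = parse_qs(urlparse(authz_url).query)
        code = b64url(secrets.token_bytes(16))
        self.codes[code] = (q["code_challenge"][0], q["redirect_uri"][0])
        return f"{q['redirect_uri'][0]}?{urlencode({'code': code, 'state': q['state'][0]})}"

    def token(self, code: str, verifier: str, redirect_uri: str) -> dict[str, str]:
        challenge, bound_uri = self.codes.pop(code, ("", ""))    # codes are single use
        if not challenge:
            raise ValueError("unknown or already-redeemed code")
        if bound_uri != redirect_uri or not hmac.compare_digest(code_challenge(verifier), challenge):
            raise ValueError("PKCE or redirect_uri mismatch")
        return {"access_token": b64url(secrets.token_bytes(24)), "token_type": "Bearer"}


def demo_login(rp: RelyingParty, idp: ToyAuthorizationServer) -> tuple[dict[str, str], str]:
    """One honest round trip; returns the token and the callback URL that was used."""
    authz_url = rp.start_login()                        # 1. browser is sent to the provider
    callback = idp.authorize(authz_url)                 # 2. provider redirects back with code+state
    code, verifier = rp.handle_callback(callback)       # 3. state check on the way in
    token = idp.token(code, verifier, rp.redirect_uri)  # 4. back-channel code exchange
    return token, callback


def rejected(fn, *args) -> bool:
    """True if the call raises ValueError; used to show the checks firing."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    rp = RelyingParty("example-client", "https://rp.example/callback", "https://idp.example/authorize")
    print(demo_login(rp, ToyAuthorizationServer())[0])
```

Neither check makes the social account itself any harder to take over, which is the risk described above; they only ensure that the website cannot be tricked into binding a victim’s session to an attacker’s account, or into accepting a code that was stolen in transit.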
Irwin sees social login having value in some instances. “For shopping websites or websites where users don’t maintain good user names and passwords, [social login] takes away a lot of the work the user has to do. That’s awesome,” she says, “but it also makes the password and user name for the social media site super, super valuable.” Irwin says that family members, domestic partners or friends who are angry with a user sometimes use that person’s social media login to make trouble. “It could be pretty catastrophic.”
Kaskade believes the risks associated with social login are being mitigated by companies who implement it smartly. For example, an organization might use social login as part of a “light" authentication scheme, such as using, say, Facebook for simple services like downloading gated content, and then requiring a higher level of login security (e.g., MFA) for access to more sensitive information like accessing your checking account.
He notes that even banks and healthcare providers—highly regulated organizations when it comes to protecting individuals’ data—are starting to use social login where it makes sense. They do so to make it easier on people and reduce what he calls registration and login fatigue, but they obviously augment social login with other means of identification. Janrain’s social login product adds security by allowing organizations to set up rules around user behavior. “If someone logs in from the U.S. and a few minutes later logs in from the Middle East, it knows from simple rule sets to enforce MFA,” says Kaskade.
Biometrics: Not as foolproof as you might think
The term “biometrics” encompasses a range of authentication methods that scan some physical attribute of a person—including the face, the eye’s iris, a heartbeat, vein pattern, or fingerprint—to prove identity. These attributes are unique to an individual, which has advantages and disadvantages for authentication purposes.
One advantage of biometrics is convenience for users. With the press of a thumb or a scan of the face, users can access their devices or services without having to remember a password or answers to security questions. The downside is that biometrics are far from foolproof. Apple’s latest Face ID technology was reportedly defeated by a mask built from a 3D-printed copy of a face, and less advanced face recognition is fooled by a photo of the authorized person.
A person’s biometric data is stored as a digital profile, which can be stolen. Once that happens, it’s useless for authentication. “I’m not a fan of passwords, but you can change them,” says Sverdlove. “What happens when a fingerprint gets stolen, when a face is stolen, when DNA is stolen? It’s all immutable and impossible to change.”
Stealing biometric data is considered harder than stealing or cracking a password, and the risk that a thief will target one individual’s biometric data is low. The risk rises significantly if the thief can target many profiles at once. “Millions of fingerprints stored in a clearinghouse will become a target,” says Sverdlove. “Once they are compromised, there’s not a lot of recourse.”
Sverdlove advocates that companies not create a single repository for biometric data. “Learn from the lessons of the past: No single database storing everything. It will get stolen,” he says.
Risk-based authentication: Eliminating the password
Passwords, MFA, social login and biometrics all place the burden of proving identity on the user. Risk-based authentication shifts part of that burden to the organization, which judges identity assurance from signals it collects itself. It’s not a new concept: credit card issuers, for example, have long used risk-based analytics to detect fraud by looking for abnormal transaction patterns.
Device metrics and behavioral biometrics are one aspect of risk-based authentication aimed at eliminating passwords. Software analyzes typing patterns, how the user interacts with a touch screen, the device’s IP address, or its geographic location, and matches that data and behavior to a specific user. The usage profile is built up over time through machine learning, while data such as IP address and location is pulled in directly from the network.
“You as an organization may define what is or isn’t an acceptable geolocation,” says Block. “We start to chart where you as an individual come from. We plot where you come from, the browser type of your devices, the phone number you might be using.” This allows the software to determine whether the call is coming from a known carrier within the geography. Combined with a person’s device usage profile, the risk-based authentication system can make a reasonably accurate decision whether to grant access without requiring a password.
“Your end user thinks, ‘I won’t have to use a password,’” says Irwin. “That’s great, but they give up super private information they didn’t know was valuable. Would you want an app provider to know how you used your phone all the time, how you touched it, when you touched it, when you clicked ‘yes’ or ‘no.’ I wouldn’t want that information captured for me. Sometimes this happens inside of apps for advertising purposes.”
Risk-based authentication is not foolproof. People tend to be predictable in their behavior, but circumstance can lead to changes that give false positive results for fraud. “What happens when someone has Carpal Tunnel Syndrome?” asks Sverdlove. “Behavioral biometrics represent another criterion to be used. It should never be used in exclusivity.” Sverdlove notes that a person’s digital behavioral profile can also be spoofed or altered by a determined criminal, though not easily.
Metrics like typing or screen swipe patterns are dependent on what the user is doing with the device. “There are inherent issues with [keyboard and screen metrics] in that some of it is very application dependent,” says Block. That makes it harder to understand and interpret the keystrokes. SecureAuth uses behavioral metrics, but also relies on hardware-based metrics like mobile gates and device type.
Finding the best authentication strategy
There is no one answer that can replace or strengthen password authentication across the board. Organizations need to take a risk-based approach that assesses the value of the data being protected, the likelihood of abuse, and the consequences of a compromised identity. For most, this means matching authentication to the application or circumstance and backing it up with some type of MFA.
For example, a bank might require customers to provide only a password at login. This lets customers see basic information about their account. If a customer wants to perform a transaction, the bank might ask for more identifying data such as a verification code. At the same time, the bank uses behavioral analytics software to see if the usage patterns and device metrics during the session match those associated with that customer. If something falls outside a predetermined parameter, further authentication is requested or access is denied or limited.
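The bank scenario above, and the “U.S., then the Middle East a few minutes later” rule Kaskade describes in the social-login section, come down to a handful of pre-auth checks over the user’s login history. The following is an added example written for this article, not code from SecureAuth, Janrain or any bank: it scores a login attempt for impossible travel between consecutive logins (great-circle distance divided by elapsed time), an unseen device, a country outside policy, and a high-value transfer, and returns allow, step up or deny. Thresholds, user names and login events are all constructed for the demo; a real deployment tunes them from its own data and adds the behavioral signals discussed earlier.

```python
"""Pre-auth risk checks for step-up authentication: impossible travel, new
device, country policy and high-value actions. Thresholds and events are
constructed for the demo."""
from __future__ import annotations

import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Login:
    user: str
    ts: int            # unix seconds
    lat: float
    lon: float
    country: str       # from IP geolocation in practice
    device_id: str     # cookie or fingerprint the site set on a prior login
    action: str = "view_balance"
    amount: float = 0.0


MAX_PLAUSIBLE_KMH = 900.0         # roughly airliner speed; faster is "impossible travel"
HIGH_VALUE_THRESHOLD = 10_000.0   # constructed policy: transfers above this always step up


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two points on the Earth."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def assess(history: list[Login], attempt: Login,
           allowed_countries: set[str] | None = None) -> tuple[str, list[str]]:
    """Return (decision, reasons); decision is 'allow', 'step_up' or 'deny'."""
    reasons: list[str] = []
    prior = [h for h in history if h.user == attempt.user]

    if allowed_countries is not None and attempt.country not in allowed_countries:
        reasons.append("country_outside_policy")

    if prior and attempt.device_id not in {h.device_id for h in prior}:
        reasons.append("new_device")

    if prior:
        last = max(prior, key=lambda h: h.ts)
        km = haversine_km(last.lat, last.lon, attempt.lat, attempt.lon)
        hours = max((attempt.ts - last.ts) / 3600.0, 1 / 3600.0)   # never divide by zero
        if km / hours > MAX_PLAUSIBLE_KMH:
            reasons.append("impossible_travel")

    if attempt.action == "transfer" and attempt.amount > HIGH_VALUE_THRESHOLD:
        reasons.append("high_value_action")

    if "country_outside_policy" in reasons:
        return "deny", reasons
    if reasons:
        return "step_up", reasons        # e.g. demand a token code before continuing
    return "allow", reasons


# Constructed history: alice last logged in from New York on a known device.
HISTORY = [Login("alice", 1_500_000_000, 40.71, -74.01, "US", "dev-1")]


if __name__ == "__main__":
    base = 1_500_000_000
    print(assess(HISTORY, Login("alice", base + 86_400, 42.36, -71.06, "US", "dev-1")))
    print(assess(HISTORY, Login("alice", base + 600, 25.20, 55.27, "AE", "dev-1")))
    print(assess(HISTORY, Login("alice", base + 86_400, 42.36, -71.06, "US", "dev-1",
                                "transfer", 10_000_000)))
```

The first attempt (Boston, a day later, known device) passes silently; the second (Dubai, ten minutes later) trips impossible travel and steps up; the third is a routine location but a large transfer, so it steps up on the action alone. Sverdlove’s caveat applies to every one of these signals: they rank risk and choose a challenge, they never replace the challenge.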
“We feel that at every authentication point there should be a number of pre-auth risk analysis checks accomplished to help you determine whether this valid user identification is trustworthy enough to allow or deny or step it up for further challenge with another factor.” says Block. He adds that some of SecureAuth’s consumer-focused customers are moving in this direction, but the industry as a whole isn’t there yet.
Most experts don’t see the password disappearing anytime soon, but there is real opportunity to reduce the number of passwords people need to manage. This is particularly true for corporate systems. “We’ve seen companies go to what they say is passwordless but what I’ll say is the reduction of reliance on passwords,” says Block. “If their employees manage 20 different passwords today, maybe they can get down to managing five and the rest are done with some other kind of primary authentication.”