‘Please enter your username and password’ is a request so common we hardly notice it, from online shopping to online banking. In recent years we’ve become accustomed to biometric logins and two-step authentication models, yet when it comes to passwords we still enter the same old user ID and password that we’ve had for years.
In fact, 89 per cent of people use the same one or two passwords for everything. But is this the optimal security option for consumers? With artificial intelligence (AI), this could all come to an end.
The user identity and access management (IAM) industry thinks AI could kill the password as we know it. Just as investment banks use predictive data models to forecast markets, insurance companies to predict accidents, or retailers to figure out the optimal time to send you a special offer, soon user authentication could rely on similar data analytics.
Corporate security teams are using machine learning to collect and find patterns in data related to log-in times, locations and device footprints. The goal is to more efficiently spot normal vs. abnormal user behavior and change access accordingly.
This will be based on the concept of adaptive authentication, which is built around the idea that you can assign a risk score and adjust the level of access a person gets based on the task they are performing and the assurance level of the user’s authentication method. Machine learning is now being used to build more detailed user personas by doing things like picking up on users’ keystroke patterns or remembering the devices a user has near the access device. Any deviation from the norm could raise the user’s risk score.
This approach can maintain security while greatly reducing the burden on users. Imagine you’re checking your online banking but not making a transaction. If you’re doing this from a location where you’ve done it in the past and using a known device, this could require a single fingerprint login, or maybe no credential at all.
But, if you are actually transferring money, or if you’re doing it from a previously unknown device or location, that may call for the use of a second factor of authentication, such as a one-time password sent over text. The same principles can apply for an IT admin who might have to use multiple factors, such as a hardware token and password, if he or she is looking to make a change in a system, such as adding a user. But he or she could skip that step if all they’re doing is a quick check of the number of users.
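As an added example (not code from the article), here is a small policy engine in Python that turns the banking and admin scenarios above into a risk score and a required set of factors; the action sensitivities, signal weights, tier thresholds and factor names are all assumed for illustration.

```python
from dataclasses import dataclass

# Added illustration of adaptive, risk-based authentication. All weights,
# thresholds and factor names are assumptions chosen to reproduce the
# scenarios in the article, not values from any real product.

@dataclass(frozen=True)
class Context:
    action: str                    # task being performed, e.g. "transfer"
    known_device: bool             # device seen before for this user
    known_location: bool           # location matches the user's history
    keystroke_match: bool = True   # behavioural model agrees it is the user

# How sensitive each task is (assumed): viewing < changing state.
ACTION_SENSITIVITY = {"view_balance": 0, "count_users": 1, "transfer": 3, "add_user": 5}

# Ordered weakest to strongest; the highest tier whose threshold the
# combined level reaches is the set of factors the user must present.
TIERS = [
    (0, ()),                              # no credential at all
    (1, ("fingerprint",)),                # single biometric login
    (3, ("password", "sms_otp")),         # second factor sent over text
    (5, ("password", "hardware_token")),  # strongest, for admin changes
]

def risk_score(ctx: Context) -> int:
    """Any deviation from the user's norm raises the score."""
    score = 0
    if not ctx.known_device:
        score += 3
    if not ctx.known_location:
        score += 3
    if not ctx.keystroke_match:
        score += 2
    return score

def required_factors(ctx: Context) -> tuple:
    """Combine task sensitivity and risk to pick the tier that applies."""
    if ctx.action not in ACTION_SENSITIVITY:
        raise ValueError(f"unknown action: {ctx.action}")
    level = ACTION_SENSITIVITY[ctx.action] + risk_score(ctx)
    chosen = ()
    for threshold, factors in TIERS:
        if level >= threshold:
            chosen = factors
    return chosen

def step_up(ctx: Context, already_presented: frozenset) -> tuple:
    """Return only the factors the current session has not yet satisfied."""
    return tuple(f for f in required_factors(ctx) if f not in already_presented)
```

A known device at a known location viewing a balance needs nothing, while the same user transferring money, or viewing from an unknown device, is prompted for a second factor.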
A challenge is that most of these methods rely on obtaining more data about users and their surroundings, something that often raises privacy alarms. Particularly with NDB and GDPR, consumers are more concerned about data privacy and exactly what their data is used for. But even as new public concerns over privacy have emerged in recent years, so too has another trend: the tech industry’s focus on usability, sometimes at the expense of security.
This is the latest swing for the security-vs-usability pendulum, which has been going back and forth for decades. The late 1990s and early 2000s were much more heavily oriented around security, with the introduction of things like PKI (public key infrastructure) and smart cards.
However, these solutions were cumbersome and saw little widespread adoption outside their niche markets. Now, more convenient options, like cloud-based single sign-on (SSO), are gaining wider adoption by using somewhat less secure methods, such as SMS and software-based security. The sweet spot is somewhere in the middle.
Finding this middle ground will likely require the reintroduction of hardware tokens, but in a more user-friendly way, by doing things like using smartphones as smart hardware tokens. Password fatigue has been well documented, and people are more interested now than ever in frictionless authentication concepts like zero log-in and implicit authentication, where a system or device can use sensors and machine learning algorithms to simply recognise you by your behaviours.
Will AI mean never having to remember a password ever again? While the technology is not there yet, we’ve already seen a range of technologies that change how we log in, and the new frontier will see context-based, risk-based and implicit authentication as essential elements. By finding the right balance of convenience, security and privacy, traditional passwords will become a relic of the past.