Logging into any type of application has to be one of the most talked about topics in security. It sometimes feels like it is the last frontier as far as technology innovation is concerned. Why is this so? It is likely because login is the point where the human-computer interface first comes into contact with the user, and that creates a usability vs. security conundrum which is always hard to resolve. Part of the issue has been ‘password fatigue’, a topic that has raged in the industry for many years without, it seems, getting us much further forward. But that impression is misleading: technology in the area of authentication is moving forward. I’ve named this post “The Good, Bad and Ugly…” but in truth each authentication measure can have a little of each, and what really counts is choosing the right one for the right scenario.
The Password is Dead, Long Live the Password
The first ever login option in computing, used by MIT in 1961, was of course the humble password. We have used it almost religiously ever since, for everything from logging into online banking to logging into an offline desktop computer. It is so successful because it is easy to program support for username and password access, and it’s also easy for the user logging in…mainly.
I say mainly because we now find ourselves in a situation where both security and usability have been severely compromised. In terms of security, the use of a username and password in an Internet connected world has left the password highly vulnerable. Phishing, and in particular spear phishing, means that cybercriminals can very easily steal a username and password, either by sending the phished individual to a spoof site which tricks them into revealing their login credentials, or by installing malware which exfiltrates the credentials when they are used.
And then there is the usability aspect. The average user has to use passwords across many sites, and the number keeps growing. Either you use the same password, or a few similar ones, across sites, which is insecure, or you have to remember a different one for each site. Either way, it isn’t ideal. A report by identity vendor CSID found that amongst U.S. consumers, 61% reused the same password across multiple sites and 46% had 5 or more passwords to remember. You can, of course, use a password manager, but that brings its own issues.
As an alternative, social and similar platforms, such as Facebook, Twitter, Google, PayPal and Amazon, offer federated login, which can be used in place of a username and password. There are pros and cons to the use of this type of credential, of course.
And when you bring the password into the Enterprise, usage behavior becomes even more concerning. Password sharing is one of the most prevalent insider threats. A survey by Centrify into password habits found that 52% of U.S. based IT administrators had shared their username and password with a contractor, and 59% had shared them with a colleague.
A Multitude of Options with Multiple Factor Authentication
The username and password issues above lead on to the question of how we can improve things without upsetting the apple cart too much; after all, in the main, we like passwords.
If a username and password are something we know, we can call this a first factor. If something we have, like a mobile device, is also used to log in alongside the username and password, then that becomes a second factor, or 2FA. 2FA is becoming more popular because it multiplies the effort needed to log in to any system, and it can be highly preventative against phishing attempts.
The types of second factor available are increasing, but the most common are mobile device based apps, or codes sent by SMS text. You also get hardware devices, or ‘security tokens’, especially in enterprise environments, but these were becoming less attractive because each device has a cost, and BYOD meant that employees were already using smartphones at work, so why not utilize those. However, a recent innovation in security tokens, U2F, has made them more attractive as an option.
Mobile App Based 2FA
Mobile based 2FA apps offer support for the following options:
- HOTP: A code is sent to the mobile app, and this code is hashed. The user enters the code into the application during login, after they have entered their first factor.
- TOTP: This is also a code, but it is time-limited, i.e. it is only valid for a few seconds, and it must again be entered after the first factor has been entered for login.
One of the issues surrounding mobile code based access is security, as some implementations are more secure than others. The most secure way of using a mobile app based 2FA method is for the app to communicate the code directly to the back end of the application, rather than the user typing the code into a user interface, which leaves it open to a Man-in-the-Middle attack.
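As an added example (my own code, not from the original post or any vendor's app), here is a minimal HOTP (RFC 4226) and TOTP (RFC 6238) generator together with the server-side verifier a back end should run when a code arrives. The secret is the published RFC 4226 test vector, not a real key; the 30 second step, the one-step clock-skew window, the HOTP look-ahead of five counters and the single-use rule are my own design choices. The verifier compares in constant time and refuses a code that has already been accepted, so a code captured in transit cannot simply be replayed once it has been used.

```python
import hashlib
import hmac
import struct

# RFC 4226 test secret (ASCII "12345678901234567890"): a published test vector, not a real key.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated to `digits`."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24
              | mac[offset + 1] << 16
              | mac[offset + 2] << 8
              | mac[offset + 3])
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is the Unix time divided by the time step."""
    return hotp(secret, at // step, digits)


def _codes_match(expected: str, submitted: str) -> bool:
    # Constant-time comparison; encoding to bytes keeps non-ASCII input from raising.
    return hmac.compare_digest(expected.encode(), submitted.encode())


class TotpVerifier:
    """Server-side TOTP check: small skew window, constant-time compare, each counter accepted once."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self.last_accepted = -1  # highest counter value already used by this user

    def verify(self, submitted: str, at: int) -> bool:
        current = at // self.step
        for candidate in range(current - self.window, current + self.window + 1):
            if candidate <= self.last_accepted:
                continue  # replay of an already consumed code (or older) is rejected
            if _codes_match(hotp(self.secret, candidate, self.digits), submitted):
                self.last_accepted = candidate
                return True
        return False


class HotpVerifier:
    """Server-side HOTP check with a look-ahead window to resynchronise a client that skipped codes."""

    def __init__(self, secret: bytes, digits: int = 6, look_ahead: int = 5):
        self.secret, self.digits, self.look_ahead = secret, digits, look_ahead
        self.counter = 0  # next counter value the server expects

    def verify(self, submitted: str) -> bool:
        for candidate in range(self.counter, self.counter + self.look_ahead + 1):
            if _codes_match(hotp(self.secret, candidate, self.digits), submitted):
                self.counter = candidate + 1  # codes at or below the accepted counter are burned
                return True
        return False


if __name__ == "__main__":
    # Constructed demonstration against the RFC test vectors.
    print("HOTP counter 0:", hotp(RFC_TEST_SECRET, 0))
    print("TOTP at t=59 (8 digits):", totp(RFC_TEST_SECRET, 59, digits=8))
    v = TotpVerifier(RFC_TEST_SECRET)
    code = totp(RFC_TEST_SECRET, 59)
    print("first use accepted:", v.verify(code, 59), "replay accepted:", v.verify(code, 59))
```

The single-use rule closes replay, but it does not stop a relay attack that forwards a freshly entered code to the real site within its validity window; that is why the post's point about having the app talk to the back end directly, rather than the user typing the code into a web form, still stands.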
SMS Based 2FA
Mobile phones, including those that aren’t smartphones, as well as modern landlines, can receive SMS based codes as a second factor for login. One of the downsides of SMS code based 2FA is that it costs the vendor who sends out the codes, as this is generally done via a third party SMS gateway.
The security tokens mentioned earlier have been improved in recent years by a new authentication protocol called U2F, developed by a consortium of large technology vendors, including Google, known as the FIDO Alliance. In fact, Google has implemented a version of U2F based on a key which is inserted into a USB port, the user ‘clicking’ a button on the key to sign into web apps. Of course, the issue with this is that if you are using an iPad or smartphone for access there is no USB port.
You’ll Know It’s Me
The next major advance in authentication is the biometric. Anyone with an iPhone 5S or later will know about its Touch ID biometric login system, which uses a fingerprint to unlock the phone for use. This is probably the most well known type of biometric in common use, and it has certainly broken down some of the barriers to biometric acceptance.
One of the earlier barriers to success with biometrics was an alarmingly high rate of false negatives and false positives. Advances such as that seen at Carolinas Healthcare System, which uses the veins in a person’s palm, have seen match rates increase to 99.9% over the last ten years. This is another barrier to biometrics that is breaking down, allowing wider uptake of the method.
It looks like biometrics will be used more and more. As biometric management and the accuracy of biometric results advance, and as the spectrum of biometric types increases, it becomes a natural way to log in and so will be opted for by the user.
Adaptive authentication is less an authentication method and more a way of using existing methods more efficiently, with added security and improved usability. It allows you to configure policies which determine the level of authentication required under any given circumstance, and it works by assessing the risk level of a specific access attempt. The best way to describe it is with examples. You could set a policy that says that if a user is attempting access from a given IP address or IP range, such as you’d get when accessing from within the headquarters of an enterprise, then single sign-on (SSO) is allowed. Or you could allow access from certain devices within a given geographic location, but only with a second factor. Another example could be to increase the login requirements, even going as far as to ask knowledge based questions, if certain criteria are not met, or if there is a pattern of failed login attempts, and so on.
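As an added example (my own code, not the post's or any vendor's product), here is a small policy engine that turns the scenarios just described into a risk score and an authentication level: HQ network gets SSO, off-network or unmanaged devices get a second factor, and an unexpected country or a run of failed logins escalates to knowledge based questions. The network ranges, country list, device identifiers, thresholds and scoring weights are all constructed placeholders chosen for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample policy data (placeholders, not a real organisation's configuration).
HQ_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),       # internal HQ range (assumed)
               ipaddress.ip_network("203.0.113.0/24")]   # HQ public egress (documentation range)
ALLOWED_COUNTRIES = {"GB", "US"}                         # where this user population normally works
MANAGED_DEVICES = {"laptop-0042", "phone-0017"}          # device ids enrolled with the enterprise
FAILED_ATTEMPT_THRESHOLD = 3                             # recent failures that count as a pattern

# Authentication levels, ordered from least to most demanding.
SSO = "sso"                              # existing single sign-on session is enough
PASSWORD_2FA = "password+2fa"            # first factor plus a second factor
PASSWORD_2FA_KBA = "password+2fa+kba"    # additionally ask knowledge based questions


@dataclass(frozen=True)
class AccessAttempt:
    user: str
    source_ip: str
    country: str          # geolocation of the source address, e.g. "GB"
    device_id: str        # identifier presented by the client device
    recent_failures: int  # failed logins for this user in the recent window


def assess_risk(attempt: AccessAttempt):
    """Score an attempt against the policy; return the score and the reasons for the audit log.

    Weights are assumed for illustration: off-network 2, unexpected country 3,
    unmanaged device 2, pattern of failed logins 3.
    """
    score, reasons = 0, []
    ip = ipaddress.ip_address(attempt.source_ip)
    if not any(ip in net for net in HQ_NETWORKS):
        score += 2
        reasons.append("outside HQ network")
    if attempt.country not in ALLOWED_COUNTRIES:
        score += 3
        reasons.append(f"unexpected country {attempt.country}")
    if attempt.device_id not in MANAGED_DEVICES:
        score += 2
        reasons.append("unmanaged device")
    if attempt.recent_failures >= FAILED_ATTEMPT_THRESHOLD:
        score += 3
        reasons.append(f"{attempt.recent_failures} recent failed logins")
    return score, reasons


def required_authentication(score: int) -> str:
    """Map a risk score onto the authentication level the policy demands."""
    if score == 0:
        return SSO
    if score <= 4:
        return PASSWORD_2FA
    return PASSWORD_2FA_KBA


def decide(attempt: AccessAttempt):
    """Full policy decision for one attempt: (required level, reasons)."""
    score, reasons = assess_risk(attempt)
    return required_authentication(score), reasons


if __name__ == "__main__":
    # Constructed attempts covering each scenario in the text.
    samples = [
        AccessAttempt("alice", "10.1.2.3", "GB", "laptop-0042", 0),       # at HQ on a managed laptop
        AccessAttempt("alice", "198.51.100.7", "GB", "laptop-0042", 0),   # managed device, off-site
        AccessAttempt("bob", "198.51.100.7", "BR", "phone-0017", 0),      # unexpected country
        AccessAttempt("carol", "10.9.9.9", "US", "unknown-tablet", 4),    # unmanaged, failed logins
    ]
    for attempt in samples:
        level, reasons = decide(attempt)
        print(f"{attempt.user:6} -> {level:18} {'; '.join(reasons) or 'no risk signals'}")
```

Returning the reasons alongside the decision matters for operations: the same signals that step up authentication are the ones a SOC wants in the log when investigating a pattern of failed logins or access from an unexpected location.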
Adaptive authentication is a really good way of making the most of what you’ve got, and it can really help with resource protection and handling varying levels of risk, especially in an extended supply chain where a variety of people across many jurisdictions require access rights.