Ready for more secure authentication? Try these password alternatives and enhancements

Password-only authentication is dead. Combine passwords with multifactor authentication, social login, biometrics, or risk-based authentication to better protect users and your reputation.

Page 2 of 2

“Social logins are interesting because we have really strong OAuth built around them,” says Irwin. “They do two things: They connect your social media account with services where you don’t want your social media provider partaking in, especially if there’s a way to target ads against them.” She adds that social media companies already have so much data about a person that can be used in ways they don’t expect. Giving them more information through social logins so those companies know all your relationships on the web, “is not OK. It’s a little creepy,” she says.  

Irwin sees social login having value in some instances. “For shopping websites or websites where users don’t maintain good user names and passwords, [social login] takes away a lot of the work the user has to do. That’s awesome,” she says, “but it also makes the password and user name for the social media site super, super valuable.” Irwin says that family members, domestic partners or friends who are angry with a user sometimes use that person’s social media login to make trouble. “It could be pretty catastrophic.”

Kaskade believes the risks of social login are being mitigated by companies that implement it smartly. For example, an organization might use social login as part of a “light” authentication tier, accepting, say, a Facebook login for low-value actions such as downloading gated content, and then requiring a higher level of login security (e.g., MFA) for access to more sensitive information, such as a checking account.

He notes that even banks and healthcare providers—highly regulated organizations when it comes to protecting individuals’ data—are starting to use social login where it makes sense. They do so to make it easier on people and reduce what he calls registration and login fatigue, but they obviously augment social login with other means of identification. Janrain’s social login product adds security by allowing organizations to set up rules around user behavior. “If someone logs in from the U.S. and a few minutes later logs in from the Middle East, it knows from simple rule sets to enforce MFA,” says Kaskade.

Biometrics: Not as foolproof as you might think

The term “biometrics” encompasses a range of authentication methods that scan some physical attribute of a person—including the face, the eye’s iris, a heartbeat, vein pattern, or fingerprint—to prove identity. These attributes are unique to an individual, which has advantages and disadvantages for authentication purposes.

One advantage of biometrics is convenience. With the press of a thumb or a scan of the face, users can unlock their devices or services without remembering a password or the answers to security questions. The downside is that biometrics are far from foolproof. Apple’s latest Face ID technology was defeated by a 3D-printed copy of a face, and less sophisticated face-recognition systems can be fooled by a photo of the authorized person.

A biometric is not matched raw; it is enrolled as a digital template, and that template can be stolen like any other stored data. Once it has been, the trait can no longer be trusted as a secret and, unlike a password, cannot be reissued. “I’m not a fan of passwords, but you can change them,” says Sverdlove. “What happens when a fingerprint gets stolen, when a face is stolen, when DNA is stolen? It’s all immutable and impossible to change.”

Stealing biometric data is considered harder than stealing or cracking a password, and the risk of a thief targeting one individual’s biometric data is low. The risk rises significantly when a single breach can expose many profiles at once. “Millions of fingerprints stored in a clearinghouse will become a target,” says Sverdlove. “Once they are compromised, there’s not a lot of recourse.”

Sverdlove advocates that companies not create a single repository for biometric data. “Learn from the lessons of the past: No single database storing everything. It will get stolen,” he says.

Risk-based authentication: Eliminating the password

Passwords, MFA, social login and biometrics all place the burden of proving identity on the user. Risk-based authentication shifts much of that burden to the organization, which weighs contextual signals about each request to decide how much assurance it already has. It’s not a new concept. Credit card issuers, for example, have long used risk-based analytics to detect fraud by looking for abnormal transaction patterns.

Device metrics and behavioral biometrics are one aspect of risk-based authentication aimed at eliminating passwords. Software analyzes how a person types and interacts with a screen, along with the device’s IP address and geographic location, and matches that data and behavior to a specific user. The behavioral usage profile is built up over time through machine learning, while data such as IP address and location is pulled directly from the network.

“You as an organization may define what is or isn’t an acceptable geolocation,” says Block. “We start to chart where you as an individual come from. We plot where you come from, the browser type of your devices, the phone number you might be using.” This allows the software to determine whether the call is coming from a known carrier within the geography. Combined with a person’s device usage profile, the risk-based authentication system can make a reasonably accurate decision whether to grant access without requiring a password.

“Your end user thinks, ‘I won’t have to use a password,’” says Irwin. “That’s great, but they give up super private information they didn’t know was valuable. Would you want an app provider to know how you used your phone all the time, how you touched it, when you touched it, when you clicked ‘yes’ or ‘no.’ I wouldn’t want that information captured for me. Sometimes this happens inside of apps for advertising purposes.”

Risk-based authentication is not foolproof. People tend to be predictable in their behavior, but a change in circumstances can alter it and produce a false positive for fraud. “What happens when someone has Carpal Tunnel Syndrome?” asks Sverdlove. “Behavioral biometrics represent another criterion to be used. It should never be used in exclusivity.” Sverdlove notes that a determined criminal can also spoof or alter a person’s digital behavioral profile, though not easily.

Metrics like typing or screen swipe patterns are dependent on what the user is doing with the device. “There are inherent issues with [keyboard and screen metrics] in that some of it is very application dependent,” says Block. That makes it harder to understand and interpret the keystrokes. SecureAuth uses behavioral metrics, but also relies on hardware-based metrics like mobile gates and device type.

Finding the best authentication strategy

There is no one answer that can replace or strengthen password authentication across the board. Organizations need to take a risk-based approach that assesses the value of the data being protected, the likelihood of abuse, and the consequences of a compromised identity. For most, this means matching authentication to the application or circumstance and backing it up with some type of MFA.

For example, a bank might require only a password at login, which lets customers see basic information about their account. If a customer wants to perform a transaction, the bank might ask for additional proof such as a verification code. Throughout the session, the bank also runs behavioral analytics software to check that the usage patterns and device metrics match those associated with that customer. If something falls outside predetermined parameters, further authentication is requested, or access is denied or limited.
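The step-up policy sketched above, together with the geolocation-velocity rule Kaskade describes (U.S. login followed minutes later by one from the Middle East) and the device and location profiling Block describes, can be made concrete in a small policy engine. The following is an added worked example in Python, not the code of any vendor named on this page. The signal weights, the allow/step-up/deny thresholds, the 1,000 km/h plausibility limit, and the user profile and login events are all constructed assumptions for illustration.

```python
"""Toy risk-based step-up authentication engine (constructed example, not vendor code).
Scores a login attempt against what is already known about the user and decides
whether to allow it, demand a second factor, or deny it."""
from dataclasses import dataclass, field
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
from typing import List, Optional, Set, Tuple

ALLOW, STEP_UP, DENY = "allow", "step_up", "deny"

# Assumed policy weights and thresholds (illustrative, not from any product).
W_UNKNOWN_DEVICE = 25
W_NEW_COUNTRY = 20
W_IMPOSSIBLE_TRAVEL = 40
DENY_AT = 80               # score at or above this: refuse the session
STEP_UP_AT = 20            # score at or above this: demand a second factor
MAX_PLAUSIBLE_KMH = 1000.0  # faster than an airliner counts as impossible travel

@dataclass
class LoginEvent:
    user: str
    ts: datetime
    device_id: str
    lat: float
    lon: float
    country: str
    action: str = "view"  # "view" = read-only; "transact" = move money

@dataclass
class UserProfile:
    known_devices: Set[str] = field(default_factory=set)
    known_countries: Set[str] = field(default_factory=set)
    last_login: Optional[LoginEvent] = None

def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    earth_radius_km = 6371.0
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))

def risk_score(evt: LoginEvent, profile: UserProfile) -> Tuple[int, List[str]]:
    """Pre-auth risk analysis: add up every signal that deviates from the profile."""
    score, reasons = 0, []
    if evt.device_id not in profile.known_devices:
        score += W_UNKNOWN_DEVICE
        reasons.append("unknown device")
    if evt.country not in profile.known_countries:
        score += W_NEW_COUNTRY
        reasons.append("new country")
    prev = profile.last_login
    if prev is not None:
        km = haversine_km(prev.lat, prev.lon, evt.lat, evt.lon)
        hours = (evt.ts - prev.ts).total_seconds() / 3600.0
        if km > 0:
            # Two logins at the same instant from different places are impossible too.
            speed = km / hours if hours > 0 else float("inf")
            if speed > MAX_PLAUSIBLE_KMH:
                score += W_IMPOSSIBLE_TRAVEL
                reasons.append(f"impossible travel: {km:.0f} km in {hours:.2f} h")
    return score, reasons

def decide(evt: LoginEvent, profile: UserProfile) -> Tuple[str, List[str]]:
    """Allow, step up or deny. Sensitive actions always get a second factor."""
    score, reasons = risk_score(evt, profile)
    if score >= DENY_AT:
        return DENY, reasons
    if score >= STEP_UP_AT or evt.action == "transact":
        return STEP_UP, reasons
    return ALLOW, reasons

def record_success(evt: LoginEvent, profile: UserProfile) -> None:
    """Extend the profile only after the user has fully authenticated."""
    profile.known_devices.add(evt.device_id)
    profile.known_countries.add(evt.country)
    profile.last_login = evt

def build_demo_profile() -> UserProfile:
    """Constructed baseline: 'alice' last logged in from New York on a known laptop."""
    profile = UserProfile()
    record_success(LoginEvent("alice", datetime(2018, 10, 1, 9, 0), "laptop-1",
                              40.71, -74.01, "US"), profile)
    return profile

def run_demo() -> List[str]:
    """Evaluate four constructed attempts against the same baseline profile."""
    profile = build_demo_profile()
    attempts = [
        # same laptop, same city, ten minutes later, read-only
        LoginEvent("alice", datetime(2018, 10, 1, 9, 10), "laptop-1", 40.71, -74.01, "US"),
        # same laptop, but in Dubai fifteen minutes after New York
        LoginEvent("alice", datetime(2018, 10, 1, 9, 15), "laptop-1", 25.20, 55.27, "AE"),
        # same laptop, same city, but moving money
        LoginEvent("alice", datetime(2018, 10, 1, 10, 0), "laptop-1", 40.71, -74.01, "US", "transact"),
        # unknown phone, new country, impossible travel: every signal fires
        LoginEvent("alice", datetime(2018, 10, 1, 9, 15), "phone-9", 25.20, 55.27, "AE"),
    ]
    decisions = []
    for evt in attempts:
        decision, reasons = decide(evt, profile)
        print(f"{evt.ts:%H:%M} {evt.device_id:<8} {evt.country} {evt.action:<8} -> {decision:<7} {reasons}")
        decisions.append(decision)
    return decisions

if __name__ == "__main__":
    run_demo()
```

Running the module prints one line per attempt: the local read-only login is allowed, the New York-to-Dubai jump earns a step-up to a second factor rather than an outright refusal, the transaction from a trusted device is stepped up purely because of the action, and the attempt that trips every signal is denied. Note that `record_success` is deliberately separate from `decide`: the profile must only learn from sessions that completed the step-up, otherwise an attacker who gets through once teaches the system to trust their device.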

“We feel that at every authentication point there should be a number of pre-auth risk analysis checks accomplished to help you determine whether this valid user identification is trustworthy enough to allow or deny or step it up for further challenge with another factor,” says Block. He adds that some of SecureAuth’s consumer-focused customers are moving in this direction, but the industry as a whole isn’t there yet.

Most experts don’t see the password disappearing anytime soon, but there is real opportunity to reduce the number of passwords people need to manage. This is particularly true for corporate systems. “We’ve seen companies go to what they say is passwordless but what I’ll say is the reduction of reliance on passwords,” says Block. “If their employees manage 20 different passwords today, maybe they can get down to managing five and the rest are done with some other kind of primary authentication.”
