Ready for more secure authentication? Try these password alternatives and enhancements

Password-only authentication is dead. Combine passwords with multifactor authentication, social login, biometrics, or risk-based authentication to better protect users and your reputation.

Page 2 of 3

“Social logins are interesting because we have really strong OAuth built around them,” says Irwin. “They do two things: They connect your social media account with services where you don’t want your social media provider partaking in, especially if there’s a way to target ads against them.” She adds that social media companies already have so much data about a person that can be used in ways they don’t expect. Giving them more information through social logins so those companies know all your relationships on the web, “is not OK. It’s a little creepy,” she says.  

Irwin sees social login having value in some instances. “For shopping websites or websites where users don’t maintain good user names and passwords, [social login] takes away a lot of the work the user has to do. That’s awesome,” she says, “but it also makes the password and user name for the social media site super, super valuable.” Irwin says that family members, domestic partners or friends who are angry with a user sometimes use that person’s social media login to make trouble. “It could be pretty catastrophic.”

Kaskade believes the risks associated with social login are being mitigated by companies who implement it smartly. For example, an organization might use social login as part of a “light” authentication scheme, such as using, say, Facebook for simple services like downloading gated content, and then requiring a higher level of login security (e.g., MFA) for access to more sensitive information, such as your checking account.

He notes that even banks and healthcare providers—highly regulated organizations when it comes to protecting individuals’ data—are starting to use social login where it makes sense. They do so to make it easier on people and reduce what he calls registration and login fatigue, but they obviously augment social login with other means of identification. Janrain’s social login product adds security by allowing organizations to set up rules around user behavior. “If someone logs in from the U.S. and a few minutes later logs in from the Middle East, it knows from simple rule sets to enforce MFA,” says Kaskade.
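The geo-velocity rule Kaskade describes can be written as a small policy check: if the distance between two logins divided by the time between them is faster than anyone could travel, the second login is made to pass MFA. The following is an added example, not Janrain's product code; the 1,000 km/h speed limit, the fail-closed handling of out-of-order timestamps and the sample logins are assumptions constructed for the illustration.

```python
"""Impossible-travel rule (added example, not Janrain's product logic).

Each login carries an approximate geolocation. If the great-circle distance
from the user's previous login, divided by the elapsed time, exceeds a speed
no traveller could reach, the rule asks for MFA instead of allowing the login.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Assumed threshold: faster than an airliner means the two logins cannot both
# have been made in person by the same user.
MAX_PLAUSIBLE_SPEED_KMH = 1000.0


@dataclass
class Login:
    user: str
    when: datetime
    lat: float
    lon: float
    label: str  # human-readable place, kept only for the audit trail


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    earth_radius_km = 6371.0
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = (sin(dphi / 2) ** 2
         + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlam / 2) ** 2)
    return 2 * earth_radius_km * asin(sqrt(a))


def decide(previous, current):
    """Return 'allow' or 'require_mfa' for `current`, given the same user's
    previous login (None when the user has not been seen before)."""
    if previous is None:
        return "allow"
    hours = (current.when - previous.when).total_seconds() / 3600.0
    if hours <= 0:
        # Out-of-order or duplicate timestamp: fail closed and ask for MFA.
        return "require_mfa"
    km = haversine_km(previous.lat, previous.lon, current.lat, current.lon)
    if km / hours > MAX_PLAUSIBLE_SPEED_KMH:
        return "require_mfa"
    return "allow"


def evaluate(logins):
    """Replay logins in time order; return (user, place, decision) per login."""
    last_seen = {}
    decisions = []
    for login in sorted(logins, key=lambda item: item.when):
        decision = decide(last_seen.get(login.user), login)
        decisions.append((login.user, login.label, decision))
        last_seen[login.user] = login
    return decisions


def at_utc(hour, minute):
    return datetime(2024, 1, 15, hour, minute, tzinfo=timezone.utc)


# Constructed sample: alice logs in from New York and five minutes later from
# Dubai; bob logs in from New York and four hours later from Boston.
SAMPLE_LOGINS = [
    Login("alice", at_utc(9, 0), 40.71, -74.01, "New York"),
    Login("alice", at_utc(9, 5), 25.20, 55.27, "Dubai"),
    Login("bob", at_utc(9, 0), 40.71, -74.01, "New York"),
    Login("bob", at_utc(13, 0), 42.36, -71.06, "Boston"),
]

if __name__ == "__main__":
    for user, place, decision in evaluate(SAMPLE_LOGINS):
        print(f"{user:6} {place:9} -> {decision}")
```

Alice's second login covers roughly 11,000 km in five minutes and is sent to MFA; Bob's 300 km in four hours is well under the limit and is allowed. In production the geolocation comes from an IP-to-location lookup whose accuracy is itself uncertain, which is one reason the rule steps up to MFA rather than denying outright.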

Biometrics: Not as foolproof as you might think

The term “biometrics” encompasses a range of authentication methods that scan some physical attribute of a person—including the face, the eye’s iris, a heartbeat, vein pattern, or fingerprint—to prove identity. These attributes are unique to an individual, which has advantages and disadvantages for authentication purposes.

One advantage of biometrics is that it’s convenient for users. With the press of a thumb or a scan of the face, users can access their devices or services without having to remember a password or answers to security questions. The downside is that biometrics are far from foolproof. The latest face ID technology from Apple was defeated by a 3D-printed copy of a face. Less advanced face ID technology is fooled by a photo of the authorized person.

A person’s biometric data is stored as a digital profile, which can be stolen. Once that happens, it’s useless for authentication. “I’m not a fan of passwords, but you can change them,” says Sverdlove. “What happens when a fingerprint gets stolen, when a face is stolen, when DNA is stolen? It’s all immutable and impossible to change.”

Stealing biometric data is considered harder than stealing or cracking a password, and the risk of a thief targeting a single individual’s biometric data is low. The risk rises significantly if the thief can target many profiles. “Millions of fingerprints stored in a clearinghouse will become a target,” says Sverdlove. “Once they are compromised, there’s not a lot of recourse.”

Sverdlove advocates that companies not create a single repository for biometric data. “Learn from the lessons of the past: No single database storing everything. It will get stolen,” he says.

Behavioral biometrics: A key part of the solution

Behavioral biometrics analyzes user behavior to provide a confidence rating that persons trying to access a service are who they claim to be. Behavioral biometrics tools work transparently in the background, so users do not necessarily know they are being authenticated. Those tools typically leverage technology in the user’s device, including accelerometers, pressure sensors, and touch screens.

The signals from the device and its sensors identify individuals based on their typing speed, hand movements, or even how they hold a device. Collectively, these signals build a digital profile of each individual that is then tokenized and encrypted. If the token is compromised, the biometric profile is still secure and usable.

“Behavioral biometrics are a next generation technology looking specifically at behavioral factors and trying to use as a form of authentication,” says Ben Goodman, VP global strategy and innovation at identity management provider ForgeRock. “We’re hearing a lot of demand from customers around the space. Anything that aids in the elimination of passwords is super beneficial to the end user’s quality of experience as well as increasing security.”

Goodman cautions “not to get caught up in irrational exuberance” over behavioral biometrics or any other authentication technology. “We don’t see any one authentication technology as the answer in itself. We see them all working together as tools to improve the user experience and user security. Whether they use a password or traditional biometrics with face ID or touch ID. It works in conjunction with them. The right toolset will allow you to orchestrate these different modalities, methodologies, and signals that you get during a user authentication and provide the most secure authentication possible.”

For example, behavioral biometrics can be useful for avoiding robotic account takeovers. A bot would enter data, such as user names and passwords, using a much different cadence than a human, says Goodman. “I’m able to build a profile for how the human on that device or the human on the other end of that website interacts with it. When a bot or something else starts interacting, we’re going to see that there’s a pretty significant differentiation in the way those two things interact with a site or an app.”
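Goodman's point about cadence can be made concrete. The following is an added example, not ForgeRock's or its partners' code: it reduces keystroke timestamps to inter-key intervals, builds a per-user profile from constructed enrollment sessions, scores a new attempt by how far its cadence sits from that profile, and gives zero confidence to input that arrives faster or more uniformly than any human types. The thresholds, the scoring formula and all sample timings are assumptions.

```python
"""Typing-cadence check (added example; not ForgeRock's or any vendor's code).

Keystroke timestamps from a login form are reduced to inter-key intervals.
A profile is built from a user's enrollment sessions; an attempt is scored by
how far its cadence sits from that profile, and scripted input (very fast or
near-uniform intervals) is given zero confidence outright.
"""
from statistics import mean, pstdev

# Assumed thresholds for scripted input: humans rarely average under 20 ms
# between keys, and never type with almost no variation between keystrokes.
BOT_MAX_MEAN_MS = 20.0
BOT_MAX_CV = 0.05


def intervals_ms(timestamps_ms):
    """Inter-key intervals from key-down timestamps (ms, ascending)."""
    if len(timestamps_ms) < 2:
        raise ValueError("need at least two keystrokes")
    return [b - a for a, b in zip(timestamps_ms, timestamps_ms[1:])]


def cadence_features(timestamps_ms):
    """Mean interval and its coefficient of variation (spread / mean)."""
    iv = intervals_ms(timestamps_ms)
    m = mean(iv)
    cv = pstdev(iv) / m if m > 0 else 0.0
    return {"mean_ms": m, "cv": cv}


def build_profile(sessions):
    """Pool the intervals of all enrollment sessions into a mean and spread."""
    pooled = [x for session in sessions for x in intervals_ms(session)]
    return {"mean_ms": mean(pooled), "std_ms": max(pstdev(pooled), 1.0)}


def score_attempt(profile, timestamps_ms):
    """Confidence in [0, 1] that the attempt was typed by the enrolled user."""
    f = cadence_features(timestamps_ms)
    if f["mean_ms"] < BOT_MAX_MEAN_MS or f["cv"] < BOT_MAX_CV:
        return 0.0  # a cadence only a script produces
    # Distance from the user's mean cadence in units of the profile's spread;
    # three spreads away or more yields no confidence at all.
    z = abs(f["mean_ms"] - profile["mean_ms"]) / profile["std_ms"]
    return max(0.0, 1.0 - z / 3.0)


# Constructed enrollment sessions (key-down timestamps in ms) for one user.
ENROLLMENT = [
    [0, 180, 390, 540, 780, 970],
    [0, 170, 390, 550, 750, 980],
    [0, 200, 380, 530, 740, 930],
]
PROFILE = build_profile(ENROLLMENT)

# Constructed attempts: the same person at a similar cadence, a script firing
# a key every 5 ms, and a slower script with perfectly regular 100 ms gaps.
HUMAN_ATTEMPT = [0, 190, 400, 560, 790, 990]
FAST_BOT_ATTEMPT = [0, 5, 10, 15, 20, 25]
REGULAR_BOT_ATTEMPT = [0, 100, 200, 300, 400, 500]

if __name__ == "__main__":
    print("profile:", PROFILE)
    print("human:      ", round(score_attempt(PROFILE, HUMAN_ATTEMPT), 2))
    print("fast bot:   ", score_attempt(PROFILE, FAST_BOT_ATTEMPT))
    print("regular bot:", score_attempt(PROFILE, REGULAR_BOT_ATTEMPT))
```

The score is one signal among several, as Goodman says, and the example deliberately returns a confidence rather than a verdict so that a policy layer can decide how much weight to give it. Real products use far richer features (key hold times, digraph timings, touch pressure), but the principle of comparing an attempt against a learned distribution and rejecting cadences no human produces is the same.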

Because it works transparently to the user, behavioral biometrics is particularly useful to authenticate in the background for low-risk actions such as checking a bank balance. The user can quickly complete the task without interruption as long as the software’s confidence rating is sufficient.

Even if behavioral biometrics can identify a user with enough confidence to allow that user to do more sensitive tasks, such as transfer funds, Goodman suggests that you might want to “introduce some sort of friction to the process” to give the user confidence that they are indeed being authenticated. ”A user may find it really jarring if they open up your app, go to transfer $10,000 and they’re never prompted to put their thumbprint down or take a selfie or do something that adds friction to the process,” he says. “We can interject that extra friction and that extra security based on the risk or value of a specific transaction and do that when appropriate as opposed to throwing up a bunch of prompts at the front door. That provides a better user experience and we think better security in the long run.”

The growth of mobile devices has made behavioral biometrics a much more viable authentication tool, Goodman believes. “More people are doing services in a mobile context. That allows us to collect a lot more data, because the phones and tablets have so many sensors on them now,” he says. Using the sensors on those devices, he adds, behavioral biometrics providers like ForgeRock’s partners have a lot more data collected over a longer period of time. Using machine learning and artificial intelligence, they’ve been able to create more reliable profiles. “That’s all allowed us to get much higher levels of confidence in these behavioral biometric solutions. That’s why we’re seeing a little bit of a groundswell in the adoption of those technologies,” he says.

With all that user data, however, comes the risk of violating the ever-growing number of privacy regulations. That’s why it’s important for behavioral biometrics to be paired with tools like ForgeRock's to give users some control over it. Goodman says that privacy and consent are big concerns for ForgeRock. “We have a technology called ‘user managed access,’ which is built into our platform, that allows a user to manage PII [personally identifiable information] and consent to share data. Anyone who tries to implement these types of services and doesn’t take into consideration the long-term privacy effects are setting themselves up for failure. All the brand equity that you potentially gain by providing a more delightful, more secure user experience is lost if you violate peoples’ PII.”

A potential barrier to using behavioral biometrics is integrating the technology with legacy systems. “It's rarely so easy that you can just install this stuff and have it go,” says Goodman. “You need all the connective tissue that makes this stuff possible in the real world.” He notes that some companies just want to drop behavioral biometrics into what they already have. “It’s not that simple. You need to connect it to legacy systems, to the development environment, SDKs, APIs, everything—all those supporting technologies that make that stuff work.”

Risk-based authentication: Eliminating the password

Passwords, MFA, social login and biometrics all place the burden of proving identity on the user. Risk-based authentication allows organizations to take responsibility for identity assurance. It’s not a new concept. Credit card issuers, for example, have been using risk-based analytics to detect fraud by looking for abnormal transaction patterns.

Device metrics, or behavioral biometrics, are one aspect of risk-based authentication aimed at eliminating passwords. Software analyzes typing patterns, how a user interacts with a screen, the device IP address, or geographic location to match that data and behavior to a specific user. That usage profile is built up over time through machine learning, although data such as IP address and location is pulled in directly from the network.

“You as an organization may define what is or isn’t an acceptable geolocation,” says Block. “We start to chart where you as an individual come from. We plot where you come from, the browser type of your devices, the phone number you might be using.” This allows the software to determine whether the call is coming from a known carrier within the geography. Combined with a person’s device usage profile, the risk-based authentication system can make a reasonably accurate decision whether to grant access without requiring a password.

“Your end user thinks, ‘I won’t have to use a password,’” says Irwin. “That’s great, but they give up super private information they didn’t know was valuable. Would you want an app provider to know how you used your phone all the time, how you touched it, when you touched it, when you clicked ‘yes’ or ‘no.’ I wouldn’t want that information captured for me. Sometimes this happens inside of apps for advertising purposes.”

Risk-based authentication is not foolproof. People tend to be predictable in their behavior, but circumstance can lead to changes that give false positive results for fraud. “What happens when someone has Carpal Tunnel Syndrome?” asks Sverdlove. “Behavioral biometrics represent another criterion to be used. It should never be used in exclusivity.” Sverdlove notes that a person’s digital behavioral profile can also be spoofed or altered by a determined criminal, though not easily.

Metrics like typing or screen swipe patterns are dependent on what the user is doing with the device. “There are inherent issues with [keyboard and screen metrics] in that some of it is very application dependent,” says Block. That makes it harder to understand and interpret the keystrokes. SecureAuth uses behavioral metrics, but also relies on hardware-based metrics like mobile gates and device type.

Finding the best authentication strategy

There is no one answer that can replace or strengthen password authentication across the board. Organizations need to take a risk-based approach that assesses the value of the data being protected, the likelihood of abuse, and the consequences of a compromised identity. For most, this means matching authentication to the application or circumstance and backing it up with some type of MFA.

For example, a bank might require customers to provide only a password at login. This lets customers see basic information about their account. If a customer wants to perform a transaction, the bank might ask for more identifying data such as a verification code. At the same time, the bank uses behavioral analytics software to see if the usage patterns and device metrics during the session match those associated with that customer. If something falls outside a predetermined parameter, further authentication is requested or access is denied or limited.
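The tiered bank policy described above, together with Block's notion of acceptable geolocations and Goodman's point about adding friction to high-value transfers, can be expressed as a single step-up decision function. This is an added example, not any vendor's engine: the action tiers, the point weights for each risk signal, the deny and step-up thresholds and the high-value cutoff are all assumptions, and the behavioral confidence score is taken as an input from a separate behavioral-biometrics component rather than computed here.

```python
"""Risk-based step-up policy (added example; not any vendor's engine).

Decides per request whether to allow, ask for an additional factor, or deny,
from (a) how sensitive the requested action is, (b) whether a second factor
has already been presented in the session, and (c) risk signals such as
device familiarity, geolocation and a behavioral-biometrics confidence score.
"""
from dataclasses import dataclass

# Assumed action tiers: 1 = read-only, 2 = moves money or changes the account.
ACTION_TIER = {
    "view_balance": 1,
    "view_statement": 1,
    "transfer": 2,
    "change_contact": 2,
}
HIGH_VALUE_THRESHOLD = 5000.0  # assumed: a fresh factor is always demanded above this
DENY_AT = 70      # assumed risk points at which the request is refused
STEP_UP_AT = 30   # assumed risk points at which even read-only actions need a factor


@dataclass
class Session:
    strong_auth: bool           # True once a second factor has been presented
    known_device: bool          # device fingerprint previously seen for this user
    geo_allowed: bool           # inside the organization's acceptable geolocations
    behavior_confidence: float  # 0..1, supplied by a behavioral-biometrics engine


def risk_score(session):
    """Additive risk points from the session's signals, with the reasons."""
    score, reasons = 0, []
    if not session.known_device:
        score += 30
        reasons.append("unknown device")
    if not session.geo_allowed:
        score += 50
        reasons.append("geolocation not allowed")
    if session.behavior_confidence < 0.5:
        score += 40
        reasons.append("behavior does not match profile")
    elif session.behavior_confidence < 0.8:
        score += 15
        reasons.append("behavior match uncertain")
    return score, reasons


def decide(session, action, amount=0.0):
    """Return (decision, reasons) where decision is 'allow', 'step_up' or 'deny'."""
    risk, reasons = risk_score(session)
    tier = ACTION_TIER.get(action, 2)  # unknown actions are treated as sensitive
    if risk >= DENY_AT:
        return "deny", reasons
    if tier == 1:
        return ("step_up" if risk >= STEP_UP_AT else "allow"), reasons
    if amount >= HIGH_VALUE_THRESHOLD:
        # Deliberate friction on large transfers even in a strongly authenticated session.
        return "step_up", reasons + ["high-value transaction"]
    if not session.strong_auth:
        return "step_up", reasons + ["second factor not yet presented"]
    if risk >= STEP_UP_AT:
        return "step_up", reasons
    return "allow", reasons


# Constructed sessions covering the cases in the text.
TRUSTED = Session(strong_auth=False, known_device=True, geo_allowed=True, behavior_confidence=0.9)
VERIFIED = Session(strong_auth=True, known_device=True, geo_allowed=True, behavior_confidence=0.9)
UNCERTAIN = Session(strong_auth=False, known_device=True, geo_allowed=True, behavior_confidence=0.3)
SUSPECT = Session(strong_auth=False, known_device=False, geo_allowed=False, behavior_confidence=0.9)

if __name__ == "__main__":
    for label, session, action, amount in [
        ("trusted / view", TRUSTED, "view_balance", 0),
        ("trusted / transfer", TRUSTED, "transfer", 500),
        ("verified / transfer", VERIFIED, "transfer", 500),
        ("verified / big transfer", VERIFIED, "transfer", 10000),
        ("uncertain / view", UNCERTAIN, "view_balance", 0),
        ("suspect / view", SUSPECT, "view_balance", 0),
    ]:
        print(f"{label:24} -> {decide(session, action, amount)}")
```

Returning the reasons alongside the decision matters in practice: it lets the step-up prompt explain itself to the user, gives the fraud team an audit trail, and makes the policy's weights reviewable rather than opaque. The same function handles the session in the article's example, where a password is enough to view a balance, a transfer asks for a code, and a session whose device and location both look wrong is refused regardless of what it asks for.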
