What is the future of authentication? Hint: It’s not passwords, passphrases or MFA

Passphrases and MFA are not password saviors. Ultimately, authentication will rely on algorithms to determine user identity and detect fraudulent actions.


The future of authentication is not more complex passwords or passphrases and better multi-factor authentication (MFA). Instead, most authentication will happen in the background, invisible to the user, much like the way credit card companies have been doing fraud detection. They have been dealing with low-friction, risk-analysis-based authentication for decades and are the super geniuses in this space. Their experience and intelligence are being mapped over to the rest of the digital world. The keywords of this authentication paradigm shift are continuous, frictionless, risk-based, behavior-based authentication.

People who rail on about password ineffectiveness often point to longer (but not necessarily more complex) passphrases and multi-factor authentication (MFA) as the solutions to the problem. Luckily, they won’t be.

I’ve recently covered some of the issues with passwords, long passphrases, and MFA. To recap, regular long and complex passwords that are frequently changed actually increase the risk that you or your company will be compromised. The National Institute of Standards and Technology (NIST) has recommended for years, through NIST Special Publication 800-63, that people and companies not use them. Many experts are recommending long, non-complex passphrases as the solution. A growing chorus of experts, including myself, are calling for more use of password managers and MFA.

The problem with giving current best advice is people are sometimes under the false impression that it’s the best advice for the long-term. This problem is what is still leading 99.999% of computer security experts to recommend and companies to use long, complex, and frequently changing passwords, despite gobs of data to the contrary. It reminds me of the William Faulkner quote, “The past is never dead. It’s not even the past.”

The problem with MFA

MFA has many problems, not to mention the fact that it can often be easily hacked. Sometimes it’s as simple as sending a regular phishing email. I’ve been giving seminars on how to hack 2FA all around the world, including at Black Hat Las Vegas.
