A look into authentication for the day after passwords

Much buzz has been recently generated by Apple’s most prominent new feature on the iPhone X—the face-recognition technology for unlocking the phone. Unfortunately, the authentication failed in spectacular fashion when Apple’s software head Craig Federighi announced that unlocking the phone was “as easy as looking at it and swiping up”—except that it wasn’t. He subtly called for backup to unlock the phone and the show continued.

Upon looking at the large screen above the stage, viewers saw the same classic numbers dial for entering a code, unchanged since the first iPhone (and original phone dials for that matter). Companies from Apple to your local bank are still grappling with ways to replace the password to increase security and improve user experience.

This drive to replace the password is for good reason. They are the cause of anguish and user friction, and are easy to steal. A recent 2017 Verizon survey noted that when analysing all hacker and malware attacks, a whopping 81% were based on stolen passwords alone. Companies still rely on it nonetheless, even if paired with technology like Apple’s new face-recognition. Enterprises have particular challenges, as we’ve seen cases where one compromised password resulted in entire networks being infiltrated.

There have been a number of trends led by startups over the past three years preparing for a time post-passwords. Alternatives and complementary solutions are quietly being implemented by major US banks, enterprises, and consumer software companies, and now is the time for enterprises to reframe the way they understand authentication in general. If companies can successfully diversify their authentication strategies while raising the level of security, they will be able to abandon passwords completely.

The iPhone X face-recognition technology for example, follows an acquisition of Israeli face-recognition startup called RealFace this year, and the 2014 acquisition of the 3D sensing company: Primesense.

What do you need to understand about authentication?

All authentication can be divided up into three categories: what you know, who you are, and what you have. Companies looking to strengthen security and abandon the password first need to understand this to move forward.

What you know

Passwords are something that you know. Security questions, such as “what is your mother’s maiden name,” are other pieces of information that you know. It can be hard for an outsider or fraudster to guess something that only you know, but it’s not impossible. The problem is that this information can be easily stolen or intercepted when written online, and easily forgotten by users.

Methods of authentication based on what people know has traditionally been the common for securing networks or applications. Lately, some companies looking to take this type of authentication to the next level ask questions about previous transactions or activities that they have tracked, in addition to passwords.

Who you are

The use of behavioural biometrics, or the “measurement of patterns relating to human activity” is not new—though it has begun playing a greater role in authentication beyond the password. With the help of tools generated by companies like BioCatch, NuData, and BehavioSec, sites and apps now record hundreds or parameters based on the way you interact with your computer or smartphone, and use that information to authenticate users.

BioCatch, for example, generates a profile for each user logging in to a system. They activate invisible tests to see how a user would react, like causing the cursor to disappear for a fraction of second. They then record the way you respond (how you swipe, use the mouse, speed, etc.) and use that information to authenticate in the future.

Companies – and particularly banks – are adopting this technology. NatWest, a major UK bank, has publicly acknowledged the ability of behavioural biometrics to stop fraudulent funds transfer attempts in real time, but this is the exception. Biometrics have not succeeded in serving as a sole replacement to the password.

It also has hurdles ahead. A recent announcement by the National Institute of Standards and Technology (NIST) reports that biometrics is indeed a good enough tool to serve as a secondary means of authentication, but is not yet strong enough as an industry to stand on its own. There is also a trade off – the higher level of sensitivity in a given biometric authentication the more friction it is likely to cause. People also often cannot share devices or log into a joint account when biometrics are used on their own.

What you have

There are a number of ways to authenticate people based on what they have. A push notification on a user’s phone would be one classic example, or an RSA SecurID token would be another. There have been a number of attempts to replace passwords with physical items alone, but none have successfully served as an absolute substitute especially for enterprise networks.

Major companies and startups alike (like RSA, Gemalto, Pico, Yubico) have been looking to innovate new ways to authenticate using items users hold. For example, Yubico invented a tiny USB key that you can plug in to log into applications or networks at a fraction of the size of the legacy tokens. The smaller the size of the item however, the more likely it is to be lost or kept in a computer (meaning the account is always logged in creating a lapse in security). We’ve seen less startups focused on items people have, perhaps because of the requirement for hardware in addition to software, despite the efforts to integrate physical objects for network authentication.

In terms of consumer authentication, major companies have begun spearheading authentication based on what you have. Google recently introduced Google Prompt, also known as Google Push, as one of the means to replacing the password altogether and Microsoft introduced Phone Login which has been marketed to companies and individual consumers alike. It remains to be seen if they will be successful.

Can we put the three authentication methods together?

As startups drive innovation within each of those categories, other companies are attempting to devise new ways to mix up the way they are used. One such company, Tel Aviv-based Secret Double Octopus, is applying a method called the secret sharing scheme to develop new authentication patterns that “secretly” combine at least two types of authentication methods.

The secret sharing scheme was developed in the 1970s by noted cryptographer Adi Shamir (who also invented the original RSA algorithm), as a means of preventing individuals from launching rocket attacks on their own within a single army. It requires a combination of various pieces of information—each independent and useless in its own right—to come together to fulfil an action. In our case to authenticate a device, and in the 1970s to potentially launch a missile.

Within the secret sharing scheme, a new method called the key distribution scheme has emerged, which allows different parties holding information to generate their own secret keys, unknown to the other part of the authentication.

With the advance of behavioural biometrics (who you are), authentication through the smartphone and third-party hardware (what you have) along new methods of extracting information you know (what you know), secret sharing could very well replace our reliance on the password as a backup. When applied to an enterprise, an example of how this would work would be: an employee logs in to a network by replying to a push notification to his phone, and is authenticated by answering a question about yesterday’s activities while logged in. It’s kind of like advanced two-step verification without relying on a password or other sole form of authentication.

Amit Rahav, spokesperson for Secret Double Octopus, feels that as “what you have” and “what you are” become more effective, the use of secret sharing is the best shot to replace passwords. A recent partnership between SecureAuth and startup Safe-T highlights the drive to decentralisation, and implementing multiple authentication engines as part of granting access to databases or a data exchange, similar to secret sharing.

What is the future of passwords?

The use of these new tools and methods for authentication in the enterprise depends on the willingness of enterprises to test and use it. According to Toby Olshanetsky, CEO of ProoV—a startup with a platform for performing quick proof-of-concepts for enterprises—a growing number of security and authentication solutions are being testing across industry lines. Platforms like ProoV can pit their effectiveness against each other. Some of the industries mentioned were the financial sector, agriculture companies, insurance and pharma companies, retail, and much more.

According to executives at several of the companies mentioned in this article, we can expect the password to no longer serve as the primary authentication method within the next three to six years, though none claimed that they would have expected the password to last as long as it already has. At the current rate of growth, expect to hear much more along the lines of secret sharing, behavioural biometrics, push notifications, and other password alternatives over the course of the next two years.