What is the future of authentication? Hint: It’s not passwords, passphrases or MFA

Oct 03, 2018 | 9 mins

Passphrases and MFA are not password saviors. Ultimately, authentication will rely on algorithms to determine user identity and detect fraudulent actions.

The future of authentication is not more complex passwords or passphrases and better multi-factor authentication (MFA). Instead, most authentication will happen in the background, invisible to the user, much like the way credit card companies have been doing fraud detection. They have been dealing with low friction, risk analysis-based authentication for decades and are the super geniuses in this space. Their experience and intelligence are being mapped over to the rest of the digital world. The keywords of this authentication paradigm shift are continuous, frictionless, risk-based, behavior-based authentication.

People who rail on about password ineffectiveness often point to longer (but not necessarily more complex) passphrases and multi-factor authentication (MFA) as the solutions to the problem. Luckily, they won’t be.

I’ve recently covered some of the issues with passwords, long passphrases, and MFA. To recap, regular long and complex passwords that are frequently changed actually increase the risk that you or your company will be compromised. The National Institute of Standards and Technology (NIST) has recommended for years, through NIST Special Publication 800-63, that people and companies not use them. Many experts are recommending long, non-complex passphrases as the solution. A growing chorus of experts, including myself, is calling for more use of password managers and MFA.

The problem with giving current best advice is people are sometimes under the false impression that it’s the best advice for the long-term. This problem is what is still leading 99.999% of computer security experts to recommend and companies to use long, complex, and frequently changing passwords, despite gobs of data to the contrary. It reminds me of the William Faulkner quote, “The past is never dead. It’s not even the past.”

The problem with MFA

MFA has many problems, not to mention the fact that it can often be easily hacked. Sometimes it’s as simple as sending a regular phishing email. I’ve been giving seminars on how to hack 2FA all around the world, including at Black Hat Las Vegas.

Since I’ve been giving my Hack 2FA talks, I’ve been frequently contacted by vendors offering new and improved MFA solutions. They all want to show me their solution and how incredibly “unhackable” it is. Their advertising literally includes the words, “can’t be phished” or “unhackable.” When shown the solution, I’ve always been able to come up with multiple hacking scenarios around their MFA solution within a few minutes, and I’m not even that good of a hacker.

Suffice it to say, when 2FA becomes the de facto authentication standard, it will be hacked to death with tens of millions of compromises, just like passwords. It’s already happening.

User friction and support costs are also big problems with MFA. User friction is another way of describing the ever-present usability-versus-security paradox. As users are forced to do more things to authenticate, the security of that authentication method usually goes up and reduces risk. The more users are forced to do, however, the more likely it becomes that they will do something to get around it. The best example is passwords written down on Post-It notes.

On top of that there are the purchase and support costs of MFA solutions. Even if your solution was free to start with, anything with more user friction increases support costs. It takes longer to get people going on MFA solutions, they make more mistakes with it, and they lose and damage MFA solutions far more often than non-MFA solutions.

The average password reset support call cost something like $45 to Microsoft, my former employer, and they essentially automated as much of it as possible so the number of support calls related to passwords dropped significantly. A support call for a physical smart card was on the order of $245 per call. Not only did it take more staff time, but when the card was lost, it had to be replaced. That meant the user had to show up in person or get a FedEx package sent their way. Then they had to re-connect with tech support to provision the card. It seemed every time the user had to renew a digital certificate on the card, it prompted another support call. Ask any admin that has ever supported a physical 2FA solution.

Phone- and SMS-based 2FA solutions are all the rage now, because usually both initial purchase costs (near zero) and ongoing support calls are less than physical solutions. They are being hacked so badly that NIST isn’t even allowing them as a legitimate authentication solution — never mind that my bank, credit card company, social-media web sites, and even identity theft monitoring program seem intent on using SMS-based solutions.

As much as we all need improved security, the future of authentication is less user friction and lower support costs.

How credit card companies show the way on authentication

The future of authentication is continuous authentication with so much less friction that users don’t even really notice it. Our children and grandchildren will probably not even recognize the words passwords or MFA. They will just use their devices and services and have them work when they need them while they keep the bad guys out…at least most of the time.

Think about how your credit cards work today. You use them all the time, and the store clerk or website doesn’t ask you to type in a long passphrase or use an MFA solution. It isn’t always frictionless. My wife and I were recently buying TVs and other furniture to put in our new house. The TVs alone were so big that we split up into different carts in different checkout lines. My multi-thousand-dollar purchase went through with no problem. My wife’s purchase got blocked, probably due to the “unusual” second big purchase. I got an SMS-based (argh!) message from my credit card company. I answered “YES” to their query to confirm that it was an allowed transaction, and my wife’s purchase went through the second time.

Credit card companies want to prevent that sort of false-negative user friction just as much as they want to stop real fraud. They are getting darn good at it, and getting better all the time.

How many times have you been stopped by your credit card company from making a legitimate, valid transaction in the last 10 years? Probably not many. How many times did your credit card company proactively call you to say that a strange transaction was occurring and to confirm it? That has probably happened more often than the former. By the time you confirm that it’s a fraudulent transaction, they’ve either already blocked the attempt or they tell you that new cards are already on their way in the mail. This is not like the old days when it took an act of Congress to make something happen. Today, even the incidents are fairly frictionless.

What does the future of authentication look like?

You will probably need to register on every device and service you have during first use, just like you do today. After that, the systems and devices you register will learn what your normal behavior is based on hundreds if not thousands of attributes. A large percentage of the most popular systems you interact with already do this whether you know it or not. They collect as much about your system (e.g., OS version, browser), location, and normal service habits as they can. Many people don’t know this, but the system you’re logging onto may even be paying attention to the way you type, how long your fingers take between particular keystroke combinations, how long you take to click on a presented button, and so on. Today’s systems might not only be checking that you typed in the right password, but also figuring out whether the way you typed it was normal for you.

Now, imagine that same type of evaluation of everything you do across hundreds of attributes — behaviors, choices, biometrics — done continuously on what you do and how you do it. If you do something completely abnormal, or just a bit off across several attributes, your risk score will go up and some additional (adaptive) authentication will be presented for you to confirm.

For example, if every day you go into your stock account to view your stocks and maybe make a few small trades, that will be considered your normal behavior pattern. If one day your stock site detects you trading all your favorite stocks at once, cashing out, and transferring the gains to a new bank account that has never been registered before, that might take a phone call, or more, to make happen. Digital authentication essentially becomes like your credit card, allowing you to perform tasks unencumbered for what it thinks is your normal life. Abnormal events in your life, which occasionally happen to everyone, will require more approval.
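The risk-scoring loop described above (learned baseline, per-attribute deviations that compound, and an adaptive response that ranges from no friction to an out-of-band confirmation) as an added example; this is illustrative code written for this article, not a vendor’s or the author’s system. The attribute names, weights, thresholds and the sample baseline are all assumptions.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed demo of risk-based adaptive authentication: a per-user baseline is
# learned from past activity, each new event is scored across several attributes,
# and the score picks the response. Names, weights and thresholds are assumptions.

@dataclass
class Profile:
    devices: set        # device identifiers seen before
    countries: set      # login countries seen before
    keystroke_ms: list  # past inter-keystroke timings (ms) while logging in
    payees: set         # destination accounts used before
    trade_usd: list     # past trade sizes

def score_event(profile, event):
    """Return (risk, reasons). Each attribute that deviates from the learned
    baseline adds weight, so several small deviations compound."""
    risk, reasons = 0, []
    if event["device"] not in profile.devices:
        risk, reasons = risk + 2, reasons + ["unknown device"]
    if event["country"] not in profile.countries:
        risk, reasons = risk + 2, reasons + ["new country"]
    mu, sd = mean(profile.keystroke_ms), pstdev(profile.keystroke_ms)
    if abs(event["keystroke_ms"] - mu) > 3 * max(sd, 1.0):  # 3-sigma cadence check
        risk, reasons = risk + 2, reasons + ["typing cadence off baseline"]
    payee = event.get("payee")
    if payee and payee not in profile.payees:
        risk, reasons = risk + 3, reasons + ["never-registered payee"]
    if event.get("amount_usd", 0) > 5 * max(profile.trade_usd):
        risk, reasons = risk + 3, reasons + ["amount far above normal"]
    return risk, reasons

def decide(risk):
    """Map the risk score to an adaptive response (thresholds assumed)."""
    if risk < 2:
        return "allow"         # normal life: no friction at all
    if risk <= 5:
        return "step-up"       # a bit off: ask for a second factor first
    return "hold-for-review"   # way off: out-of-band confirmation before acting

# Constructed baseline for one user (sample data, not real observations).
BASELINE = Profile({"laptop-A"}, {"US"}, [180, 190, 175, 185, 200, 195],
                   {"broker-sweep"}, [500, 800, 1200, 650])

def evaluate(event, profile=BASELINE):
    """Score one event against the baseline and return (decision, reasons)."""
    risk, reasons = score_event(profile, event)
    return decide(risk), reasons
```

A routine small trade from the usual laptop scores zero and passes silently; a login from an unknown device alone triggers a step-up, and the cash-out to a never-registered account compounds three deviations into a hold.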

All of this will be controlled by artificial intelligence (AI) and algorithms. If I were starting my computer career over today, I’d become an “algo” guy. Those men and women are already the hot commodity in this world and will be the superstars of the future.

Of course, the bad guys won’t sit still. They will be developing their bad guy algorithms to get around the normal behavioral detection algorithms to do badness before getting shut down. In the future — and this is not hyperbole — today’s digital world of bad guys versus good guys will become a world of fighting algos. What we want to do will just be caught in the middle.

To be honest, I think this will be a better, safer, more authentic world. Because trusting humans to figure out this logon authentication stuff has not been particularly fruitful. Maybe the machines can do it better.


Roger A. Grimes is a contributing editor. Roger holds more than 40 computer certifications and has authored ten books on computer security. He has been fighting malware and malicious hackers since 1987, beginning with disassembling early DOS viruses. He specializes in protecting host computers from hackers and malware, and consults to companies from the Fortune 100 to small businesses. A frequent industry speaker and educator, Roger currently works for KnowBe4 as the Data-Driven Defense Evangelist and is the author of Cryptography Apocalypse.