Print Issue: March 2020
During Operation Overlord, Allied forces needed a way to identify and authenticate friendly troops when they could not see them. The solution was to issue signs and countersigns—code words that could be worked into a sentence during the Battle of Normandy in 1944 to signal that soldiers were on the same side and that the other party should not open fire.
One such sign–countersign code was Flash–Thunder. A soldier would call out a sentence using the code word “flash.” The other soldier would respond with a sentence using the word “thunder,” and the first soldier would say back a phrase using the word “welcome”—indicating that his use of the word flash was legitimate.
Today, methods of authentication are more sophisticated but tend to rely on three factors—something we know, something we have, or something we are—to gain access. But these authentication methods depend heavily on what some see as an outdated and insecure tool: passwords.
“Passwords are not providing sufficient protection,” wrote Andrew Shikiar, executive director and chief marketing officer of the Fast Identity Online (FIDO) Alliance, and Adrien Ogee, project lead for the World Economic Forum’s Platform for Shaping the Future of Cybersecurity and Digital Trust, in a recent paper Authentication: The Next Breakthrough in Secure Digital Transformation.
FIDO was created in 2012 to address interoperability among authentication technologies. It has since released standards to create stronger authentication mechanisms that reduce reliance on passwords.
“Authentication is so much broader than passwords,” Shikiar and Ogee explained. “It is the foundation of digital trust, an enabler of cybersecurity in the digital economy and of the Fourth Industrial Revolution: in short, authentication is a critical enabler of the future.”
Accessing online and internal systems using usernames and passwords is an authentication method that’s been mainstream since the 1980s. However, it puts the onus on users to create strong, unique passwords for hundreds of accounts.
“Passwords force users to create and memorize complex amalgams of letters, numbers, symbols, and cases; to change them frequently; and to try not to re-use them across accounts,” Shikiar and Ogee wrote. “Numerous studies and cumulated company experience prove that individuals don’t think or act this way. As a result, they re-use the same passwords repeatedly, which is one reason why passwords are at the core of the data breach problem.”
In 2017, the average employee used 191 passwords to access accounts, according to the Password Exposé published by LastPass—a password manager. Considerable time is also spent entering or resetting passwords each year; FIDO found that employees averaged 11 hours per year spent on these activities.
“For a company of 15,000 employees, on average, this represents a direct productivity loss of $5.2 million,” Ogee and Shikiar explained.
IBM also found that just 42 percent of millennials and 49 percent of people 55 and older reported using complex passwords.
This raises concerns because passwords are among the data most commonly compromised in a breach, and stolen passwords can then be used by malicious actors.
“The vast majority of data breaches stem from weak or stolen authentication credentials,” Shikiar and Ogee wrote. “Today, credential stuffing attacks, i.e. attacks leveraging stolen credentials, are so common that over 90 percent of all login attempts on major retail sites are malicious, with average success rates around 1 percent.”
And this level of fraud has a major economic impact on organizations and compromised users. “In the past six years, USD 112 billion has been stolen through identity fraud, equating to USD 35,600 lost every minute,” according to IBM Security’s Future of Identity study.
“Recent data breaches have been a resounding wake-up call to the fact that new methods are needed to validate our identities online,” IBM said. “In an era where personal information is no longer private, and passwords are commonly reused, stolen, or cracked with various tools, the traditional scheme of accessing data and services by username and password has repeatedly shown to be inadequate.”
Users also increasingly prefer more secure methods of authentication for accounts related to their financial activity. In a survey of roughly 4,000 people around the globe, IBM found that 70 percent ranked security over convenience for accessing banking websites and applications—as opposed to social media accounts, where only 34 percent ranked security ahead of convenience.
“It turns out that users place more value on certain types of data, and as a result will prioritize security and privacy in some cases, while prioritizing speed and convenience in others,” according to IBM.
However, this may be misguided, because many users use their Facebook and Twitter accounts to authenticate to and access other applications and services.
“Many popular services that house sensitive information, like delivery services, online shopping, and dating apps, encourage users to log in using their social accounts,” IBM wrote. “Therefore, if one of these social accounts is compromised, there could be a domino effect on how many additional accounts may also fall into the attacker’s hands.”
This plays into a broader lack of trust and confidence in organizations’ ability to keep information, like passwords, secure.
“Individuals are wary about giving out too much personal information; partners fear the loss of confidential information and business processes; and global enterprises risk the loss of reputation and revenues when systems and customers are compromised,” Ogee and Shikiar wrote.
These factors are coming together to push innovators to develop and implement new authentication methods that users are receptive to, including biometrics, security keys, QR code authentication, behavioral analysis, and zero-knowledge proofs.
In just a few years, consumers have already become accustomed to using biometrics—such as facial recognition and fingerprints—to access their smartphones. Apple announced its version of the solution, Face ID, in 2017 when it unveiled the iPhone X.
Along with touting the ease of using the facial recognition scanning technology to unlock iPhones, Apple also stressed how the biometric data is securely stored and processed to prevent compromises.
“All saved facial information is protected by the secure enclave to keep data extremely secure, while all of the processing is done on-device and not in the cloud to protect user privacy,” Apple said in a press release. “Face ID only unlocks iPhone X when customers look at it and is designed to prevent spoofing by photos or masks.”
The technology follows the six building blocks that FIDO identified as necessary for building an authentication program capable of passing the test of time: security, privacy, sustainability, inclusiveness, scalability, and user experience.
“Security technologies tend to be short-lived and evolve rapidly,” Shikiar and Ogee explained. “Whether operational one year or 10 or more, cyber criminals are generally adept at finding ways to circumvent security controls. Authentication technologies are no exception. It is consequently critical to build out a long-term security strategy.”
FIDO, which was originally founded by PayPal, Lenovo, Nok Nok Labs, Validity Sensors, Infineon, and Agnitio, released the FIDO Universal Authentication Framework (UAF) and FIDO Universal 2nd Factor (U2F) specifications in December 2014 to guide developers and support the transition away from password usage.
Since then, numerous other companies have come on board and released password-alternative authentication methods that meet FIDO standards.
For instance, in 2019 Microsoft made FIDO authentication a fundamental component of its efforts to provide a seamless, password-free login experience. The U.S. General Services Administration also enabled FIDO authentication for login.gov, the single sign-on website that members of the U.S. public and federal employees use to interact and transact with federal agencies online.
Additionally, Google added FIDO support across its platforms—including the ability to use Android phones and iPhones as a physical security key for its Advanced Protection platform. The platform has traditionally required a security key as an authentication method.
“According to a study we released last year, people who exclusively used security keys to sign into their accounts never fell victim to targeted phishing attacks,” wrote Shuvo Chatterjee, product manager for Google’s Advanced Protection Program, in a blog post. “But, using security keys can be a hurdle for users: they can be costly, and acquiring and keeping track of two extra pieces of hardware is a burden.”
This led Google to create a method that allows a smartphone to act as a user’s security key, in a way that is compliant with FIDO’s standards.
“Everything becomes much simpler when the things we’re already carrying around—our smartphones—have a built-in security key,” Chatterjee explained.
Intuit also released a FIDO-approved passwordless authentication method across its mobile apps, which reduced sign-in times by 78 percent and successfully authenticated users 99 percent of the time. This marked an increase over the 80 to 85 percent authentication rate for SMS-based multifactor authentication Intuit was using previously.
“Never before have service providers and developers had the ability to enable convenient, cryptographically secure authentication to a user base this broad,” Shikiar said in a statement. “Service providers are now taking advantage of these new capabilities on a global scale.”
However, the transition away from using passwords is not where the development of new authentication methods will end.
“Criminals adapt and security controls tend to be short-lived,” Shikiar and Ogee wrote. “The future of authentication will take many paths, some that we are only starting to explore like blockchain-based self-sovereign identities and zero trust networks. But the immediate journey for platform businesses to embark on leaves passwords behind.”
Megan Gates is editor-in-chief of Security Technology. Connect with her at [email protected]. Follow her on Twitter: @mgngates.