Javier VelandiaMarch 18, 2021
The Evolution of Strong Authentication
Widespread password theft means that a successful login is no longer a guarantee of legitimate access to sensitive systems and accounts. The number of exposed credentials has risen by 300% since 20181. The vast number of compromised credentials makes the username/password combination an ineffective method for strong authentication, yet a large majority of organizations still rely on this model.
Throughout this blog, we will explore different authentication factors to better understand their unique qualities, as well as the timeframe during which they came to market.
Each authentication factor falls under one of these three categories:
1- KNOWLEDGE (least effective) – Something I know
- This category is usually easy to implement. The most basic example of something a user knows is their password. However, being that credentials can be easily compromised, knowledge is the least effective category for strong authentication.
2- POSSESSION (stronger) – Something I have.
- Possession comes in second as it’s more difficult to compromise. Being that a user must physically have this factor with them adds a challenge but is still not a bulletproof solution.
3- INHERENT (strongest) – Something I am.
- This is the strongest category of authentication. It’s far more difficult for fraudsters to replicate human characteristics, making the inherent category a less attainable target for fraudsters.
It’s important to note that neither of the three categories are enough on their own. To successfully implement strong authentication, one must use at least two authentication factors that fall into different categories. For example, something the user knows (knowledge) combined with something the user is (inherent) secures the login session more effectively.
Each authentication factor has its advantages and disadvantages. To better understand these, we must first take a look at the evolution of authentication.
PASSWORD – Early 1960’s
Category: Knowledge
The first password-based system was created in the early 1960s at MIT, meaning that the password is more than five decades old; multiple lifetimes in the tech world2. Even then, it wasn’t secure. We know this from one of the researchers first using the system who was only allotted four hours of use per week, which wasn’t enough to run his tests. So, he hacked the master list of passwords stored on the system to use more of the computer system’s time. Clearly, passwords have never been synonymous with security.
Advantages: Easy to implement, cost effective.
Disadvantages: Easily compromised, weak authentication factor.
TOKENS – Late 1980’s
Category: Possession
Hard tokens were first patented in the late 1980s by Security Dynamics Technologies.3 These physical tokens provide a one-time password (OTP), and displays a random number that changes periodically. The hardware token contains an algorithm, and a ‘seed record’ used to calculate the pseudo-random number. The user enters this number to prove that they have the token.
Advantages: Unique numerical code that changes with frequency makes it hard to compromise.
Disadvantages: Physical tokens are dated and have been replaced by smart devices which are far more accessible.
DEVICE RECOGNITION – Late 1990’s
Category: Possession
Cookies were created in the late 1990s and became very mainstream in the early 2000s. They were the first example of widespread device recognition. Since then, the technology has evolved and improved to include a variety of methods that are constantly being updated.
Advantages: Convenient for the end-user.
Disadvantages: Malicious actors can access a device remotely using a Remote Access Trojan (RAT).
SMS OTP – Early 2000’s
Category: Possession
These were widely used in the early 2000’s and marked the beginning of passwords being delivered to phones in general (eventually through email and later soft tokens).
Advantages: No additional hardware or download required by the user, simple way to implement strong authentication.
Disadvantages: Inconvenient for users who may have lost their device, or no longer have access to the registered phone number.
PUSH – 2009
Category: Possession
Push notifications were first used by Blackberry, but Google and Apple took them mainstream in 2009 and 2010. This factor presents a pop-up message to a user’s mobile device enabling them to simply accept or decline a transaction or login attempt.
Advantages: Highly secure method since it’s reinforced at the device level.
Disadvantages: Like SMS OTP, it relies on the user having access to the device that was originally registered to the account.
FINGERPRINT BIOMETRICS – 2013
Category: Inherent
TouchID from Apple in 2013 popularized fingerprint biometrics. This method simply requires the touch of a registered user’s finger to confirm their identity, making it difficult for a fraudster to replicate.
Advantages: Being that it falls under the ‘inherent’ category, fingerprint biometrics provide a more secure experience.
Disadvantages: May cause friction for the end-user if hands are not completely dry, or fingerprint scanner isn’t working properly.
QR Authentication– 2015
Category: Possession
WhatsApp web launched QR authentication in 2015. QR codes offer a strong form of authentication, giving each of user a unique code.
Advantages: High speed, convenient and highly secure form of authentication.
Disadvantages: Can only be used in out-of-band processes.
FACIAL BIOMETRICS – 2017
Category: Inherent
FaceID from Apple was one of the first examples of facial biometrics to authenticate users. This factor allows a photograph when authenticating to validate that the user has a high degree of similarity to the image recorded at the time of login.
Advantages: Convenient and frictionless for the end-user.
Disadvantages: Depends on the lighting and angle of a user’s face. It can be intercepted using a photo or video of the user.
It will be interesting to see how authentication factors continue to evolve. Biometrics are likely the way of the future, eliminating passwords altogether. For organizations that can’t fully eliminate the password just yet, strong authentication using a risk-based approach is crucial. Contextual data and analytics based on a user’s typical behavior provides a bigger picture, therefore challenging the user without causing friction.
Though many authentication factors provide some level of protection, no single factor is effective enough on its own. It’s important to ensure that your organization implements strong authentication using multiple factors that fall into different categories.
To learn more about implementing strong authentication across your organization or eliminating passwords altogether click here.