In today’s connected world, authentication is ubiquitous. Whether it’s a website, mobile app, laptop, car, hotel door lock, retail kiosk, ATM machine, or video game console, security is essential to all networked systems. Even individuals must use authentication through state-issued ID cards to validate their identities within the network of a city or state.
Whether virtual or physical, the improper access obtained from failed authentication has tangible eﬀects ranging from stolen identities, fraudulent transactions, intellectual property theft, data manipulation, network attacks, and state-sponsored espionage. These consequences have the potential to cost companies millions of dollars, ruin reputations of individuals, and disrupt business.
Authentication in the Internet Age
Let’s be honest. Historical forms of authentication were never meant for the networked landscape we live in today. The ﬁrst passwords were adequate authentication solutions only because the systems they secured were isolated. Unfortunately, the isolated systems that pervaded the early days of the computer revolution has set the foundation for authentication in the Internet Age.
Within just a few years, the global computer market transitioned from a disconnected world of isolated computers to a fragmented world connected by the cloud. Not only are computers now interconnected, devices themselves and the applications running on them are as mobile as the users who own them. No longer are applications restricted to speciﬁc machines or data centers, they can be distributed, dispersed, or local to mobile devices. The security of any individual system or user now aﬀects the security of those systems networked to it.
The Internet has been ingrained in global culture and commerce to such a drastic degree that every new day increases the risk and impact of improper authentication. And with the impending Internet of Everything — that is, the millions or billions of devices, sensors, and systems that will connect to the Internet — not only is the need for secure authentication exponentially rising, the landscape is also changing.
Today, the tempo of security breaches directly related to stolen passwords and bypassed authentication is increasing along with the severity of their consequences. Further compounding these issues, past breaches are creating a snowball eﬀect resulting in subsequent attacks being easier, quicker, and more widespread than their predecessors.
A new approach to authentication and authorization is required to face the new generation of modern security challenges.
Houston…We Have a Password Problem
I believe that passwords aren’t simply used incorrectly today; they’re fundamentally insecure and present problems for device authentication in the future.
Traditionally, the primary form of user authentication in networked systems has been the username and password combination. More recently, the concept of strong authentication has become popular whereby an additional factor of authentication is used on top of the password layer for added assurance. Unfortunately, neither passwords nor strong authentication built on top of passwords are bulletproof solutions for today’s security challenges.
As we begin to consider an Internet of Things (IoT) world of connected devices, it’s easy to see how passwords are incompatible with the vast majority of smart objects that constitute the future of our networked world. The in-band centralized nature of passwords requires that users input credentials into the requesting application. However, most devices, such as sensors, door locks, and wearables don’t have an attached keyboard for password input. This means that authentication must happen out of band. Instead of the user supplying a device with credentials, that device must obtain authorization externally in a decentralized manner.
The Problem with Two-Factor Authentication
Security experts have long recommended strong authentication to compensate for the weakness of passwords. While strong authentication is the correct approach to take, the traditional method, known colloquially as two-factor authentication, is inadequate.
Let’s take a look at a few of the key issues:
Shared secret architectures involve a token or one-time password (OTP) that is sent to a mobile phone or fob that the end user owns. This OTP is compared with a token generated by the application being secured.
The symmetric key cryptography that this process relies on is an inferior security approach because if either the user’s device or the application is compromised, the shared secret can be obtained, thereby allowing an attacker to generate their own correct token. Additionally, since the user’s token must be transposed or delivered back to the application for comparison, there is a risk that the token can be intercepted by a hacker, malware, or observer in a man-in-the-middle (MITM) attack.
Password Layer Remains Unresolved
Traditional two-factor authentication retains the in-band password layer which means the core password problems remain unresolved. The application still holds on to the “bait” that hackers and malware are after, keeping the application layer in the crosshairs of any attack on the authentication layer.
Poor User Experience
Transposing tokens that quickly expire may be considered an annoying user experience that many users will opt to avoid in lieu of a smoother authentication ﬂow. OTP ﬂows that rely on SMS are unreliable and inconsistent. End users’ preference towards convenience over security means traditional two-factor authentication implementations like OTP may go unused. For organizations and applications, traditional two-factor authentication means sending their users outside of the branded experience that they control.
Additionally, traditional two-factor authentication approaches involve sending the end user to a third-party application. Often, this involves a company or online service forwarding their users to mobile apps or hardware with unaﬃliated branding and user experience. Such an approach is often unacceptable, especially for consumer-facing organizations.
Use Cases Are Limited
Authentication is integral to more use cases than login forms. Whether a user wants to approve a purchase in real time, sign for a package, verify their identity, or access a secure corporate oﬃce, authentication plays a critical role. In many of these scenarios, an input form to submit credentials like a password and OTP token isn’t available, thereby placing such scenarios out of the scope of traditional two-factor authentication.
Many two-factor authentication solutions represent a tangible cost and logistical burden. A single hardware token can cost as much as $100 or more, making a two-factor authentication solution that only satisﬁes a limited subset of use cases unrealistic.
Time to Move Beyond the Password
Password-based authentication is no longer capable of meeting the demands of modern security. Passwords are inherently insecure as a method of authentication, and their eﬃcacy relies on end users, developers, system administrators, and the applications themselves, all of which are vulnerable to a wide variety of attack vectors currently being exploited by cyberattacks around the world today.
Traditional strong authentication methods like two-factor authentication built on top of passwords does nothing to address the liability and risk of the insecure password layer, while their shared secret architecture (e.g. OTP) is cryptographically inferior, vulnerable to many attack vectors, and creates a cumbersome experience that users dislike and often avoid. Furthermore, both passwords and the strong authentication built on top of them are incompatible with many of the devices and remote “things” that will require user authentication in the future, but lack the requisite input mechanisms like keyboards and forms to use them.
Organizations and applications must remove the vulnerability and liability that passwords have created while implementing more secure authentication methods that account for an evolving and diversiﬁed landscape of use cases, end users, and threats.
About the Author: Geoff Sanders is Co-Founder and CEO of LaunchKey