Can new authentication methods change business?
17 May 2018
TEISS guest blogger Jackson Shaw, senior director of product management for One Identity, shares advice on how new authentication methods can change business
There comes a point in one’s life where the same password, or iteration of a password, that has been used ten, twenty, thirty times reaches a point of exhaustion, whether because the inevitable happens in the form of an email notification from the likes of Yahoo, Twitter or another online service stating that the password has likely been compromised and needs to be updated, or because suspicious activity is noted on a social media account.
This will raise issues around the number of times the password has been potentially used elsewhere, even for corporate use. In fact, as many as 81% of all data breaches involve weak, default or stolen passwords according to Verizon’s Data Breach Investigations Report.
Once one password is compromised, there are potentially a whole host of others that are also subject to compromise for any other accounts using the same word or theme. Bad guys are resourceful and guessing passwords can be quite simple using a modicum of computing power or algorithms to brute-force a way in.
Therefore, the big question becomes: are passwords fit for purpose anymore and how can we be smarter about passwords in the enterprise?
Evolution of authentication
Passwords in essence represent the simplest form of authentication, but as a society we’ve used the notion of these “secret” words or phrases so much that the average person now has 27 discrete online logins – and this could rise to the hundreds for some people.
It should come as no surprise then that 20-50% of all helpdesk calls are for password resets according to Gartner Group, costing over £50 each time a call is made as cited by Forrester’s Benchmark Your Employee Password Policies and Practices Report. This has led to a global industry worth over £6 billion for self-service password resets, stronger authentication and specialist Government ID systems. And yet associated risks as well as costs continue to rise.
Industry and technology developers have rallied to help with the likes of password wallets, OTP & SMS tokens, QR codes or even software tokens; but none of these leads to better usability. Customers and employees alike can get frustrated with the extra steps and “friction” these so-called solutions add to the problem.
Mobile technology is perhaps leading the way in authentication – we can now unlock our phones with a fingerprint or by using facial recognition. While these alone don’t offer the strongest form of authentication, in terms of ease of use, biometrics offer the convenience of something that is always “there”.
The benefits increase exponentially if compared to the 4-digit passcode, which has a 1:10,000 chance of getting hacked; whereas a fingerprint is 1:50,000 and facial recognition is 1:1,000,000.
The challenge enterprises are facing nowadays is how to take that convenience, preserve security and move the market to a point where biometrics are the norm in a business setting.
Reaching a tipping point
As biometrics become more acceptable, we get closer to a series of tipping points around hardware and software alike. One example is Apple’s Secure Enclave, which boots separately from the rest of the device and runs its own microkernel that is not directly accessible by the operating system or any programs running on the device.
It stores 256-bit elliptic curve private keys that are unique to the device, and are never synced to the cloud or even directly seen by the device’s primary operating system.
Instead, the system asks the Secure Enclave to decrypt information using the keys. These “security by separation” techniques are advocated through the FIDO Alliance, which publishes technical specifications designed to heighten security across mobile and website services, making them resistant to phishing or man-in-the-middle attacks.
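The origin-bound challenge-response that gives FIDO-style logins their phishing resistance, as an added example (not code from the FIDO Alliance, Apple or One Identity). It models the exchange rather than the WebAuthn message format; the closure stands in for the secure hardware, and the function names and `bank.example` origins are assumptions.

```javascript
// Added illustration: simplified model of a FIDO-style login, not WebAuthn itself.
const crypto = require('crypto');

// Stand-in for the secure element: the private key lives in a closure and
// only the public key and signatures ever cross the boundary.
function createAuthenticator() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', {
    namedCurve: 'prime256v1', // 256-bit elliptic curve (P-256)
  });
  return {
    publicKey: publicKey.export({ type: 'spki', format: 'pem' }),
    // The browser, not the page, supplies the origin being visited.
    sign(challenge, origin) {
      const clientData = JSON.stringify({ challenge, origin });
      const signature = crypto.sign('sha256', Buffer.from(clientData), privateKey);
      return { clientData, signature: signature.toString('base64') };
    },
  };
}

// Relying-party check: the signature must verify, the challenge must be the
// one issued for this login, and the signed origin must be the real site.
function verifyAssertion(publicKeyPem, expected, assertion) {
  const ok = crypto.verify('sha256', Buffer.from(assertion.clientData),
    publicKeyPem, Buffer.from(assertion.signature, 'base64'));
  if (!ok) return 'bad-signature';
  const { challenge, origin } = JSON.parse(assertion.clientData);
  if (challenge !== expected.challenge) return 'stale-challenge';
  if (origin !== expected.origin) return 'wrong-origin';
  return 'ok';
}

function demo() {
  const device = createAuthenticator();
  const expected = {
    challenge: crypto.randomBytes(32).toString('base64'),
    origin: 'https://bank.example', // constructed sample origin
  };
  const genuine = device.sign(expected.challenge, 'https://bank.example');
  // Same challenge relayed through a look-alike site: the origin differs.
  const relayed = device.sign(expected.challenge, 'https://bank-login.example');
  const tampered = { ...relayed, clientData: genuine.clientData };
  return {
    genuine: verifyAssertion(device.publicKey, expected, genuine),
    relayed: verifyAssertion(device.publicKey, expected, relayed),
    tampered: verifyAssertion(device.publicKey, expected, tampered),
  };
}

console.log(demo());
```

Unlike a password, nothing the user could type into the look-alike site is reusable: the relayed response is rejected on origin, and swapping in the genuine client data breaks the signature.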
In industries where security is paramount, such as financial services, there is huge support for the FIDO Alliance and it is something other industries should take note of.
In fact, Gartner has suggested that by 2022, 70% of enterprises will combine biometric methods with analytics and either mobile push modes or embedded public-key credentials across multiple use cases – a stark contrast to today, where this percentage is almost negligible.
Passwords are starting to have a half-life and have outlived their usefulness as a sole method of securing the enterprise. Indeed, who wants to change passwords regularly or make them more complex, which only adds to the resources needed to manage them? Of course, there will be an associated long-tail, just like what we’ve experienced, and in some cases, are still experiencing, with mainframes.
But as the market moves towards more interoperable, open standards in biometric authentication and increases security to ease people’s privacy concerns, authentication will become universally stronger. But perhaps the biggest win of all will be usability – which has typically been security’s biggest nemesis.
For more information, go to One Identity