Strong authentication’s war is not fought in the trenches of password management, with more complex passwords, passphrases, or even better multifactor authentication. Instead, this war must start with fundamental authentication processes, as none of the current options will become a long-lasting silver bullet. I expect to see a continual surge of evolution in the background, much of it invisible to the end user.
Typical authentication includes username and password—a single-factor authentication protocol. However, for a more robust approach, multifactor authentication (MFA) requires one or more additional authentication sources for verification, like a smart card or a PIN code sent to a mobile phone. MFA checks user credentials to verify identity, determining if a person is who they claim to be. While not a new concept (ATM cards and their associated PIN codes are one example of people’s everyday MFA use), it has proven to be and remains a powerful defense. The additional layer MFA provides is the most straightforward solution for preventing a breach in security. MFA reduces website attacks and identity theft.
As organizations move to cloud technology, they need stronger, more secure authentication protocols. Likewise, mobile technology is shifting the parameters of online security. Smart devices can assist MFA adoption, as users have them in hand to complete the second authorization factor, typically through text verification, for example. To ensure a more secure future, we must identify and create new and more sophisticated ways of convincing machines that users are who they say they are, in a manner that is seamless to users and that integrates with users’ daily lives.
The new passé: Passwords
Passwords are no longer fully capable of protecting user and organizational data. Because of this, MFA solutions are gaining popularity, but not everyone believes in their capabilities. There are two current camps. One group contains people who believe multifactor authentication is the future of security. Members of another group believe MFA technology is vulnerable to breach.
Those in the first camp support their beliefs by providing protocols for the proper use of the technology. Thus, when appropriately used, MFA technology secures applications more than verification of a lone password. Thousands of organizations employ MFA solutions, including banks, credit unions, and universities. Tech giants like Amazon, Google, Facebook, and Twitter also use it.
According to Messente Communication’s head of research, Uku Tomikas, multifactor authentication is moving towards becoming more convenient for individual users and ever more protective against miscreants. “‘Seamlessness’ would be a keyword I’d use to describe the future applications of 2FA,” Tomikas says. “Instead of inputting codes, receiving messages, or typing in knowledge factors, some part of the process could happen without the customer noticing.”
Because of the technology’s improved ease of use, those favoring MFA say we’ll see greater adoption of these methods with far less friction. That, those in the pro-MFA camp say, means fewer compromised accounts.
Those in the MFA-cautious camp are not on the same page. MFA is not yet easy enough for end users, and their support teams claim users despise the technology or find ways around it. These same skeptics demonstrate that MFA isn’t a perfect solution even when successfully adopted.
No matter what, multifactor authentication is not and never will be the silver bullet that can stop all brute-force attacks or breaches. For the immediate future, it is one of the most effective solutions for countering intrusions as part of a larger defense plan.
MFA is not foolproof
Kevin Mitnick was once the FBI’s most wanted hacker and now helps companies defend themselves. He told CNBC that MFA still contains vulnerabilities. “If we can steal the user session cookie, we could become them, and we don’t need their username, their password,” Mitnick said.
Those supporting MFA say it’s never been so easy to use despite some ongoing challenges. That means we’ll likely see an ongoing move to easier-to-use MFA. Convenience is necessary for producing secure systems. Strong security is only useful when users actively adopt it. If security measures are complicated, workarounds are found and used.
Security remains the prime concern, Tomas says. “EU data privacy requirements [demand] more from companies and will continue to do so, using higher levels of cryptography, pseudonymization, and MFA factors that enable a lower risk of fraud.”
Strong requirements for data points or more sophisticated knowledge factor requirements must be applied, Kastling Group’s COO, David Lee, said. Multifactor authorization, he adds, is the future of access management, despite any flaws. Secure sites must use more than three sources, especially as more IoT devices become a part of users’ daily lives. He adds: “I think we will see these devices optimize more complex security patterns, such as fingerprint and optical scanners for facial or iris recognition.”
Some point to current models for the path ahead. Apple Face ID is one example. When multiple, seamless factors of authentication work simultaneously without the user knowing, adoption of multifactor authentication is the result.
Robert Capps, vice president of market innovation for NuData Security, says that MFA is a stopgap procedure. Still, as it expands, MFA will become less static in verifying consumer identity, including biometrics, behavior, and tokens. Multifactor authentication, however, is a bridge, intended to increase the usable life, reliability, and security of existing single-factor, static identifiers. These include usernames and passwords.
Passwords are the ultimate never-say-die security concept. Conversations about the future of access governance and cybersecurity always include passwords and their evolution. For now and the foreseeable future, passwords are central to identity governance and protecting access to data.
Passwords are here to stay, for now.
“Once more people obtain devices with biometric capabilities, I see losing knowledge factors as a possible way to go,” Tomikas said.
Biometrics still have much to smooth over before they become the dominant means of authentication. Simple biometrics, like fingerprints, can be replicated, and more advanced options, such as facial recognition, can still be fooled. Try to imagine practical biometric enforcement, and it’s hard not to begin envisioning the stereotypical dystopian future where everyone has an implanted microchip. Further, the sheer amount of Personally Identifiable Biometric Information that would have to be collected and stored poses one of the most substantial security challenges (read: nightmare) for the solution. It wouldn’t be difficult to argue that such a trial would be the greatest in the whole history of cybersecurity. If Equifax’s breach can expose millions of Americans’ records (e.g., social security numbers), how catastrophic would a breach of biometric data be?
What about the future of multifactor authentication? There’s little consensus, but there are many thoughts. “Multifactor authentication likely evolves to break its dependence from passwords,” said Ahmed Amin, founder of GuruSquad. “MFA has proven to provide a better level of security over just passwords.”
Passwords, Amin says, will likely eventually be replaced with biometric authentication. These may include fingerprints, iris scans, and even face scanners. As these technologies become more affordable and accurate, their use will increase dramatically. We may also see seamless integration of authentication where users no longer must remember passwords. Thus, each factor is scrutinized via an ever-growing number of data points.
Ultimately, the most appropriate and nuanced take is Kevin Mitnick’s: MFA is the best current blend of strengthened security and ease for users, which will see it remain on top for the foreseeable future. However, it still has obvious vulnerabilities that must be acknowledged to best enforce identity management, and those weak points will eventually require a more secure replacement.
Tom Mowatt is a managing director of Tools4ever, a global provider of identity and access governance solutions.