Without a crystal ball, we still know this much: Static passwords are not the future of authentication. People still fail to set strong passwords. And the 2018 Verizon Data Breach Investigations Report shows that use of stolen credentials and privilege misuse rank 1st and 4th respectively of the top 20 threat actions that resulted in a confirmed breach.
Two-factor authentication (2FA) is better but cumbersome and inconvenient. The next step, multi-factor authentication (MFA), is more flexible but can be a burden on users. The good news is that a new day is dawning with the promise of safe, low-friction authentication approaches that can support diverse users, applications and endpoints.
I recently hosted a webcast on what authentication will look like in 2023. Here’s a summary of highlights:
- Passwords become just one factor. Leading platforms including Facebook, Google and Microsoft say passwords’ days are numbered. But the decline will be long and drawn out. Eventually, passwords will be just one authentication factor that can be augmented or replaced by stronger methods.
- Password manager/vaulting technologies grow. These high-security systems take a user’s password, transform it into an impossibly complex code, and vault it in a secure digital location which users unlock with a master password. In the future, the vault will be unlocked via an MFA approach that combines the password with a more advanced, low-friction factor such as finger swipes or iris scans.
- Risk-based analytics will get stronger. Heuristic, self-learning analytics engines will make real-time access decisions based on risks to the organization, users and data. Using predictive analysis, users can be given access, provided with a step-up method or denied access.
- New modalities will drive authentication. Biometrics will be crowned the king of authentication. Fingerprints, iris scans, voice recognition and the like have already gained ground for high-assurance authentication. Thanks to the iPhone 5S Touch ID and now Face ID, users are all in. Biometrics, however, can still be spoofed and should always be used in tandem with another modality.
- Face recognition will lead the way. Our faces are unique. What could be more convenient and faster than unlocking a device by just looking at it? In some professions like healthcare and law enforcement where gloves are worn or hands are unavailable to grab a device — face ID is perfect.
- Behavioral biometrics show enormous promise. Everything we do — typing, swiping, pressing keys — we do in a unique way. By just doing what we do, biometrics can recognize us and use machine-learning to adapt to our evolving behaviors. Banks have used this for over 10 years, and it will become increasingly widespread.
- Contextual factors will factor in other elements. In addition to who we are and how we do things, situational factors such as network plugins, time of attempted access and location will be analyzed more accurately. Gathering contextual information is subtle and non-invasive, another plus.
- Continuous authentication is the Holy Grail. Even with strong authentication at login, sessions can still be hijacked, and man-in-the-middle and other relay attacks remain threats. Continuous authentication is still aspirational and comes with technical hurdles, but the proliferation of cell phones, combined with behavioral authentication methods, brings us closer.
- Power is shifting to consumers. The power to drive change is increasingly in the hands of consumers who want instant access to apps and are increasingly concerned about security. To meet these demands, the security industry is investing in emerging technologies for competitive advantage.
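The risk-based decision described above (a real-time engine that allows, steps up or denies access from contextual and behavioral signals) is easier to reason about with a concrete scoring model. The following is an added example written for this summary; it is not code from the webcast, from Crossmatch or from DigitalPersona. The signal names, point weights, thresholds and sample sign-in contexts are all hypothetical and constructed here, chosen only to show how contextual factors (device, network, time, location) and a behavioral-biometrics anomaly score combine into one of three outcomes.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessContext:
    """Signals gathered about one access attempt (constructed for this example)."""
    user: str
    device_known: bool          # device previously enrolled for this user
    country: str                # country resolved from the source address
    usual_countries: frozenset  # countries this user normally signs in from
    hour_utc: int               # hour of the attempt, 0-23
    usual_hours: range          # hours this user is normally active
    network_trusted: bool       # corporate / known egress vs. unknown network
    behavioral_score: float     # 0.0 = matches typing/swiping baseline, 1.0 = fully anomalous


# Hypothetical weights; a production engine would learn these from history.
WEIGHTS = {
    "unknown_device": 30,
    "unusual_country": 25,
    "unusual_hour": 10,
    "untrusted_network": 15,
    "behavioral_anomaly": 40,   # scaled by behavioral_score before it is applied
}

STEP_UP_THRESHOLD = 30   # at or above: require a second factor
DENY_THRESHOLD = 70      # at or above: refuse the attempt


def risk_factors(ctx: AccessContext) -> list[tuple[str, int]]:
    """Return the (reason, points) pairs that fired for this context."""
    fired = []
    if not ctx.device_known:
        fired.append(("unknown_device", WEIGHTS["unknown_device"]))
    if ctx.country not in ctx.usual_countries:
        fired.append(("unusual_country", WEIGHTS["unusual_country"]))
    if ctx.hour_utc not in ctx.usual_hours:
        fired.append(("unusual_hour", WEIGHTS["unusual_hour"]))
    if not ctx.network_trusted:
        fired.append(("untrusted_network", WEIGHTS["untrusted_network"]))
    # Behavioral biometrics contribute continuously rather than as an on/off flag.
    clamped = max(0.0, min(1.0, ctx.behavioral_score))
    anomaly_points = round(WEIGHTS["behavioral_anomaly"] * clamped)
    if anomaly_points:
        fired.append(("behavioral_anomaly", anomaly_points))
    return fired


def risk_score(ctx: AccessContext) -> int:
    """Total risk, capped at 100 so thresholds stay meaningful."""
    return min(100, sum(points for _, points in risk_factors(ctx)))


def decide(ctx: AccessContext) -> str:
    """Map the score to the three outcomes the text describes."""
    score = risk_score(ctx)
    if score >= DENY_THRESHOLD:
        return "deny"
    if score >= STEP_UP_THRESHOLD:
        return "step_up"
    return "allow"


def audit_line(ctx: AccessContext) -> str:
    """One log line per decision so the SOC can see why access was stepped up or denied."""
    reasons = ",".join(f"{name}={pts}" for name, pts in risk_factors(ctx)) or "none"
    return f"user={ctx.user} decision={decide(ctx)} score={risk_score(ctx)} reasons={reasons}"


def sample_contexts() -> dict[str, AccessContext]:
    """Constructed sign-in attempts for one fictitious user."""
    usual = dict(usual_countries=frozenset({"US"}), usual_hours=range(7, 20))
    return {
        # Everything matches the baseline: frictionless access.
        "routine": AccessContext("alice", True, "US", hour_utc=10, network_trusted=True,
                                 behavioral_score=0.1, **usual),
        # Known user on a new laptop: ask for a second factor rather than block.
        "new_device": AccessContext("alice", False, "US", hour_utc=11, network_trusted=True,
                                    behavioral_score=0.2, **usual),
        # Context is normal but typing/swiping no longer matches: step up on behavior alone.
        "behavior_drift": AccessContext("alice", True, "US", hour_utc=12, network_trusted=True,
                                        behavioral_score=0.9, **usual),
        # Every signal is off at once: refuse and let the audit trail explain why.
        "everything_wrong": AccessContext("alice", False, "BR", hour_utc=3, network_trusted=False,
                                          behavioral_score=0.8, **usual),
    }


if __name__ == "__main__":
    for name, ctx in sample_contexts().items():
        print(f"{name:17s} {audit_line(ctx)}")
```

Two design points worth noting: the behavioral score is applied as a scaled contribution rather than a boolean, so a user whose typing rhythm drifts slightly is not treated the same as one whose session has clearly changed hands; and every decision carries its firing reasons, because a step-up or deny that an analyst cannot explain is one that will be tuned out of existence.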
Stronger authentication is on the way with advanced technologies in various stages of development. For now, experts agree that the best solution is a combination of modalities.
Explore DigitalPersona to find out how you can prepare for the next step in secure, convenient authentication.
Jeff Carpenter is Director of Identity and Access Management solutions at Crossmatch. In this role, he is responsible for evangelizing Crossmatch’s DigitalPersona® solution. In his 10+ years in cybersecurity, Jeff has held positions with a number of top tier cybersecurity and technology companies, most recently he was with RSA, a Dell Technologies company. Jeff earned a Bachelor of Science degree in Business Administration from Creighton University in Omaha, Nebraska. He holds both a Certified Information Systems Security Professional (CISSP) and a Certified Cloud Security Professional (CCSP) designation.