For some time, we’ve been aware of the long list of issues that comes with using passwords as an authentication mechanism, including poor usability, expensive maintenance and vulnerability to server breaches. Despite this, there hasn’t been a particularly compelling authentication technology that could serve as a viable replacement for passwords.
Fortunately, that is changing. A number of recent developments, trends and new standards are coalescing to enable a powerful new model for user authentication – one that minimizes the “something you know” of passwords in favor of “something you have” plus “something you are.”
The first trend leverages a user’s mobile device either to supplement or even to replace a password login. Mobile phones, due to their processing power, connectivity, user interface and the affinity their owners have for them, make a very useful “what you have” authentication factor. Using the phone as a second factor doesn’t require employees to carry an additional device, since they already carry their phones with them.
There are different models for using a phone as an authentication factor. A popular one is the evolution of previous SMS-based systems. In this newer version, the user installs an authenticator app onto the device; in doing so, that device is effectively bound to the user’s account at the authentication server. At login time, the authentication server sends a notification to the app through the relevant push notification service. On the phone, the user then responds to the notification, either with a simple gesture or by copying a code from the phone to the computer where the login is taking place. If the response is valid, the authentication server can be confident that the legitimate device owner is attempting the login.
A second authentication trend leverages the emerging biometric capabilities of PCs, laptops, and mobile devices. More and more computing devices are being shipped with integrated biometric hardware, such as the iPhone’s TouchID and Samsung S5’s fingerprint scanner. In addition to biometrics in hardware, there are multiple apps available for download that enable other biometrics, like voice or face recognition. There is even an app that authenticates the user by detecting the characteristic pressure pattern on the screen when the phone is held to the ear for a call.
Typically, phone biometrics present an alternative to the typical PIN or pattern modes for unlocking the phone – or potentially a particular app on that phone. While useful, these biometrics don’t enable authentication of the user to an online server – a fundamental requirement if we are to reduce the use of passwords for that mechanism.
The FIDO Alliance is defining a suite of specifications that close this gap. FIDO standardizes a model in which the user authenticates locally to a device, potentially – but not exclusively – via biometrics. This local authentication serves to unlock a cryptographic key that can then be used to authenticate to an online authentication server. Critically, in the FIDO model, the biometric data never leaves the device and won’t be compromised should the authentication server get breached.
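The device-binding step from the push-notification model above and the FIDO unlock-then-sign flow, as an added Go example (constructed for this article, not FIDO or any vendor’s code): the server registers only a public key, issues a fresh challenge per login, and a signature is produced only after a local unlock that is simulated by the assumed `Unlocked` flag.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)
// Device is a simplified FIDO-style authenticator (constructed for this example): the key signs only after a local unlock.
type Device struct {
	priv     ed25519.PrivateKey
	Unlocked bool // set by the on-device biometric or PIN match; no biometric data leaves the device
}
func NewDevice() (*Device, ed25519.PublicKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Device{priv: priv}, pub
}
// Sign produces the assertion over the server's challenge; it refuses while locked.
func (d *Device) Sign(challenge []byte) (sig []byte, ok bool) {
	if !d.Unlocked {
		return nil, false
	}
	return ed25519.Sign(d.priv, challenge), true
}
// Server stores only public keys and one outstanding nonce per account; a breach of this table yields nothing replayable.
type account struct {
	pub       ed25519.PublicKey
	challenge []byte
}
type Server struct{ accounts map[string]*account }
func NewServer() *Server { return &Server{accounts: map[string]*account{}} }
// Register binds the device's public key to the account (the enrollment step).
func (s *Server) Register(user string, pub ed25519.PublicKey) { s.accounts[user] = &account{pub: pub} }
// Challenge issues a fresh 32-byte nonce for the device to sign.
func (s *Server) Challenge(user string) []byte {
	a, ok := s.accounts[user]
	if !ok {
		return nil
	}
	a.challenge = make([]byte, 32)
	rand.Read(a.challenge)
	return a.challenge
}
// Verify checks sig over the outstanding nonce and consumes it, so a replay fails.
func (s *Server) Verify(user string, sig []byte) bool {
	a, ok := s.accounts[user]
	if !ok || a.challenge == nil {
		return false
	}
	defer func() { a.challenge = nil }()
	return ed25519.Verify(a.pub, a.challenge, sig)
}
```

A real authenticator would also bind the signed data to the relying party and a counter, but the core property is visible here: the server-side record is a public key, so dumping it gives an attacker nothing to log in with.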
Another example of a biometric authentication model is that of Nymi – a wristband that can measure a user’s ECG and compare it to that previously recorded. If the patterns match, then the wristband indicates that to a companion phone application.
The authentication models discussed so far presume an explicit authentication action by the user – be it entering a PIN, swiping a phone screen or applying a fingerprint to a scanner. While these alternatives offer a better user experience than passwords, there is a need for a more seamless authentication experience.
The third authentication trend moves away from explicit logins, toward a more passive model – characterized as “recognition” by Bob Blakley in 2011. This authentication model is generally referred to as “continuous” to distinguish it from today’s intermittent reality. The premise is that the systems, applications and devices with which we interact will constantly monitor our behavior, actions and physical attributes. Then they will compare all that information to the expected patterns, transactions, face geometry and more to assess the identity of the user.
The list can include measuring how hard we swipe our phone screens, how fast we type common words, our gait as we walk, having our computer mouse scan our fingerprints and perhaps even how often we Tweet or post to Facebook.
Initially, continuous authentication models were more likely to be used to detect anomalous behavior, such as detecting that the person using the device is not the legitimate user. As a concrete example, Apple was recently awarded a patent for using its phone camera and facial recognition software to authenticate the user. Of course, this is not a new idea. What is arguably novel here is that Apple’s model does not have the phone capture an image of the user just once, but repeatedly, at a defined frequency. According to the patent:
“In an embodiment of the invention, an unlocked mobile device is configured to capture images, analyze the images to detect a user’s face, and automatically lock the device in response to determining that a user’s face does not appear in the images.”
In other words, in addition to unlocking the phone when it recognizes the user, the system will lock the phone when it does not recognize the user.
We’ve presented three authentication trends – mobile devices, biometrics becoming mainstream and the emergence of continuous authentication. While discussed as mostly independent, their real impact lies in their combination.
In the future, explicit logins will become the exception rather than the rule – the decision to require a login being determined by some calculation of risk by the system. When we occasionally do have to log in, we’ll leverage the biometric capabilities of the mobile devices and other things around us. Likewise, passwords will be the exception and not the norm. And those same devices will monitor us over time, alerting the authentication server if and when our status changes.
Taken together, these technologies and models enable a far less intrusive authentication experience for users, yet with enhanced security characteristics compared to today’s password status quo – a dynamic thought to be impossible in the past.