Advancements in Authentication: Improving Security
There are more headlines each day about hacks and data breaches that can be blamed on authentication shortcomings, yet industry news claims that new authentication methods are making us more secure. Certainly we have better authentication techniques today than in the past, but does that make us more secure? We do have new tools and techniques that position us well to improve security, and there is still ample room for improvement in the authentication space.
Let’s highlight two types of improvements we’re seeing: tweaks that make it easier for people to live with passwords, and new second factors to supplement or replace user-generated secrets (passwords).
Well-designed password meters – solutions grounded in empirical research on how people actually use passwords – help users cope. These are the indicators that dynamically guide the user to create a strong password. When the user is given concrete feedback on why the password is weak and how it can be improved, a stronger password is possible.
This approach enables us to focus on solutions that address real problems. Better passwords is an improvement and modern password managers help users in more substantial ways by generating long, random passwords, recommending unique credentials and auto-filling.
The exploration of new second factors also improves security. Push-based notifications via a mobile app to deliver an authentication request verifies that the user is in possession of the smartphone associated with the account, and security keys introduce a physical token for hardware-based protection. Both of these help address the shortcomings of passwords and are designed to be more human-centered and usable.
"Businesses that can adapt to this new model, and close the gap between policy and behavior, will succeed in improved security"
Let’s embrace improved authentication solutions while also minding the gap between the user behavior required to achieve the desired security properties and the user’s actual behavior. Employees are hired for their skills in a specific domain. Yes, they need to adhere to the security policy, but it is the CISO’s responsibility to deploy a realistic security policy that matches the threats employees face while giving them reasonable tools to achieve those goals. It’s futile to proclaim employees must do something for security’s sake or decree that a useful third-party digital channel, like Slack or WhatsApp, can’t be used. Make it easy to do the right thing, and users will more easily oblige with security protocols.
It's important to do your homework. Start by looking at which services and tools your employees are using to accomplish their goals. It’s become increasingly common for an employee to need a variety of third-party services to do their job: are you aware of all of them? Enterprise security is no longer about managing your own network. For example, collaboration tools like Slack are de facto requirements to work productively. Also, markets increasingly rely on WhatsApp for business communications. Adjust your threat model to accommodate new technology, and figure out how the authentication choices mesh with your plan. Next, embrace your role as an educator: design your policy and teach employees how it complements their workflow instead of hindering it.
Once you know what services are being used, security policies can be crafted accordingly. Use your judgment and require or recommend two-factor when it makes sense, it’s almost always better than a naked username and password. Unfortunately, despite advances in authentication, passwords are still the most widely deployed authentication method. Deploy a password manager and train your employees on how to use one effectively.
CISOs must understand which services their employees are actually using to do their job. Once they have that information, they will find it’s more straightforward to create and implement a reasonable authentication policy. Authentication is only one piece of your organization’s overall security policy. The system doesn’t stand alone, and you must ensure security plans match the reality of your company’s employees. Businesses that can adapt to this new model, and close the gap between policy and behavior, will succeed in improved security.
Advancements in Authentication: Creating New Problems
Creating New ProblemsWhen faced with the simple question of whether personal authentication is easier than it used to be, the vast majority of people will acknowledge that increased security has meant increased checks and complexity. When it comes to authentication, there are even bigger issues.
Let me start by asking these questions:
• How many passwords do you have today compared with 10 years ago?
• How much longer are those passwords than they used to be? Are they longer or shorter?
• For your most secure items, for example, your bank accounts: How complicated has setting up and using the authentication process become? Is it easier or harder?
• How secure do you think each authentication process you use really is?
• Are you making secure transactions (for example, payments or digital signatures) more frequently or less frequently than a few years ago?
• If your bank account was compromised due to unauthorized access, would the organization be accepting the blame or using their authentication features to blame you (the user) for leaking information that made the intrusion possible?
Most of the latest and ‘best’ authentication technologies rely on capturing significant amounts of personal information. They want to understand the people that need to be authenticated – their location, habits, working times, face, fingerprints, voice and more. This information can help authentication technologies run many different checks, often without needing to disturb the user.
The difficulty is that there is usually more than one entity that wants that same information from you. The company that employs you may want that for their authentication systems, but so does your bank, your home devices, your favorite web applications, and so on.
If all those entities have that information, is that really making you more secure? Is it really making the authentication process stronger? Also, what else might they use that personal information for?
It certainly doesn’t feel like I have improved security. It feels like there is more information about me online than there ever was.
From a capabilities perspective, there is no doubt that authentication security technologies have improved significantly. The issues are that these advancements have made managing access harder for the users of systems. Improvements in authentication have mostly relied on building out more personal information about who you are than you may even know about yourself.
These enhanced authentication techniques also mean that unlike passwords, where we really could have something unique for each system, most of us only possess, for example, a single face – and it turns out that it is pretty hard to encrypt your face. Your face can get photographed, scanned and each time a new technology claims to have achieved a new level of facial recognition security, an article comes along shortly afterwards about how the latest facial recognition security has been cracked.
If you thought authentication was a pain in the neck for regular people, it is even more complex for security functions inside companies and government organizations. Getting the rich diversity of internal, cloud, mobile, smart and other applications to use a common access and authentication architecture is usually significantly harder than herding a flock of cats towards a barking dog.
The main executive and critical departments within an organization must fully trust their security function, which must contain or access the right expertise and have a deep, accurate understanding of the business requirements of their organization. These things rarely exist together.
If you are a miracle worker and you have managed to get that executive support to mandate a standard access and authentication architecture, then you still have a further problem: What should you buy?
Gone are the days when authentication was a binary deal. Now even your authentication options have options. Even if you get the initial choice right, how long will the authentication work effectively for? Are there any legal or privacy concerns with the way any component in the authentication techniques work? Will you really be able to use it for everybody? For example, if your suppliers or customers have to use something else to access your systems, what holes in the authentication security does that create?
Although there are better authentication technologies available, the lack of government e-identity or a single trusted standard means that most people are using a more complex range of authentication techniques than ever before.
To conclude:
• There are too many authentication technologies
• Enterprise authentication solutions are expensive
• It’s a confused market with too much noise and choice
• Trust in ‘free’ authentication platforms has eroded
• Getting an enterprise to coordinate their access and authentication policy is like being effective at herding cats
Authentication may be more sophisticated than ever, but for most of us, it is not in a better and more secure place than in the past.