Passwords – devising them, remembering them, typing them in – can be a hassle for users, but polls on whether users would be willing to use alternative authentication methods are all over the place. Some show that users would rather use “anything” than passwords to authenticate their identities, while others claim that most users are fine with passwords.
But a poll of hackers asking them whether they would be in favor of a mass change of current authentication methods is rarely considered, because it would likely show that hackers would be opposed to users – their target victims – trading in their passwords for, say, Apple's new Face ID.
For hackers, like for everyone else, it's about the return on investment – how much they can get for the amount of time/money/effort expended. The traditional username/password authentication system works – for hackers. For them, passwords are like manna from heaven – their direct line into your online bank accounts and easy to guess.
According to Verizon, 81% of hacking incidents in 2016 were based on stolen or weak passwords. Even for the users who follow the rules and implement proper passwords – eight characters using random combinations of text and numbers, which are changed frequently – hackers have a large pool of tools to draw upon. Suffice it to say that no fewer than 95% of data breaches start with an e-mail phishing campaign, according to SANS Institute.
What if users were to abandon the use of usernames/passwords all together for authentication? What if they were to migrate to alternative forms of authentication – one-time password (OTP) via SMS, biometrics, or even a no-password push authentication-based connection? Could hackers maintain their levels of success – or would alternative authentication crimp their style? Just what would happen to their ROI?
There are three general authentication methods in use today – based on what a user has, what a user is, and what a user knows. When challenged, users need to provide the correct response, depending on the method used. Username/password login is the most popular example of a “what you know” scheme – but as we've seen, there are a lot of holes in that authentication method. If a user knows something, it's possible for a hacker to know it, too. Considering the many methods available to hackers to wrench that information from users, such as phishing schemes, the ROI for hackers on that is pretty good.
For various reasons – mostly due to user habit – passwords are still by far the most popular system for primary factor authentication. As a result, no company today would rely solely on password authentication; a second authentication factor is generally required, at the very least.
How do other authentication methods hit hacker ROI? Do they make breaking into systems more difficult? Not necessarily. A second authentication factor will generally be based on “what you are” or “what you have”. In the former, a user must respond to a physical challenge – a biometric authentication method where the user must present the correct thumbprint, as in Apple's Touch ID, or the right face, the method used by the company's new Face ID authentication system, in order to log in.
Apple claims that both systems are huge security improvements over passwords. With Touch ID, there is a one in 50,000 chance that a device's fingerprint scanner could recognize the wrong set of fingerprints as the correct ones; in Face ID, the chances of the system making a mistake are more like one in a million. While those sound like good odds for safe authentication – and making things much more difficult for hackers – it will take time to see just how secure Face ID is in the field.
Meanwhile, the National Institute of Standards and Technology (NIST) says that biometrics in general should not be relied upon as a primary authentication factor. Thumbprints, for example, could be lifted and fabricated into a “fake thumb,” and Apple itself admits that the tech is not 100% accurate – for example, it does not work on young children “because their distinct facial features may not have fully developed”.
That leaves us with “what you have.” One example of that type of authentication is text (SMS) messages – where a site will send a text message to a device in the possession of a user that must be typed in for authentication to take place. Here, too, NIST has weighed in, saying in its latest draft proposal on security that SMS should not be used as an authentication method as text messages can be stolen or spoofed and, according to NIST “doesn't have the strength of device authentication mechanisms inherent in the other authenticators allowable” in its standards.
Hardware tokens are another example of “what you have”, and hackers would likely have a hard time getting hold of the physical devices that are required to log in using this method. Yet hardware tokens have been dropped by most companies – also due to ROI issues. Supplying the tokens, maintaining them, and accounting for them is a huge expense, and inconvenient for users.
One “what you have” method worth looking at is no-password push authentication-based connections, where a device is used to authenticate the user without any password. The authentication information is sent via an app to the server, without any user involvement; it's much more convenient for users, as there is nothing they need to remember/change/update, and bad news for hackers, because there is nothing for them to guess or steal.
In my view, this is an authentication method that will give hackers fits as they attempt to break it. The chances of hackers being able to get hold of authentication information using this method are minimized. Thus their ROI goes down to next to nothing – as the work they will be required to invest is far too great to justify a payoff that is unlikely to materialize.
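The article describes push authentication only at a high level, so here is an added example (not code from the article or from any vendor's product) of what "nothing to guess or steal" means in practice: a minimal challenge-response login in Python in which the credential is a key generated on the device and never transmitted. The server sends a fresh, single-use challenge; the app answers it; a replayed response, a response computed for a look-alike server name, an expired challenge and an unenrolled device are all rejected. It uses an HMAC key so it runs with the standard library alone; real deployments normally use a device key pair so the server stores only a public key, which is what removes the server-side secret store as a theft target. The names (`Device`, `Server`, `bank.example`) and the 60-second challenge lifetime are assumptions of this example.

```python
"""Added example: a password-less, device-bound challenge-response login.

Illustrative only. An HMAC key is used so the example needs nothing beyond the
standard library; production push-authentication designs normally use an
asymmetric key pair so the server keeps only a public key.
"""
import hashlib
import hmac
import secrets
import time

CHALLENGE_TTL_SECONDS = 60  # assumed lifetime of an outstanding challenge


class Device:
    """The user's enrolled phone/app. The key is generated on-device and never leaves it."""

    def __init__(self):
        self._key = secrets.token_bytes(32)

    def enrollment_material(self) -> bytes:
        # With an asymmetric scheme this would be the public key only.
        return self._key

    def respond(self, server_id: str, challenge: bytes) -> bytes:
        # The response binds the fresh challenge to the server identity the app
        # is actually talking to, so a challenge relayed through a look-alike
        # name yields a response the real server will not accept.
        msg = server_id.encode() + b"|" + challenge
        return hmac.new(self._key, msg, hashlib.sha256).digest()


class Server:
    def __init__(self, server_id: str):
        self.server_id = server_id
        self._keys = {}      # username -> enrolled key material
        self._pending = {}   # username -> (challenge, issued_at)

    def enroll(self, username: str, material: bytes) -> None:
        self._keys[username] = material

    def issue_challenge(self, username: str, now=None) -> bytes:
        challenge = secrets.token_bytes(32)  # single-use, unpredictable nonce
        issued_at = time.time() if now is None else now
        self._pending[username] = (challenge, issued_at)
        return challenge

    def verify(self, username: str, response: bytes, now=None) -> bool:
        # Consume the challenge first: one challenge, one attempt, so a recorded
        # response cannot be replayed.
        pending = self._pending.pop(username, None)
        if pending is None or username not in self._keys:
            return False
        challenge, issued_at = pending
        now = time.time() if now is None else now
        if now - issued_at > CHALLENGE_TTL_SECONDS:
            return False
        msg = self.server_id.encode() + b"|" + challenge
        expected = hmac.new(self._keys[username], msg, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def login(server: Server, device: Device, username: str, now=None) -> bool:
    """One complete push-style login: challenge out, response back, verified."""
    challenge = server.issue_challenge(username, now)
    return server.verify(username, device.respond(server.server_id, challenge), now)


def demo() -> dict:
    """Runs the genuine login and the failure cases; returns a dict of outcomes."""
    real = Server("bank.example")          # constructed server name
    phone = Device()
    real.enroll("alice", phone.enrollment_material())

    results = {"genuine_login": login(real, phone, "alice")}

    # Replay: a recorded valid response is presented a second time.
    ch = real.issue_challenge("alice")
    resp = phone.respond(real.server_id, ch)
    results["first_use"] = real.verify("alice", resp)
    results["replay"] = real.verify("alice", resp)

    # Relay: the app answers for the name it sees, not the real server's name.
    ch = real.issue_challenge("alice")
    results["relayed_challenge"] = real.verify("alice", phone.respond("bank-example.com", ch))

    # Expired challenge: answered after the TTL has passed.
    t0 = 1_700_000_000
    ch = real.issue_challenge("alice", now=t0)
    late = phone.respond(real.server_id, ch)
    results["expired"] = real.verify("alice", late, now=t0 + CHALLENGE_TTL_SECONDS + 1)

    # A device that was never enrolled for this account.
    results["stranger_device"] = login(real, Device(), "alice")
    return results


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:18s} accepted={accepted}")
```

The point the article makes about ROI shows up in the failure cases: there is no reusable credential on the wire for a phisher to harvest and nothing for the user to type, so the attacker's remaining options are to compromise the enrolled device itself or the server's key store, both of which cost far more than guessing or phishing a password.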
Until now, hackers have essentially been little challenged; it’s been relatively easy for them to break through our defenses. With an authentication method that makes them work – very hard – to breach our systems, hackers will find that their work isn’t so easy anymore. It may just prompt them to find some other things to do - finally leaving the rest of us alone.