Authentication plays a key role in driving a seamless and secure digital experience
Nearly every online interaction today involves the indispensable need to prove that we are who we say we are. This can be done by providing one or more of the following three bits of information:
- Something you know, such as a password, passphrase or PIN.
- Something you have, such as a soft or hard token.
- Something you are, essentially your fingerprint or some other biometric data.
Given the important role authentication plays in driving user experiences that could directly impact privacy, security and revenue, it’s worthwhile thinking through what the future may hold.
While passwords have traditionally been the most popular means of primary authentication, they have limitations — particularly that the onus falls on users to remember and update passwords regularly. Security analysts will frequently cite stolen usernames and passwords as common methods to gain or escalate access during a breach. It’s nearly impossible to ensure that passwords don’t fall into the wrong hands, and the public usually has to rely on public disclosures of data breaches to find out if passwords have been hijacked for malicious means.
Multi-factor authentication mechanisms like short message service (SMS), tokens and biometric authentication are a fantastic improvement to protect accounts — but it’s important to acknowledge they aren’t foolproof. It doesn’t take a sophisticated hacker to hijack text messages. And while hardware authentication devices offer a secure method of authentication, they tend to be expensive, can be misplaced and can be hard to maintain.
With more sophisticated mechanisms like biometric authentication, there’s a chance of false negatives that disproportionately affect vulnerable communities and minorities. What’s more, a breach of biometric data could potentially have significant impact beyond the falsification of important legal documents like drivers’ licenses and passports. While acknowledging these limitations, let’s look at the future of authentication.
Password-free authentication has emerged as a leading trend. They generally rely on protocols such as FIDO2, public/private key cryptography and WebAuthN. These standards are designed to replace passwords with devices that people already use and carry, such as security cards, smart phones and smart watches.
Imagine walking up to your computer terminal and it instantly logs you in by recognizing your face, fingerprint, mobile device, smart watch, workplace security pass or, better yet, a combination of two or more of these factors. Such rapid and convenient authentication can provide a frictionless experience without compromising on security as you do away with passwords entirely. It’s also worth noting that organizations tend to see a decrease in total cost of ownership because passwords can be expensive to maintain. But an organization should take the following into consideration:
- It’s important to select the right technology, and how an organization deals with scalability and stolen devices should be top of mind when making this decision.
- Moving away from passwords is a cultural change no matter how you slice it. Consider training and winning hearts and minds.
User and entity behavior analytics
Rapid digitization, increased customer expectations and evolving regulatory requirements are driving adoption of biometrics among many organizations. It’s now common to authenticate using biometrics and then seamlessly conduct e-commerce and other online interactions. The next evolution will involve user and entity behavior analysis, offering more ways to authenticate users in a low-friction manner. It also addresses some risks, such as fraud and identity theft, that have become common and costly in today’s fast changing digital environments.
This type of authentication is largely invisible to the user. It builds a profile of normal user behavior, while identifying some unique user characteristics as normal via technologies such as machine learning. These patterns may be keystrokes and device handling — but it steps up to a stronger authentication method when something deemed suspicious occurs, such as unrealistic geo-velocity, where the access location of a user doesn’t match the time difference.
This method of authentication offers consumers almost invisible security. And while such emerging possibilities to combat fraud are clear, it’s also important to consider and at all times protect privacy.
There’s no doubt that passwords, cumbersome to manage and easy to exploit, should be a thing of the past. Transitioning away from passwords to reliable and convenient new methods we’ve discussed will require a change in mindset — and now is the right time to start. Users are already accustomed to their personal mobile devices providing biometric features like fingerprint and facial recognition. Businesses should welcome new ways to interact with their customers and workforces securely and conveniently.
A seamless and secure digital experience awaits.