On the password paradox and authentication innovation

Chances are that the device on which you’re reading this blog was accessed through one form of authentication or another. One of the most widespread of those methods is the password. Passwords have become such an integral part of our lives that we often don’t think about them anymore. However, danger lurks right around the corner if we drop our guard. The key to good authentication is to combine user-friendliness with security. Striking that balance is a challenge, but it can be met if we rethink and reinvent authentication. With the newest technologies at our fingertips, user-friendly and secure authentication is within reach. IBM’s Security Access Manager (SAM) allows you to do just that.

Read more about the future of authentication.

Time and time again, we hear of massive data breaches in which the data of millions of accounts is compromised. Moreover, a recent research report analyzed more than 10 million passwords sourced from 2016 breaches and found that the 25 most used passwords made up a whopping 50% of all passwords analyzed. Surprising? Not at all. In fact, it’s in our nature to struggle with passwords: we simply can’t remember (or can’t be bothered to remember) large numbers of long, difficult passwords, so we settle for easy passwords that we often reuse across multiple accounts. That starts at a young age already: part of my job as a cybersecurity expert at IBM is creating awareness among children about STEM subjects. During one of my so-called Hack4Teens sessions, the kids had to fill in a form (including name and …password) to win a prize at the end of the session. Not to my surprise, most of them admitted having submitted a password they use for Facebook or WhatsApp.

Easy to use, hard to hack

The goal of any solid authentication method can be summed up in two principles: easy, user-friendly access for yourself, and impossible access for everyone else. Forcing users to make their passwords harder, for instance by requiring numbers, special characters and capitals, may sound like a smart tactic, but it does nothing for the first principle: easy, user-friendly access.

Read here why passwords alone aren’t enough.

Innovation in authentication

This leads to what I call the password paradox. If you use only a few easy-to-remember passwords, you’re prone to being hacked. But if you use a wide variety of long, complex passwords, you won’t be able to keep track of them at all. Modern authentication methods can help create more user-friendliness while at the same time guaranteeing more security. All authentication methods can be split into three big groups, based on something unique that only you know, have, or are:

What-you-know: This group relies on things only you can know, like passwords, PIN codes, or security questions.

What-you-have: The best-known example is a debit card. Even if you have the PIN code, it is of no use without the actual, physical card.

What-you-are: This group encompasses all modern types of biometrics. Some physical characteristics are unique to you, and only you – think of a fingerprint, the iris of your eye, your face… There’s also behavioral biometrics, which relies on the way you talk, the way you walk, or even the unique rhythm with which you hit the keys on your keyboard.

For optimal security, a combination of two or more of these groups – so-called multi-factor authentication – is needed. Examples include a password combined with a login code sent via SMS, as some social networks do, or the debit card plus PIN example above.

View use-case scenarios for mobile multifactor authentication here.

Pass up on passwords?

A major driver of authentication innovation is mobile. With mobile devices adopted all over the workplace, and biometric authentication methods becoming more precise and cheaper, frictionless or password-less authentication is right around the corner. That is good news for both user experience and security: the less effort a user must put in, the more inclined he or she will be to take security into account.

Is anybody home?

One of these new mobile methods is presence authentication. When you log in to an application, your registered device receives a notification and lets you respond to a yes/no prompt, confirming that the user and the device match. It moves the user experience towards frictionless authentication: you no longer have to receive an SMS, open it, remember the code, and then type it into the app or website…

The example above uses your smartphone as the What-You-Have. Each device is unique, and registering it (so-called ‘device fingerprinting’) turns it into a unique authenticator. If your password gets stolen, nobody can do anything with it unless they also steal your mobile device. For additional security, the What-You-Are can be added: after notifying the user, the device can ask for fingerprint authentication – provided, of course, that the device is equipped with a fingerprint reader.
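To make the flow concrete, here is an added Python sketch of the exchange described above: the password check (what-you-know), the push prompt answered on the registered device (what-you-have), and an optional local fingerprint check (what-you-are). It illustrates both the factor combination from the multi-factor section and the presence authentication just described. It is example code written for this post, not IBM Verify's or the SAM Mobile SDK's implementation; it assumes that device registration shares a per-device HMAC key (standing in for the ‘device fingerprint’), that the yes/no prompt and the fingerprint match are simulated by booleans, and it uses constructed usernames, passwords and salts.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed values for the example only. A real deployment keeps the device key in
# the phone's hardware keystore and stores passwords with a proper password hash.
PASSWORD_SALT = b"constructed-example-salt"


def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), PASSWORD_SALT, 50_000)


def approval_message(nonce: str, user: str, device_id: str) -> bytes:
    # Both sides authenticate exactly this string, binding the approval to one login attempt.
    return f"{nonce}|{user}|{device_id}|approved".encode()


@dataclass
class RegisteredDevice:
    device_id: str
    device_key: bytes  # assumed: shared secret established at registration


@dataclass
class PendingChallenge:
    user: str
    device_id: str
    expires_at: float
    used: bool = False


class AuthServer:
    def __init__(self) -> None:
        self.password_hashes: dict[str, bytes] = {}
        self.devices: dict[str, RegisteredDevice] = {}
        self.pending: dict[str, PendingChallenge] = {}

    def register(self, user: str, password: str, device: RegisteredDevice) -> None:
        self.password_hashes[user] = hash_password(password)
        self.devices[user] = device

    def start_login(self, user: str, password: str, ttl: float = 60.0):
        """Factor 1 (what-you-know). On success, return the challenge pushed to the device."""
        stored = self.password_hashes.get(user)
        if stored is None or not hmac.compare_digest(stored, hash_password(password)):
            return None
        device = self.devices[user]
        nonce = secrets.token_hex(16)
        self.pending[nonce] = PendingChallenge(user, device.device_id, time.time() + ttl)
        return {"nonce": nonce, "user": user, "device_id": device.device_id}

    def finish_login(self, response: dict) -> bool:
        """Factor 2 (what-you-have). Accept only a fresh, unused, correctly tagged approval."""
        challenge = self.pending.get(response.get("nonce", ""))
        if challenge is None or challenge.used or time.time() > challenge.expires_at:
            return False
        challenge.used = True  # single use: a recorded approval cannot be presented twice
        if not response.get("approved"):
            return False
        device = self.devices[challenge.user]
        msg = approval_message(response["nonce"], challenge.user, challenge.device_id)
        expected = hmac.new(device.device_key, msg, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response.get("tag", ""))


class MobileDevice:
    def __init__(self, device_id: str, device_key: bytes, fingerprint_reader: bool = True) -> None:
        self.device_id, self.device_key, self.fingerprint_reader = device_id, device_key, fingerprint_reader

    def respond(self, challenge: dict, user_says_yes: bool, fingerprint_ok: bool = True) -> dict:
        """Show the yes/no prompt; with a reader present, also require a local fingerprint match."""
        approved = user_says_yes and (fingerprint_ok or not self.fingerprint_reader)
        response = {"nonce": challenge["nonce"], "approved": approved}
        if approved:
            msg = approval_message(challenge["nonce"], challenge["user"], self.device_id)
            response["tag"] = hmac.new(self.device_key, msg, hashlib.sha256).hexdigest()
        return response


def run_scenarios() -> dict:
    """Each value answers: was the login granted?"""
    server = AuthServer()
    phone = MobileDevice("phone-001", secrets.token_bytes(32))
    server.register("alice", "correct horse", RegisteredDevice(phone.device_id, phone.device_key))
    results = {}
    # Normal login: password, push prompt, user taps yes, fingerprint matches.
    ch = server.start_login("alice", "correct horse")
    first_response = phone.respond(ch, user_says_yes=True)
    results["password_plus_device"] = server.finish_login(first_response)
    # The same approval presented again is refused: the nonce is already consumed.
    results["replayed_approval"] = server.finish_login(first_response)
    # Correct password, but the registered device is not in hand: any other device
    # (different key) cannot produce a valid tag, which is the page's 'stolen password' case.
    ch = server.start_login("alice", "correct horse")
    other = MobileDevice("phone-001", secrets.token_bytes(32))
    results["password_without_device"] = server.finish_login(other.respond(ch, user_says_yes=True))
    # Push arrives for a login the user did not start, and the user taps no.
    ch = server.start_login("alice", "correct horse")
    results["user_declined"] = server.finish_login(phone.respond(ch, user_says_yes=False))
    # Wrong password: no challenge is ever pushed to the device.
    results["wrong_password"] = server.start_login("alice", "123456") is not None
    # Challenge left unanswered past its lifetime.
    ch = server.start_login("alice", "correct horse", ttl=-1.0)
    results["expired_challenge"] = server.finish_login(phone.respond(ch, user_says_yes=True))
    return results


if __name__ == "__main__":
    for name, granted in run_scenarios().items():
        print(f"{name:26s} -> {'granted' if granted else 'denied'}")
```

Two details carry the security of the sketch. The approval tag covers the server's random nonce, the username and the device id, so an approval recorded from one prompt says nothing about any other prompt, and the server marks each nonce used before checking the answer, so even a valid approval cannot be presented twice. The fingerprint step happens entirely on the device; the server never sees biometric data, only the signed yes.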

Watch this short film to learn how to achieve simple, strong mobile authentication.

Moving towards a secure and user-friendly future

The key, then, is to move as much of the authentication process as possible into the background. The modern methods discussed above are ways in which user experience design and security form the perfect marriage. At IBM Security, we have recently updated our existing IBM Security Access Manager (SAM) to include these stronger mobile methods. We released a Mobile SDK (Software Development Kit) that allows developers to easily include modes like fingerprint authentication, one-time password generation and presence authentication. The off-the-shelf solution is called IBM Verify: a ready-made mobile app built on that same mobile SDK. With these modern forms of authentication at your disposal, users can be authenticated without compromising user-friendliness too much.

Read here how organisations are using mobile multifactor authentication.