The fact that we continue to rely on passwords this deep into the digital age is more than a bit jarring. These alphanumeric scraps, the equivalent of digital skeleton keys, once served as a valuable tool. Unfortunately, passwords are now far more trouble than they're worth. They provide little protection against identity theft, breaches, and myriad other problems.
Yet completely ditching passwords is out of the question — at least for now. While they may rank as an almost total security fail and a bane for everyone, they remain an entrenched standard. Consequently, multifactor authentication (MFA) has become a necessity, but it too presents challenges bordering on outright problems.
This is the first of a two-part series about how businesses can adopt stronger and better authentication methods. While there's an immediate need to boost MFA adoption, it's also critical to move to more advanced and secure passwordless frameworks, including those that use biometrics.
Embarrassment of Riches
As with every technology, an accumulation of solutions eventually becomes a new problem. Most organizations and many consumers recognize the need to move beyond password-only authentication. Yet two-factor authentication (2FA) and even many MFA techniques were never designed for today's sophisticated digital frameworks.
"When you log into six different systems during the day and each of them uses a different method ... you wind up with two-factor authentication PTSD," says Michael Engle, co-founder and chief security officer at 1Kosmos. "You spend a significant time fetching codes and launching apps."
The mix of methods — including time-based one-time password (TOTP), SMS and email 2FA, push-based 2FA, universal second factor (U2F) tokens, WebAuthn, and desktop agents — introduce an often-confusing array of options for both companies and consumers. Making matters worse, they deliver varying levels of protection, and most people aren't equipped to understand the pros and cons. For instance, widely used SMS and email codes are easily intercepted or breached when a crook has access to a device. Toolkits that facilitate man-in-the-middle attacks and other password exploits are now widely available on sites such as GitHub.
Consumer and enterprise fatigue is at a breaking point. And while significantly better MFA and passwordless systems are taking shape — Apple, Google, and Microsoft have announced they are moving to passwordless sign-ins built on the FIDO2 standard — organizations continue to struggle with adoption.
Design, usability, and functionality are all critical. There's a need to convince people to move beyond a basic password and adopt MFA, but it's also critical to deploy higher grade MFA methods while moving to passwordless.
"This requires improved UX and education. There's a need for the process to be seamless," says Don Tait, a senior analyst at Omdia Consulting.
It's a startling and entirely disturbing fact: Despite a seemingly endless string of hacks, attacks, breaches, and breakdowns — 81% of hacking-related breaches are caused by password issues — only 29% of consumers believe that the inconvenience of 2FA is always worth the security trade-off. About 36% are willing to use 2FA in some cases, depending on the importance of the account.
The reasons for this reticence are at least partly rooted in the nature of today's online world. For better or worse, people expect Web pages to load instantaneously, and they seek access to accounts without any latency — even when dozens of APIs and servers around the world are required for a transaction. Remarkably, one study conducted by Microsoft found that the average person only has an attention span of approximately eight seconds.
Yet it's also clear that MFA frameworks can be a big hassle. Oftentimes, it's necessary to request a text code or pull out a phone and open an authenticator app from Google or Microsoft and type in a code. Meanwhile, physical tokens, such as YubiKey, offer stellar security — but they can be difficult to set up and use.
MFA participation is ticking up due to the pandemic and ominous warnings about the risks of relying on a password only; Okta found that MFA adoption rose by about 80% during the early stages of the pandemic. However, attacks are escalating and becoming more sophisticated. The net result is a relative move backward.
"There are too many companies giving too little thought to how to implement more advanced MFA and passwordless systems," says Jasson Casey, CTO for authentication vendor Beyond Identity. "You can't build a security architecture without considering design and usability. As the level of friction goes up, participation goes down."
These issues unfold in several ways. Design elements may hide MFA options or deliver confusing instructions for how to set it up. They sometimes provide confusing or ominous warnings that frighten users, or a site or service doesn't communicate the value of using MFA. Frequently, users don't see any compelling reason to adopt this additional layer of security.
"People turn to digital services because they're looking for ease of use and convenience," says Kalev Rundu, senior product manager at authentication firm Veriff. MFA must not be any different. It must fit seamlessly with the broader digital interaction and deliver a clear advantage or other forms of authentication.
Designs on Security
Gaining buy-in is critical. Researchers from the Max Planck Institute for Security and Privacy; the University of California, San Diego; and Facebook found that one of the keys to convincing people to turn on MFA is to present the decision as a personal empowerment choice. This might include a message like, "You can increase your protection against account hacking" or "Protect your account, pages and friends."
When researchers tested this personal responsibility approach with accompanying buttons on Facebook, it led to an uptick in MFA adoption by 33% among 622,419 participants. When users viewed a message about the advantages of being protected, they were 28% more likely to adopt MFA. On the other hand, the corporate responsibility button didn't prompt any change in behavior.
Another technique that boosts adoption revolves around an incentive or a reward — an approach that has already gained traction within gaming platforms like Fortnight and World of Warcraft. In 2019, a group of researchers from the University of Bonn and Leibniz University Hannover in Germany found that even a small incentive, such as an upgraded avatar or another small gift, can push numbers up.
Colors, placement, and design elements also matter. Delivering the request at the right moment — without interrupting the flow of an interaction or transaction — is crucial.
"It must be so easy that doing it for the first time has nearly no friction," 1Kosmos' Engle says. QR codes and push-to-app authentications can help, especially when a user can authorize the sign-in from a separate authorized device.
Still, none of these approaches are seamless — and they aren't bulletproof. The future of MFA and full passwordless systems lies in biometrics, FIDO2, and emerging systems that not only authenticate to an account on a device, but also verify a person's identity.
"A new era of authentication is emerging," Omdia's Tait says.
In part 2, Dark Reading takes a look at the rapidly evolving passwordless space and what companies need to do to stamp out passwords once and for all.