More people log into their devices and apps with smartphones at the ready, knowing a second-factor code will appear in the most common form of multi-factor authentication (MFA) as this security process increasingly becomes mainstream for consumers and businesses.
"I think that in the last couple of years end users started to broadly accept multi-factor authentication as necessary," says Paul Rabinovich, research director at Gartner.
By now, many know a simple password is no longer enough, a point emphasized by a growing number of security breaches and employers aiming to avoid an incident. CISOs used to educate users on quality passwords; now they know the ideal passwords are too complex to remember.
"For a long time the conventional wisdom was to just keep educating users on the quality of passwords they should be using without really taking into account the reason why people are forced into reusing them," says Wendy Nather, director of advisory CISOs at Duo Security.
When companies realized people were writing down long, complex passwords, or neglecting to adopt complex passwords altogether, they began to create and provide different methods of multi-factor authentication to employees and consumers. Over time, several forms of authentication have made their way into the mainstream.
So which techniques are working, which are not, and which will drive the future of MFA? Here, security experts weigh in.
Authentication Evolution: What Works, What Doesn't
Let's start from the beginning: "It's hard to talk about authentication without talking about passwords and the old way companies would authenticate," says John Sarreal, senior director of global product management at Experian.
"Obviously, everyone's used to passwords, but we also know passwords have been severely compromised over the years," he continues. Now, we're at a place where passwords are no longer sufficient and companies are forced to balance the ways they verify users. The crumbling security of passwords has driven the mainstream rise of multi-factor authentication.
There are three basic factors for verifying your identity during login: something you have (smartphone or hardware token), something you know (password, verification code), or a form of biometric authentication like a fingerprint or facial scan. Several forms of MFA have made their way into businesses: SMS and email codes, hardware tokens, and authenticator applications.
Not all MFA is created equal. Some forms – for example, SMS verification codes – are easy to implement and deploy but leave users open to compromise. In 2017 the National Institute of Standards and Technology (NIST) released Special Publication 800-63: Digital Identity Guidelines, which outline new identity management and authentication standards.
Their new guidelines suggested "deprecating" SMS 2FA because of its vulnerabilities as a second factor. Indeed, earlier this summer Reddit declared it detected a data breach and the main attack was conducted via SMS intercept. The company reported "We learned that SMS-based authentication is not nearly as secure as we would hope," as per a blog post.
A few months after it issued Special Publication 800-63, the NIST backpedaled, relaxing its previous statements on text-based authentication. It swapped the term "deprecated" for "restricted," a sign it meant to convey businesses are taking a risk with SMS 2FA, and not that the second factor will be faded out entirely. After all, SMS is often the only choice people have.
Despite the comparatively weak security, Nather says SMS tokens, or the "lowest common denominator," remain the most common form of authentication. Smartphones are expensive, she notes, and the bulk of mobile phone users around the world still use feature phones. New authentication technologies may be more effective but can't be implemented on most devices.
"SMS is still the only thing most likely to work across all types of mobile phones," she says.
Other forms of MFA, like hardware-based tokens, provide a higher level of security but pose a greater barrier to adoption, and haven't quite hit the mainstream because they require greater investment and effort on the part of organizations and their employees.
From an enterprise perspective, many organizations are grappling with the fact that the consumerization of IT means their staff and users are much pickier about the user experience they will accept, Nather explains. The business used to be able to dictate the devices and software their staff used; now, users demand to use their own devices and intuitive software.
Security vs. Convenience: Striking a Delicate Balance
As a result, one challenge for many authentication providers is building a secure tool people will consistently use. "The companies that are successful and that provide a frictionless user experience – they have a competitive advantage in the marketplace," says Sarreal.
In Experian's Global Fraud and Identity Report, researchers found three out of four businesses seek advanced authentication and security measures with little to no impact on the customer experience. While MFA adoption has improved, many still don't want to bother. Forty-two percent of millennials said they would conduct more online transactions if they encountered fewer security barriers, while only 30% of those 35 and older said the same.
"We have seen customers who have yet to pull the trigger on multi-factor authentication because they think they would get backlash from end users," says Thomas Pedersen, founder and CTO of OneLogin. "But the only way to protect against password theft is MFA."
A major authentication trend is the use of the password manager, at least at an enterprise level, Nather points out. It's becoming more popular to insert these between the user and the site or system their logging into. She anticipates the trend will continue to grow as companies seek out easy-to-use authentication to align with consumers' expectations.
Any time you start overloading users with more tools, there is a risk of pushback, she explains. However, most users find password managers easier than memorizing passwords on their own.
Users, especially in business-to-consumer scenarios, demand low-friction or no-friction authentication, says Rabinovich. There are many authentication technologies existing today, such as mobile push, which aim to provide that low-friction experience. Typically, apps supporting mobile push notifications will also support mobile one-time passwords (OTPs), which act as a soft token similar to a hardware token like RSA SecurID or Yubikey, he adds.
Other promising solutions, he says, involve passive behavioral biometric authentication. Examples include keystroke patterns, mouse movements, and mobile-device handling.
However, Rabinovich says, these technologies are "still in their infancy" and are often used alongside more traditional authentication methods. In the future, however, experts anticipate they'll become more sophisticated and increasingly more widespread.
Factors of the Future: What Comes Next?
The convenience barrier is driving authentication providers to build more seamless solutions designed to authenticate based on several factors – users who log in with the same device each time, usage habits, time of day they're online, and so forth. If someone always accesses their account on the same laptop, for example, the risk factor is lower.
"I feel like what this is evolving into, and where the market is heading … is applying multi-factor techniques in a more contextual way," says Sarreal. The need for improved security is especially great in account creation, during which organizations need to verify users are who they claim to be during the onboarding process. MFA doesn't help if that component is vulnerable, he notes.
The term some use to describe this is adaptive authentication, and the industry is seeing greater interest as businesses aim to increase security and decrease friction. Biometrics is seeing renewed interest, especially in the context of new FIDO standards, says Rubinovich.
However, there are tradeoffs, Sarreal says, citing his experience in the fraud space. As security tools become more advanced, so too are attackers. "The tradeoff is the more layers you add, the more passive authentication systems you rely on, fraudsters can detect those," he says.
There's an "arms race" of applying increasingly advanced techniques to protect the perimeter, and he advises clients to implement a holistic layered-security strategy so they know which level of protection each vendor is providing and orchestrate between them.
Black Hat Europe returns to London Dec 3-6 2018 with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.