Dark Reading is part of the Informa Tech Division of Informa PLC

Authentication Grows Up

Which forms of multi-factor authentication (MFA) are working, which are not, and where industry watchers think the market is headed.

More people now log in to their devices and apps with a smartphone at the ready, expecting a second-factor code to arrive. That is the most common form of multi-factor authentication (MFA), and the practice is increasingly mainstream for consumers and businesses.

"I think that in the last couple of years end users started to broadly accept multi-factor authentication as necessary," says Paul Rabinovich, research director at Gartner.

By now, many know a simple password is no longer enough, a point emphasized by a growing number of security breaches and employers aiming to avoid an incident. CISOs used to educate users on quality passwords; now they know the ideal passwords are too complex to remember.

"For a long time the conventional wisdom was to just keep educating users on the quality of passwords they should be using without really taking into account the reason why people are forced into reusing them," says Wendy Nather, director of advisory CISOs at Duo Security.

When companies realized people were writing down long, complex passwords, or neglecting to adopt complex passwords altogether, they began to create and provide different methods of multi-factor authentication to employees and consumers. Over time, several forms of authentication have made their way into the mainstream.

So which techniques are working, which are not, and which will drive the future of MFA? Here, security experts weigh in.

Authentication Evolution: What Works, What Doesn't

Let's start from the beginning: "It's hard to talk about authentication without talking about passwords and the old way companies would authenticate," says John Sarreal, senior director of global product management at Experian.

"Obviously, everyone's used to passwords, but we also know passwords have been severely compromised over the years," he continues. Now, we're at a place where passwords are no longer sufficient and companies are forced to balance the ways they verify users. The crumbling security of passwords has driven the mainstream rise of multi-factor authentication.

There are three basic factors for verifying your identity during login: something you have (smartphone or hardware token), something you know (password, verification code), or something you are (a biometric such as a fingerprint or facial scan). Several forms of MFA have made their way into businesses: SMS and email codes, hardware tokens, and authenticator applications.

Not all MFA is created equal. Some forms – for example, SMS verification codes – are easy to implement and deploy but leave users open to compromise. In 2017 the National Institute of Standards and Technology (NIST) released Special Publication 800-63: Digital Identity Guidelines, which outline new identity management and authentication standards.

NIST's new guidelines suggested "deprecating" SMS 2FA because of its vulnerabilities as a second factor. Indeed, earlier this summer Reddit disclosed a data breach in which the main attack was conducted via SMS intercept. "We learned that SMS-based authentication is not nearly as secure as we would hope," the company wrote in a blog post.

A few months after issuing Special Publication 800-63, NIST backpedaled, relaxing its earlier statements on text-based authentication. It swapped the term "deprecated" for "restricted," signaling that businesses take on risk with SMS 2FA, not that the second factor will be phased out entirely. After all, SMS is often the only choice people have.

Despite the comparatively weak security, Nather says SMS tokens, or the "lowest common denominator," remain the most common form of authentication. Smartphones are expensive, she notes, and the bulk of mobile phone users around the world still use feature phones. New authentication technologies may be more effective but can't be implemented on most devices.

"SMS is still the only thing most likely to work across all types of mobile phones," she says.

Other forms of MFA, like hardware-based tokens, provide a higher level of security but pose a greater barrier to adoption, and haven't quite hit the mainstream because they require greater investment and effort on the part of organizations and their employees.

From an enterprise perspective, many organizations are grappling with the fact that the consumerization of IT has made their staff and users much pickier about the user experience they will accept, Nather explains. Businesses used to be able to dictate the devices and software their staff used; now, users demand to use their own devices and intuitive software.

Security vs. Convenience: Striking a Delicate Balance

As a result, one challenge for many authentication providers is building a secure tool people will consistently use. "The companies that are successful and that provide a frictionless user experience – they have a competitive advantage in the marketplace," says Sarreal.

In Experian's Global Fraud and Identity Report, researchers found three out of four businesses seek advanced authentication and security measures with little to no impact on the customer experience. While MFA adoption has improved, many still don't want to bother. Forty-two percent of millennials said they would conduct more online transactions if they encountered fewer security barriers, while only 30% of those 35 and older said the same.

"We have seen customers who have yet to pull the trigger on multi-factor authentication because they think they would get backlash from end users," says Thomas Pedersen, founder and CTO of OneLogin. "But the only way to protect against password theft is MFA."

A major authentication trend is the use of the password manager, at least at the enterprise level, Nather points out. It's becoming more popular to insert these between the user and the site or system they're logging into. She anticipates the trend will continue to grow as companies seek out easy-to-use authentication to align with consumers' expectations.

Any time you start overloading users with more tools, there is a risk of pushback, she explains. However, most users find password managers easier than memorizing passwords on their own.

Users, especially in business-to-consumer scenarios, demand low-friction or no-friction authentication, says Rabinovich. Many authentication technologies available today, such as mobile push, aim to provide that low-friction experience. Typically, apps supporting mobile push notifications will also support mobile one-time passwords (OTPs), which act as a soft token similar to a hardware token like RSA SecurID or YubiKey, he adds.

Other promising solutions, he says, involve passive behavioral biometric authentication. Examples include keystroke patterns, mouse movements, and mobile-device handling.

However, Rabinovich says, these technologies are "still in their infancy" and are often used alongside more traditional authentication methods. In the future, however, experts anticipate they'll become more sophisticated and increasingly more widespread.

Factors of the Future: What Comes Next?

The convenience barrier is driving authentication providers to build more seamless solutions designed to authenticate based on several factors – users who log in with the same device each time, usage habits, time of day they're online, and so forth. If someone always accesses their account on the same laptop, for example, the risk factor is lower.

"I feel like what this is evolving into, and where the market is heading … is applying multi-factor techniques in a more contextual way," says Sarreal. The need for improved security is especially great in account creation, during which organizations need to verify users are who they claim to be during the onboarding process. MFA doesn't help if that component is vulnerable, he notes.

The term some use to describe this is adaptive authentication, and the industry is seeing greater interest in it as businesses aim to increase security and decrease friction. Biometrics is also seeing renewed interest, especially in the context of new FIDO standards, says Rabinovich.
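As an added example (not from the article or any vendor quoted in it), here is a minimal adaptive-authentication decision in Python: it scores a login attempt against the contextual signals the article lists (same device, habitual hours, usual network) and decides whether to allow it, require a second factor, or deny it. Every weight, threshold, class name and the sample profile is an assumption made for illustration.

```python
# Added example, not from the article: a minimal adaptive-authentication risk
# scorer that weighs the contextual signals the article lists (same device,
# habitual hours, usual network). Weights and thresholds are assumed values.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class UserProfile:
    known_devices: set   # device fingerprints seen on earlier successful logins
    usual_hours: set     # hours of day (0-23) at which the user normally logs in
    home_networks: list  # ip_network objects the user normally connects from
    recent_failures: int = 0  # failed attempts on this account in the last window

@dataclass
class LoginAttempt:
    device_id: str
    hour: int
    source_ip: str

# Illustrative weights: each unfamiliar signal adds risk (assumed values).
WEIGHTS = {"new_device": 40, "odd_hour": 15, "new_network": 25, "failures": 30}
MFA_THRESHOLD = 20   # at or above this, require a second factor
DENY_THRESHOLD = 60  # at or above this, block the attempt and alert

def risk_score(profile: UserProfile, attempt: LoginAttempt):
    """Return (score, reasons) for one login attempt against the user's history."""
    score, reasons = 0, []
    if attempt.device_id not in profile.known_devices:
        score += WEIGHTS["new_device"]; reasons.append("new_device")
    if attempt.hour not in profile.usual_hours:
        score += WEIGHTS["odd_hour"]; reasons.append("odd_hour")
    if not any(ip_address(attempt.source_ip) in net for net in profile.home_networks):
        score += WEIGHTS["new_network"]; reasons.append("new_network")
    if profile.recent_failures >= 5:
        score += WEIGHTS["failures"]; reasons.append("repeated_failures")
    return score, reasons

def decide(profile: UserProfile, attempt: LoginAttempt) -> str:
    """Map the risk score to 'allow', 'step_up_mfa' or 'deny'."""
    score, _ = risk_score(profile, attempt)
    if score >= DENY_THRESHOLD:
        return "deny"
    if score >= MFA_THRESHOLD:
        return "step_up_mfa"
    return "allow"

# Constructed sample profile: one known laptop, office hours, one office network.
ALICE = UserProfile({"laptop-A"}, set(range(8, 19)), [ip_network("203.0.113.0/24")])
```

A familiar laptop during office hours from the office network scores 0 and is allowed; an unknown device alone triggers a step-up prompt, and an unknown device at 3 a.m. from an unfamiliar network is denied.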

However, there are tradeoffs, Sarreal says, citing his experience in the fraud space. As security tools become more advanced, so too do attackers. "The tradeoff is the more layers you add, the more passive authentication systems you rely on, fraudsters can detect those," he says.

There's an "arms race" of applying increasingly advanced techniques to protect the perimeter, and he advises clients to implement a holistic layered-security strategy so they know which level of protection each vendor is providing and orchestrate between them.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
