Many simply call it "the problem of the password." But those five words summarize one of the most enduring challenges in the history of technology: From both a user experience (UX) and security standpoint, passwords and authentication protocols are as dangerously problematic as they are ubiquitous.
They're certainly the bane of most end users — and have been for some time. One survey famously found nearly four out of ten people would rather clean their bathroom than change a password. But this cognitive burden is dwarfed by the growing extent of the security threat. Indeed, weak or stolen passwords account for up to 81% of all data breaches and have the potential to create threats to our civil and national infrastructure, according to the 2017 Verizon Data Breach Investigations Report.
Fortunately, we're seeing momentum behind open, scalable standards for stronger authentication that is both interoperable and non-phishable. The more we understand these efforts and the challenges that drive them, the more we can embrace solutions and put them to work in our industries.
You can see some of that momentum in what the FIDO (Fast Identity Online) Alliance has done to develop ubiquitous, technology-agnostic security standards for authentication. FIDO released a set of standards aimed primarily at mobile authentication shortly after its founding in 2012 by a half-dozen companies — including Nok Nok Labs, Lenovo, and PayPal.
Since then, the nonprofit industry consortium has grown to hundreds of members — including the biggest names in technology, banking, telecommunications, consumer electronics, and many other sectors. This past April marked the release of the FIDO2 standard — supported by Google, Microsoft, and Mozilla — to expand stronger, phishing-resistant authentication to web browsers.
The Achilles' Heel of Authentication at Scale
The Holy Grail for authentication is to unify standards not just around all kinds of devices but also around all modes of authentication — passwords, biometrics, smart cards, security tokens, and even new methods that haven't been invented yet. This is the kind of ubiquity needed to scale security infrastructure — to literally "scale trust."
If this sounds like a stretch, look no further than the OPM and Yahoo breaches, or any other attack aimed at databases that aggregate many passwords or any kind of secrets together. The threat levels have grown despite the advent of more complex password requirements and other new forms of authentication; and databases that aggregate many credential secrets together remain the most coveted breach targets in cyberspace.
Indeed, in a 2016 study of 900 phishing attacks, Verizon found nine out of ten were in search of user credentials. Unfortunately, this context shows how the lack of a standardized, secure authentication ecosystem is the Achilles' heel of operating at enterprise scale — creating serious vulnerabilities in the computing infrastructure that powers our daily lives.
Putting Better Authentication Standards to Work
For your own company, the key to standardizing authentication is proper integration. For instance, FIDO standards — including the most recent FIDO2 enhancement — are not about any specific method of authentication. They're about creating a flexible infrastructure in which you can use any method of authentication that's right for the business application. And it's about doing that with a single developer API and a single back end that can power authentication regardless of whether you're using a mobile device, PC browser, kiosk, set-top box, or some other device.
This highly technical work should be guided by the same principle behind a fairly accessible analogy: Think of the average household kitchen and imagine if — every time you bought a dishwasher, microwave, toaster, or some other appliance — you had to bust open the wall and install new custom wiring all the way back to the electricity pole! Thankfully, unified electrical standards save us from that fate, keep us safe, and allow us ease of use.
Your IT solution should achieve the same things with authentication, and your efforts should be guided by three key questions:
Question 1: What is the experience you want to create for the end user?
Answer: It should be frictionless. For consumers or business users, remembering passwords is a big point of friction. If you can eliminate passwords and replace them with strong, flexible cryptographic security and open standards, you can provide a better experience for your users and you'll see fewer abandoned transactions and reduced call center costs. However, you must remember that different users require individualized experiences. For example, office workers who sit at desks may require a different experience compared with first responders who are mobile in the field and work with different equipment through their shifts.
Question 2: What risks and security problems are you trying to retire or prevent?
Answer: With 81% of today's data breaches attributed to scalable phishing attacks against passwords (according to the 10th edition of the Verizon Data Breach Investigations Report in 2018) and the ever-increasing specter of consumer fraud, it is important to focus on mitigating the risk across all channels and devices, including web, mobile, Internet of Things, etc. Some security problems are universal, such as phishing. Solutions that rely on end users making distinctions between good and bad requests are doomed to fail — many legacy authentication mechanisms like SMS OTP fall into this category. Some security problems are also specific. For example, a defense contractor has to worry about determined adversaries, such as nation-states, that may conduct targeted attacks on its high-level employees. The defense contractor may require strong authentication solutions that combine something you have, something you are, and something you know to raise the level of security.
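What makes FIDO2 "non-phishable" is that the relying party, not the user, decides whether a login request is good or bad: the browser writes the page origin into the signed client data and the authenticator scopes the credential to the relying party's ID. The following is an added example (not code from the article or the FIDO Alliance) of those server-side checks, with a hypothetical relying party `example.com` and constructed sample messages; signature verification, which follows these checks in a real deployment, is left out.

```python
import base64
import hashlib
import json

RP_ID = "example.com"                          # hypothetical RP ID (constructed)
EXPECTED_ORIGIN = "https://login.example.com"  # origin the RP expects the browser to report

def b64url_decode(data: str) -> bytes:
    """Decode unpadded base64url, the encoding WebAuthn uses for client data."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))

def verify_client_data(client_data_b64: str, authenticator_data: bytes,
                       expected_challenge: bytes) -> tuple:
    """Relying-party checks that make a FIDO2 assertion phishing-resistant.
    Signature verification over authenticatorData || SHA-256(clientDataJSON)
    follows these checks in a real RP and is omitted here."""
    try:
        client_data = json.loads(b64url_decode(client_data_b64))
        challenge = b64url_decode(client_data.get("challenge", ""))
    except (ValueError, TypeError, AttributeError):
        return False, "clientDataJSON is not well-formed"
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    # Challenge is a server-issued nonce: a replayed assertion fails here.
    if challenge != expected_challenge:
        return False, "challenge mismatch"
    # The browser, not the user, writes the origin. A look-alike site cannot
    # make it equal the RP's origin, so the user never has to spot the fake.
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch: %s" % client_data.get("origin")
    # rpIdHash (first 32 bytes of authenticatorData) shows the authenticator
    # scoped the credential to this RP ID, not to some other domain.
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not authenticator_data[32] & 0x01:          # UP (user present) flag
        return False, "user presence flag not set"
    return True, "assertion bound to expected origin and RP ID"

def make_client_data(origin: str, challenge: bytes) -> str:
    """Constructed clientDataJSON, base64url-encoded as a browser would send it."""
    enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    payload = {"type": "webauthn.get", "challenge": enc(challenge), "origin": origin}
    return enc(json.dumps(payload).encode())

def make_auth_data(rp_id: str, flags: int = 0x01, counter: int = 1) -> bytes:
    """Constructed authenticatorData: rpIdHash || flags || 4-byte signCount."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + counter.to_bytes(4, "big")
```

The same check rejects an assertion captured on a look-alike origin, one replayed with a stale challenge, and one produced by a credential registered to a different RP ID, which is the property that SMS OTP and other user-judged schemes cannot offer.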
Question 3: What are the economic considerations or profitability measures that affect how you build and fund your solution?
Answer: A business that makes $2/user/year may not be able to afford to distribute $10 tokens to its customers. A defense contractor, on the other hand, may spend upward of $100/user/year to adequately protect its employees. Ask yourself questions that will affect your top line and bottom line, such as: How do I increase my customer revenue and employee productivity with better experience and engagement? How do I reduce costs? (Think of the cost of password resets, cost of hardware tokens, expensive vendor lock-ins with a proprietary solution, and cost of integration and development of a new application.) You want to build a solution that is simple, secure, and scalable.
Finally, remember to embrace agile development processes. Find a business sponsor internally who wishes to transform customer experience, lower friction in engagement, or meet a regulatory hurdle. Run a small proof of concept and embrace fail-fast iterations to learn and improve on your solution. As confidence and success stories grow within the organization, create a multiyear road map for which authentication systems you'll employ — and how you plan to integrate them. The result will be a much more solid and secure foundation as you scale the business.