Rajiv Dholakia
Beyond Passwords: Why Your Company Should Rethink Authentication

Scaling security infrastructure requires scaling trust of users, devices, and methods of authentication. Here's how to get started.

Many simply call it "the problem of the password." But those five words summarize one of the most enduring challenges in the history of technology: From both a user experience (UX) and security standpoint, passwords and authentication protocols are as dangerously problematic as they are ubiquitous.

They're certainly the bane of most end users — and have been for some time. One survey famously found nearly four out of ten people would rather clean their bathroom than change a password. But this cognitive burden is dwarfed by the growing extent of the security threat. Indeed, weak or stolen passwords account for up to 81% of all data breaches and have the potential to create threats to our civil and national infrastructure, according to the 2017 Verizon Data Breach Investigations Report. 

Standardizing Authentication
Fortunately, we're seeing momentum behind standards for stronger, open, and scalable authentication that is both interoperable and non-phishable and secures the authentication process. The more we understand these efforts and the challenges that drive them, the more we can embrace solutions and put them to work in our industries.

You can see some of that momentum in what the FIDO (Fast Identity Online) Alliance has done to develop ubiquitous, technology-agnostic security standards for authentication. FIDO released a set of standards aimed primarily at mobile authentication shortly after its founding in 2012 by a half-dozen companies — including Nok Nok Labs, Lenovo, and PayPal. 

Since then, the nonprofit industry consortium has grown to hundreds of members — including the biggest names in technology, banking, telecommunications, consumer electronics, and many other sectors. This past April marked the release of the FIDO2 standard — supported by Google, Microsoft, and Mozilla — to expand stronger, phishing-resistant authentication to web browsers.

The Achilles' Heel of Authentication at Scale
The Holy Grail for authentication is to unify standards not just around all kinds of devices but also around all modes of authentication — passwords, biometrics, smart cards, security tokens, and even new methods that haven't been invented yet. This is the kind of ubiquity needed to scale security infrastructure — to literally "scale trust."

If this sounds like a stretch, look no further than the OPM and Yahoo breaches, or any other attack aimed at databases that aggregate many passwords or any kind of secrets together. The threat levels have grown despite the advent of more complex password requirements and other new forms of authentication; and databases that aggregate many credential secrets together remain the most coveted breach targets in cyberspace.

Indeed, in a 2016 study of 900 phishing attacks, Verizon found nine out of ten were in search of user credentials. Unfortunately, this context shows how the lack of a standardized, secure authentication ecosystem is the Achilles' heel of operating at enterprise scale — creating serious vulnerabilities in the computing infrastructure that powers our daily lives.

Putting Better Authentication Standards to Work
For your own company, the key to standardizing authentication is proper integration. For instance, FIDO standards — including the most recent FIDO2 enhancement — are not about any specific method of authentication. They're about creating a flexible infrastructure in which you can use any method of authentication that's right for the business application. And it's about doing that with a single developer API and a single back end that can power authentication regardless of whether you're using a mobile device, PC browser, kiosk, set-top box, or some other device. 

This highly technical work should be guided by the same principle behind a fairly accessible analogy: Think of the average household kitchen and imagine if — every time you bought a dishwasher, microwave, toaster, or some other appliance — you had to bust open the wall and install new custom wiring all the way back to the electricity pole! Thankfully, unified electrical standards save us from that fate, keep us safe, and allow us ease of use.

Your IT solution should achieve the same things with authentication, and your efforts should be guided by three key questions:

Question 1: What is the experience you want to create for the end user?
Answer: It should be frictionless. For consumers or business users, remembering passwords is a big point of friction. If you can eliminate passwords and replace them with strong, flexible cryptographic security and open standards, you can provide a better experience for your users and you'll see fewer abandoned transactions and reduced call center costs. However, you must remember that different users require individualized experiences. For example, office workers who sit at desks may require a different experience compared with first responders who are mobile in the field and work with different equipment through their shifts.

Question 2: What risks and security problems are you trying to retire or prevent?
Answer: With 81% of today's data breaches attributed to scalable phishing attacks against passwords (according to the 10th edition of the Verizon Data Breach Investigations Report in 2018) and the ever-increasing specter of consumer fraud, it is important to focus on mitigating the risk across all channels and devices, including web, mobile, Internet of Things, etc. Some security problems are universal, such as phishing. Solutions that rely on end users making distinctions between good and bad requests are doomed to fail; many legacy authentication mechanisms, such as SMS OTP, fall into this category. Other security problems are specific to the organization. For example, a defense contractor has to worry about determined adversaries, such as nation-states, that may conduct targeted attacks on its high-level employees. Such a contractor may require strong authentication solutions that combine something you have, something you are, and something you know to raise the level of security.
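The contrast drawn above, between mechanisms that depend on the user spotting a fake request and mechanisms that do not, is easiest to see in what a FIDO2/WebAuthn relying party actually checks. The following is an added example, not code from the article or from Nok Nok Labs: it reproduces the checks the WebAuthn specification requires before signature verification (ceremony type, one-time challenge, origin, rpIdHash, user-presence flag). The relying party `login.example.com`, the lookalike origin, and the browser's response are all constructed stand-ins; signature verification over `authenticatorData || SHA-256(clientDataJSON)` is left out because it needs a public-key library, but the payload that the authenticator's key signs is shown so the binding is visible.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Tuple

# Constructed relying-party state (hypothetical site, not a real deployment).
RP_ORIGIN = "https://login.example.com"
RP_ID = "example.com"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def new_challenge() -> str:
    """Server-side: fresh random challenge, stored per session, accepted once."""
    return b64url_encode(secrets.token_bytes(32))


def browser_assertion(challenge: str, origin: str) -> dict:
    """Constructed stand-in for what navigator.credentials.get() returns.

    The browser (not the page's script) writes 'origin' from its own URL bar
    into clientDataJSON, and the authenticator signs over a hash of it, so a
    lookalike domain ends up with an assertion bound to the wrong origin.
    """
    client_data = {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    client_data_json = json.dumps(client_data, separators=(",", ":")).encode()
    # authenticatorData: rpIdHash (32 bytes) || flags (1 byte) || signCount (4 bytes)
    rp_id_hash = hashlib.sha256(RP_ID.encode()).digest()
    flags = b"\x01"  # bit 0 = user present (UP)
    authenticator_data = rp_id_hash + flags + (1).to_bytes(4, "big")
    return {
        "clientDataJSON": b64url_encode(client_data_json),
        "authenticatorData": b64url_encode(authenticator_data),
    }


def signed_payload(assertion: dict) -> bytes:
    """Bytes the authenticator's private key signs: authData || SHA-256(clientDataJSON)."""
    return b64url_decode(assertion["authenticatorData"]) + hashlib.sha256(
        b64url_decode(assertion["clientDataJSON"])
    ).digest()


def verify_assertion(assertion: dict, expected_challenge: str) -> Tuple[bool, str]:
    """Relying-party checks that precede signature verification; the user never
    has to judge whether the login page was genuine."""
    client_data = json.loads(b64url_decode(assertion["clientDataJSON"]))
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not hmac.compare_digest(client_data.get("challenge", ""), expected_challenge):
        return False, "challenge mismatch (replay or stale session)"
    if client_data.get("origin") != RP_ORIGIN:
        return False, f"origin mismatch: {client_data.get('origin')!r}"
    auth_data = b64url_decode(assertion["authenticatorData"])
    if len(auth_data) < 37:
        return False, "authenticator data too short"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    # At this point a real relying party verifies the signature over
    # signed_payload(assertion) with the credential's stored public key.
    return True, "ok"


if __name__ == "__main__":
    challenge = new_challenge()
    print(verify_assertion(browser_assertion(challenge, RP_ORIGIN), challenge))
    print(verify_assertion(browser_assertion(challenge, "https://login.example-com.net"), challenge))
```

An SMS one-time code typed into a lookalike page is valid wherever the attacker relays it; here the origin is written by the browser and covered by the signature, so the same user action on a lookalike site produces an assertion the real relying party rejects on the origin check alone.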

Question 3: What are the economic considerations or profitability measures that affect how you build and fund your solution?
Answer: A business that makes $2/user/year may not be able to afford to distribute $10 tokens to its customers. A defense contractor, on the other hand, may spend upward of $100/user/year to adequately protect its employees. Ask yourself questions that will affect your top line and bottom line, such as: How do I increase my customer revenue and employee productivity with better experience and engagement? How do I reduce costs? (Think of the cost of password resets, cost of hardware tokens, expensive vendor lock-ins with a proprietary solution, and cost of integration and development of a new application.) You want to build a solution that is simple, secure, and scalable.

Finally, remember to embrace agile development processes. Find a business sponsor internally who wishes to transform customer experience, lower friction in engagement, or meet a regulatory hurdle. Run a small proof of concept and embrace fail-fast iterations to learn and improve on your solution. As confidence and success stories grow within the organization, create a multiyear road map for which authentication systems you'll employ — and how you plan to integrate them. The result will be a much more solid and secure foundation as you scale the business.


Rajiv Dholakia is the vice president of products at Nok Nok Labs and is responsible for strategy and the development of the company's products and solutions. He has more than 30 years of global operating experience in private and public companies spanning security, ecommerce, ...
