Insights

Identity protection: What future for client authentication?

Wed 31 Mar 2021

Customers authentication is constantly changing, at an ever faster pace. However, the way we access services hasn’t changed much: passwords are still the main method of authenticating users. Is there a way to a world without a password?

For all companies, authentication is a major security issue and often the main source of vulnerability to their network security.

The need for strong authentication today is due to the convergence of several elements: the rise of customer portals, the rapid adoption of IoT technologies, the regulatory compliance, and the threat sophistication.

The move to passwordless authentication has become a hot topic. However, it is not possible at present to operate completely without passwords. We therefore ask ourselves: “How will authentication methods evolve in the coming years?”

Limitation of passwords

Most organizations still use traditional passwords as their primary authentication method. However, the multiplication of user accounts creates many problems:

Poor user experience: difficulty for users to remember multiple passwords,

Support costs,

Security risks related to compromised credentials.

In fact, 81% [1] of known data leaks are due to weak, reused or stolen credentials. Thus, passwords are the main targets of cybercriminals.

As a result, the issues related to passwords are driving companies to look for other solutions to strengthen security. Combining them with additional authentication technologies and factors is essential.

Evaluation of current authentication methods

One solution is to add additional layers of authentication. There are several possibilities for combining authentication factors. The concept of multi-factor authentication (MFA) is based on the fact that each factor compensates for the weakness of the other in order to enhance security. Traditionally, multi-factor authentication may require two or more of the following components:

Knowledge (what it knows): password, pin code, secret question...

Inherence (what it is): fingerprints, facial and voice recognition, geolocation, behavioral biometrics...

Possession (what it has): tokens, cards, one-time passwords sent by SMS or e-mail...

Two-factor authentication (2FA) is more secure than a simple password, as it requires an additional authentication layer. As a result, 2FA helps reduce the incidence of online fraud, such as identity theft and phishing, because the victim's password is not enough to access information.

However, this method is not foolproof. Although Amazon offers two-factor authentication, in July 2020, several user accounts were hacked. In addition, two-factor authentication degrades the user experience because it is not adapted to a wide range of use cases and situations.

A good MFA strategy needs to be adaptable, intelligent and secure, across endpoints, users and resources. Adaptive authentication balances security and customer experience by implementing context-sensitive, risk-based security policies. That is, it requires an additional layer only when necessary, based on a variety of signals.

Nevertheless, few companies use this method because it has constraints. Indeed, this means of authentication requires more maintenance with issues related to the management of data storage, confidentiality and consent.

A strong trend related to mobile authentication is to “enroll” the phone to become one of the factors of MFA. This concept allows the user to obtain real-time authentication, which can meet both security and availability requirements. In this case, the smartphone becomes the access key and an extra step in the MFA. In the ideal design, all authentication data is encrypted and stored locally on the user's device, where it can only be accessed by the mobile authenticator.

The dominance of biometric authentication

It is also important to consider the level of security when choosing the authentication method and associated factors. Among the authentication factors, biometrics quickly emerged as the most relevant. This method allows people to be reliably and quickly identified and authenticated based on unique biological characteristics.

But today, biometrics is mainly used as a component of MFA. Because even though biometrics enhances security, it can lead to more serious consequences in the event of a data breach. If a password is compromised, it can be changed. Biometric data, on the other hand, always remains the same. The question that arises here is how to recover one's compromised identity.

In Asia and the United States, the adoption of mobile and biometric authentication methods is faster than in Europe because in Asia, there is a massive deployment of cell phones for banking or payment type uses. Whereas in Europe, the most widely used method is OTP (One-Time-Password), either to confirm a payment or to change a password or address, for example.

Finally, a world without passwords ?

Although dual-factor and adaptive multi-factor solutions provide enhanced security, they still remain password-based methods with the risk that the device may be compromised. Given the security risks and usability problems of passwords, there are therefore good reasons to move to password-free authentication. To maximize security while minimizing friction points for users, vendors are promoting passwordless authentication as a solution to achieve this balance.

The principle of passwordless authentication is a single or multi-factor authentication that replaces the password with a more secure factor such as a biometric factor or PIN code. Passwordless technologies for consumers generally fall into two categories:

  • Biometrics
  • Device authentication that allows access from authorized and controlled devices.

Password-free authentication is based on the FIDO2 standard, the latest specification of the FIDO Alliance (Fast Identity Online). This non-commercial alliance is created to develop standards for secure authentication on a global level. As a result, the FIDO2 standard, promoted by the authentication ecosystem such as GAFA and digital protection providers, facilitates the transition to passwordless authentication.

In conclusion, even if users do not all have the same level of maturity on mobile and biometric authentication and even if passwords remain the most widespread method despite its commonly accepted weaknesses, the transition to password-free authentication is well underway. Its adoption and widespread use depend heavily on the movements of the GAFA, but also leaves room for telecom operators and other digital players.

[1] 2020 Data Breach Investigations Report, Verizon

/media/images/contacts/bloggeurs/mai-phuong-bui.png

Mai Phuong Bui

Strategic Marketing Consultant