The demise of the password has been picking up speed since Bill Gates sounded its death-knell in 2004. While famed as one of the oldest security tools in the world of software and the internet, passwords are increasingly letting users down as the gatekeeper of our most valuable information.
The weak link lies in poor password management – particularly, password fatigue. We each have a multitude of online accounts, from banking and healthcare to internet shopping and social media platforms. The average person has 40 accounts, so remembering a different password for each one is virtually impossible – so people cut corners.
What’s more concerning in the current climate is that while the world is rightfully focused on fighting Covid-19, hackers are taking advantage to launch spear-phishing and phishing attacks using information on the virus as a lure.
We estimate that more than 50% of newly created domain names linked to the virus can lead to the injection of malware. With this being the case, there is a growing need for companies to educate employees on the responsibility they have online when it comes to the security they use to protect their data.
However, despite increased security concerns and warnings against using easy-to-guess static passwords, ‘123456’, ‘qwerty’ and even ‘password’ are still the most popular combinations, according to a study by SplashData of more than five million passwords, while Verizon’s 2019 data breach investigation report revealed four out of five users reuse the same password time and time again.
It’s no surprise then that 81% of hacking-related breaches come from weak, stolen or reused passwords, according to Verizon. The simple password spray attack tries the same password against a very large number of usernames until it finds a match. With static passwords that never change and are easily guessable, it essentially means hackers will get in eventually.
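The spray pattern described above is recognisable in authentication logs precisely because it is spread thin across accounts: many usernames, one or two failures each, from a single source. The following detection logic is an added example, not code from the article or from Thales; the log line format and the sample log are constructed for illustration, and the thresholds (five distinct users, at most two failures per user, a ten-minute window) are assumptions.

```python
"""Detect password-spray patterns in constructed authentication logs.

Added example, not part of the original article. The log format is invented:
"<ISO timestamp> <OK|FAIL> user=<name> src=<ip>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: 203.0.113.5 tries five different users once each
# (a spray) and then succeeds as 'frank'; 198.51.100.9 hammers one account
# (classic brute force, not a spray); 192.0.2.44 is ordinary traffic.
SAMPLE_LOG = """\
2020-04-01T09:00:01Z FAIL user=alice src=203.0.113.5
2020-04-01T09:00:02Z FAIL user=bob src=203.0.113.5
2020-04-01T09:00:03Z FAIL user=carol src=203.0.113.5
2020-04-01T09:00:04Z FAIL user=dave src=203.0.113.5
2020-04-01T09:00:05Z FAIL user=erin src=203.0.113.5
2020-04-01T09:00:06Z OK user=frank src=203.0.113.5
2020-04-01T09:00:07Z FAIL user=alice src=198.51.100.9
2020-04-01T09:00:08Z FAIL user=alice src=198.51.100.9
2020-04-01T09:00:09Z FAIL user=alice src=198.51.100.9
2020-04-01T09:00:10Z FAIL user=alice src=198.51.100.9
2020-04-01T09:00:11Z FAIL user=alice src=198.51.100.9
2020-04-01T09:05:00Z OK user=bob src=192.0.2.44
2020-04-01T09:30:00Z FAIL user=carol src=192.0.2.44
"""


def parse_line(line):
    """Split one constructed log line into a dict of its fields."""
    ts, result, user_kv, src_kv = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "ok": result == "OK",
        "user": user_kv.split("=", 1)[1],
        "src": src_kv.split("=", 1)[1],
    }


def detect_spray(log_text, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Return one alert per source that fails against many distinct users inside `window`.

    A spray is told apart from single-account brute force by the spread of
    failures: many users, few attempts each, from one source. Each alert also
    lists any account that source successfully logged into after the spray
    began, which is the case an analyst needs to act on first.
    """
    events = [parse_line(ln) for ln in log_text.splitlines() if ln.strip()]
    failures_by_src = defaultdict(list)
    for e in events:
        if not e["ok"]:
            failures_by_src[e["src"]].append(e)

    alerts = []
    for src, fails in failures_by_src.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it covers at most `window`.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            per_user = defaultdict(int)
            for e in fails[start:end + 1]:
                per_user[e["user"]] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                succeeded_as = [e["user"] for e in events
                                if e["ok"] and e["src"] == src
                                and e["ts"] >= fails[start]["ts"]]
                alerts.append({
                    "src": src,
                    "distinct_users": len(per_user),
                    "window_start": fails[start]["ts"],
                    "succeeded_as": succeeded_as,
                })
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(SAMPLE_LOG):
        print(alert)
```

The brute-force source (five failures on a single account) is deliberately not flagged by this rule; it would be caught by a per-account lockout or a separate rule, whereas a spray stays under per-account thresholds and is only visible when failures are grouped by source.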
As more businesses wise up to the risks to online security, we’re seeing tech converge to create alternatives for ID validation, and there is already a range of options available, offering both effective security and a convenient user experience. By 2022, Gartner is predicting that 60% of large and global businesses will have brought in passwordless authentication – a massive jump from the current 5%.
So, while the conventional password edges closer to retirement, and the risk of security threats grows each day, there is no time to delay in rolling out alternatives across your business. With so many options already available, the future of passwordless authentication is looking bright, but what possibilities are out there?
The characteristics of a device can themselves be used as a form of password – if the network, the device and its location all line up with the user’s regular behaviour.
These characteristics create a ‘digital fingerprint’, and if unusual activity is detected – such as logging in from an unexpected place or using someone else’s computer – access will be denied or the account will trigger a security check, like sending an email security alert or push notification.
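The check described above can be expressed as a small risk-scoring step in front of the login: hash the stable device attributes into a fingerprint, compare it and the network and country against what is already known for the user, and decide between allowing the login, stepping up to a push notification or alert, and denying. This is an added example, not the article’s or Thales’ code; the profile fields, the weights and the score thresholds are assumptions, and the user profile and sample logins are constructed.

```python
"""Risk-based login decision built on a device 'digital fingerprint'.

Added example, not from the article. Profile fields, weights and thresholds
are assumptions chosen for illustration.
"""
import hashlib
import ipaddress


def fingerprint(device):
    """Hash the stable device attributes into an opaque, comparable fingerprint."""
    canonical = "|".join(f"{k}={device[k]}" for k in sorted(device))
    return hashlib.sha256(canonical.encode()).hexdigest()


# Constructed profile: what 'regular behaviour' looks like for one user.
KNOWN_DEVICE = {"os": "Windows 10", "browser": "Firefox 75",
                "screen": "1920x1080", "tz": "Europe/Paris"}
PROFILE = {
    "alice": {
        "devices": {fingerprint(KNOWN_DEVICE)},
        "networks": [ipaddress.ip_network("198.51.100.0/24")],  # constructed office range
        "countries": {"FR"},
    }
}


def assess_login(user, device, src_ip, country, profile=PROFILE):
    """Return (decision, reasons) where decision is 'allow', 'step_up' or 'deny'.

    Each signal that deviates from the user's profile adds to a risk score;
    a low score means a step-up check (push notification or e-mail alert),
    a high score means the login is refused outright.
    """
    p = profile[user]
    reasons = []
    score = 0
    if fingerprint(device) not in p["devices"]:
        reasons.append("unknown device")
        score += 2
    ip = ipaddress.ip_address(src_ip)
    if not any(ip in net for net in p["networks"]):
        reasons.append("unknown network")
        score += 1
    if country not in p["countries"]:
        reasons.append("unusual country")
        score += 2
    if score == 0:
        return "allow", reasons
    if score <= 2:
        return "step_up", reasons
    return "deny", reasons


if __name__ == "__main__":
    # Constructed logins: from the office, from home, and from a stranger's machine abroad.
    print(assess_login("alice", KNOWN_DEVICE, "198.51.100.23", "FR"))
    print(assess_login("alice", KNOWN_DEVICE, "203.0.113.7", "FR"))
    other = dict(KNOWN_DEVICE, os="macOS 10.15", browser="Safari 13")
    print(assess_login("alice", other, "192.0.2.99", "US"))
```

Note that a fingerprint built from attributes the client reports (browser, screen size, time zone) can be copied, so it is a risk signal used to decide when to ask for more proof, not a proof of identity on its own; that is why the middle outcome is a step-up rather than a silent allow.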
While touch ID has been around for a few years, it still depends on, and can be overridden by, a password. In the future, we could see devices beyond mobiles – laptops, computers, electronic cars and even front doors – open with our touch.
In the meantime, encouraging employees to use fingerprint technology as part of multi-factor authentication, alongside a PIN for example, will provide maximum security.
In the consumer world, online services are increasingly using SMS as a form of verification. Users provide a phone number that is usually pre-linked to an account. When they log in, they submit their phone number and are sent an SMS that they are then required to enter. No password is required.
Taking ID authentication offline with a physical key may feel archaic but it could stop hackers in their tracks. Hardware-based security keys – fitted with USB or NFC connections or Bluetooth capabilities – could be used to switch between iPhones, laptops and computers, safely and securely.
FIDO (Fast IDentity Online) security tokens simply require users to insert their device during login to authenticate their account. This is a convenient solution for workers who move between devices in the office and at home.
Through cryptographic connections, identity verification could rest in the hands of peers. Using established relationships with colleagues, workers could vouch for each other, providing permission to access accounts.
Researchers have developed a way to use people’s heartbeat patterns for security purposes. Through wearable devices, the technology can monitor people’s heartbeats and use an electrocardiogram to turn them into unique keys that could unlock phones or open apps.
As the next step in iris recognition software, a gesture-based system would allow users to open their phones or log onto their bank accounts based on their eye movement.
Identifying blinking as part of a pattern, this biometric password could be rolled out across all mobile devices and computers in the future.
Instead of asking for a passcode, a computer could measure the brainwaves of a user wearing an electroencephalogram headset. Sensors would scan for brain activity, which could then be used to trigger a certain software action, such as unlocking a mobile device.
The slow death of the password has been part of security conversations for the past two decades, but with little in the way of alternatives. Now with the dawn of passwordless authentication, there is simply no excuse to go back to the static password that can be easily guessed.
More options are available than ever before – from two-factor verification to biometrics and hardware keys. Now is the time to take action and make changes to ensure your company, and the valuable data it holds, is protected.
Francois Lasnier is vice-president of access management solutions at Thales.