Passwords and The Evolution of Imperfect Authentication

In a constant effort to stay ahead of hackers and fraudsters, authentication technology evolves constantly and quickly, and the latest method becomes outdated in just a few years. The industry has moved from basic passwords to one-time passwords (OTPs), time-based one-time passwords (TOTPs) and multi-factor authentication. Given that constant change, it is only natural to ask where the next step in authentication is headed.

The future of authentication is a solution that strongly authenticates users across all devices and channels without compromising the user experience.

In this article we’ll discuss the progression of passwords and authentication, and discover the breakthrough technologies emerging that will lead the charge for secure authentication.

Are passwords dead?

No. But they should be. Since the 1960s, passwords have been the default method by which users authenticate themselves to a device or service. It's a well understood concept even for the non-technical minded among us (Hi Mom!) and requires no hardware. While their simplicity and familiarity are a huge strength, passwords are inherently insecure. Despite their bad reputation, passwords are still very much in use, leaving the security of a company at the mercy of its users' creativity and memory.

The weaknesses of passwords are both technological and human. To check a password, the server must hold a verifier for it in some central store (at best a salted, slow hash; at worst the password itself), and the user must transmit the secret on every login, so both the store and the login channel are targets. On top of that, a user has to keep track of (and memorize) a multitude of logins and passwords; the average employee manages around 200 of them. To cope, users fall back on bad password hygiene such as reuse and predictable patterns, which leaves inviting cracks for attackers in the form of password guessing.

It’s not surprising to learn that, according to the 10th edition of the Verizon Data Breach Investigations Report, 81% of hacking-related breaches leveraged stolen and/or weak passwords.

There has long been an industry push to move away from passwords, and while there have been many attempts, each new iteration comes with its own pros and cons.

Authentication takes a leap forward with OTPs

Moving from passwords to one-time passwords (OTPs) means authentication no longer rests solely on one memorized secret. In the common two-factor authentication (2FA) setup the server sends a short code by SMS that is valid for a single login attempt. In the standardized variants, HOTP (RFC 4226) and TOTP (RFC 6238), the code is an HMAC over a shared secret and either a counter of previous logins or the current time window, so each value is unique and short-lived. OTPs do add another layer, but the server cannot tell who typed the code or where: a code entered on a convincing phishing page verifies just as well as one entered on the real site, and SMS delivery adds SIM swapping and other social engineering attacks against the carrier. More factors, then, does not necessarily mean more secure.

The road to biometric authentication

In contrast to the older measures mentioned above, WebAuthn, the W3C standard developed with the FIDO Alliance as part of FIDO2, brings a stronger authentication mechanism. It defines a browser API that web applications call, and the companion CTAP protocol carries those requests to external authenticators such as security keys. The driving force behind the approach is to increase the security of the authentication process by replacing or complementing password-based authentication while remaining convenient for end users.

WebAuthn is public-key authentication rather than a password: at registration the authenticator creates a key pair for that site and the server stores only the public key, and at login the server sends a random challenge that the authenticator signs with the private key. Biometrics (fingerprint, face scan, and less common modalities such as retina or vein scans) or a PIN serve only to unlock the private key on the device; the biometric itself never leaves the device and is never sent to the server. This makes it a step in the right direction for enterprises looking for more secure methods of authentication, and the technology, which might once have seemed futuristic, is already part of daily life: Apple devices with Touch ID and Face ID and Windows Hello unlock with a fingerprint or facial recognition. A huge draw of biometrics is convenience and ease of use.

According to Jesse McWaters from the World Economic Forum, "Biometric authentication has the potential to simultaneously streamline users' digital experiences while also improving the security of their personal data."

However, there are issues when it comes to rebinding. A WebAuthn credential is bound to the authenticator that created it, so every time a user replaces a device a new credential has to be registered to the account. That re-enrollment often falls back to weaker authentication such as an OTP, and cyber criminals target exactly that fallback. Many enterprises experience this issue. A related limitation is that WebAuthn alone does not cover other channels: it authenticates a browser or app session, not a phone call to a call center or an in-store interaction. Without a unified authentication experience across all channels, enterprises are susceptible to cross-channel attacks, where the attacker simply moves to whichever channel is weakest.

Upgraded modes of operation with authenticator apps

Authenticator apps are a strong contender for an enterprise-grade method of authentication. Their OTP codes and push notifications are tied to the device (rather than to a phone number), and code generation works without network service or data. Because the codes are computed on the device from a shared secret and the current time, nothing travels over SMS, so SIM swapping and message interception no longer apply, and each code expires within seconds. Authenticator apps like Google Authenticator and Authy may tackle the cross-channel usability that WebAuthn alone cannot provide, but adoption rates suffer.

Application fatigue sets in hard when the average consumer already has about 80 apps installed on their device. Knowing this, expecting customers to download yet another app is unrealistic. Plus, traditional authenticator apps don't solve the issue of portability.

The future of customer authentication

Until now, biometric authentication was seen as the way forward in the identity and security sphere. Biometrics are great and really convenient, but alone they are not effective enough for enterprises to rely on. Used in combination with new technologies that make the overall method cohesive and robust, however, they could be a suitable solution. What if you could have an authentication method that uses the convenience of biometrics, is portable between devices and is strong enough to properly authenticate users?

Transmit Security has pioneered the future of authentication with its latest solution that provides a truly passwordless and portable authentication experience. Using device-based biometrics, BindID allows for reliable and consistent authentication across every channel and device for all users. The perception that authentication is a trade-off between enterprise security and end user convenience is dispelled with BindID.

Enterprises can strongly authenticate customers with a simple yet unified user experience that doesn't require a username and password. No application download is needed; it relies instead on the standard biometrics built into the device. And unlike previous authentication methods, the mobile app-less authenticator allows for identity portability across all devices and channels, meaning enterprises can quickly and securely register new devices.

BindID enables strong portable authentication for all your users

BindID allows users to seamlessly extend trust to other biometrically enabled devices, creating a secure shared network of trust. Using true passwordless security you can authenticate users on any web or mobile application using built-in biometrics. Need to register a new device? The BindID Network of Trust extends trust throughout a user's devices, allowing for a hassle-free and safeguarded re-registration process. Call centers are now able to prevent account takeover and securely authenticate users with biometrics instead of knowledge-based questions or OTPs. And whether online or in-store, customers can enjoy and benefit from a unified authentication experience using BindID.

Within this network of trust, information can securely be shared between members. This way, regardless of whether a user logs into an account once a week or a different account once a year their data will remain up-to-date.

In conclusion, the future of authentication is secure, portable authentication for all your users: a mobile app-less authentication experience powered by a network of trust.