There’s no arguing that passwords are becoming less and less reliable in protecting our data and identities. Their management, protection and memorization are becoming increasingly problematic, and malicious actors have countless ways to steal them, break them, reset them, or get past them.
A study by research firm Gartner shows that 95 percent of Web app attacks make use of stolen passwords.
Multi-factor authentication has long been known to be the solution, but the complexity of its early implementations kept it from gaining traction. Passwords remain the principal method of authentication because of their simplicity and straightforwardness.
That might change in the near future as tech firms and associations such as the FIDO Alliance research and develop simple, unified multi-factor technologies and standards to replace or improve the password experience while, at the same time, avoiding user frustration and annoyance.
Here are some of the technologies likely to reshape the future of user authentication:
KodeKey is a mobile app and Web service combination developed by Puerto Rican startup Qondado LLC. KodeKey is based on the idea that you don’t need to create and remember passwords because you already have all you need to uniquely identify yourself: your phone and your fingerprints.
Biometric authentication has been tried and tested before, but the complications and costs of its previous implementations prevented it from gaining momentum. In contrast, KodeKey’s ease of implementation and use makes biometric authentication practical: it takes advantage of the fact that more and more users own smartphones with fingerprint scanners and a highly secure verification infrastructure.
“We believe the winning solution must be easy for users and integrators as well as provide second factor security within the first factor.” – Edward Robles, CEO, Qondado
An easy-to-use Web service allows user accounts to be registered with the KodeKey server and associated with phone numbers and a PIN. The authentication platform can be integrated into any website via a Web-based API, and there’s a special plugin for WordPress that makes the integration process a breeze.
Each time a user enters their phone number and PIN combination on the site’s login page, a notification is sent to the KodeKey app, which prompts the user to confirm their identity by performing a fingerprint scan on their phone.
According to Robles, KodeKey eliminates the threat of social engineering hacks “by associating a client with their phone number, a PIN and the fingerprint registered to their device,” three factors that can never be found in one place.
LaunchKey is a flexible multi-factor authentication platform that enables users to leverage their own mobile devices in place of traditional passwords or tokens for remote login, real-time authorization, and two-step verification.
Signing up with LaunchKey-authenticated services is as easy as installing the free LaunchKey Mobile app or any other app integrated with LaunchKey’s white label SDK on a tablet or phone.
LaunchKey Engine, the online service that handles the core functionality of the system, can be accessed through a public API, but can also be independently deployed on-premise or within private clouds. No personally identifiable information is stored in the LaunchKey Engine, and sensitive authentication data never leaves the user’s device.
LaunchKey offers a plethora of authentication methods, including fingerprint verification, geo-fencing, pattern codes, and many others. Users can set up and choose any one or a combination of these options based on their needs, while applications can set up policies to enforce the level of security they require, which provides maximum flexibility.
“For instance,” explains Geoff Sanders, LaunchKey’s CEO and cofounder, “when a company wants to limit access to some of its accounts exclusively to its office buildings, they can place a geo-fence around their corporate campus while forcing employees to authenticate with a fingerprint scan. In this manner, accounts can only be accessed by users who have devices associated with those accounts, can verify their fingerprint and are physically located within the set geographical boundary.”
Applications can also send authorization requests to users when suspicious of account breaches or when wanting to proceed with critical and sensitive actions, such as payment transaction approvals.
Clef tackles two-factor authentication from a different perspective. It uses a smartphone camera, a waveform image, and an asymmetric key combination to verify the identity of the user.
When users sign up with a service that is backed by Clef, they associate their phone with their account. Subsequently an asymmetric key is produced, the public part of which is stored on the Clef server and the private part on the user’s phone.
Clef’s main point of strength is its ease-of-use, which some describe as “magical.”
Login is initiated when the user enters a Clef-backed service’s login page, after which a waveform image is displayed on the screen. Users only have to hold up their phone to capture the image with their handset’s camera, and leave the rest to the Clef mobile app, which digitally signs the waveform image’s contents with the phone’s private key and sends it back to the server. Account access is granted after the server verifies the signature with its public key.
The use of a public/private key pair is a reliable method that mitigates the threat of man-in-the-middle attacks, one of the banes of password-based logins. It also eliminates the threat of identity theft in case of server breaches, because no critical user information is stored on the server side.
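The challenge/response flow described above, written out as an added example that is not Clef’s own code or protocol: the server keeps only each account’s public key, issues a fresh random challenge (the role the waveform plays in Clef), the phone signs it with a private key that never leaves the device, and the server verifies the signature and then discards the challenge so it cannot be replayed. Ed25519, the account name, the 30-second validity window and the `Server`/`Phone` types are all assumptions made for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Server holds, per account, nothing more sensitive than a public key, plus the
// set of challenges it has issued and not yet seen answered. (Constructed model;
// the real Clef service's data layout is not described on the page.)
type Server struct {
	pubKeys    map[string]ed25519.PublicKey // account -> registered public key
	challenges map[string]time.Time         // hex(challenge) -> expiry
	ttl        time.Duration
}

func NewServer(ttl time.Duration) *Server {
	return &Server{
		pubKeys:    map[string]ed25519.PublicKey{},
		challenges: map[string]time.Time{},
		ttl:        ttl,
	}
}

// Register stores only the public half of the device's key pair.
func (s *Server) Register(account string, pub ed25519.PublicKey) {
	s.pubKeys[account] = pub
}

// NewChallenge is what the on-screen image would encode: 32 random bytes that
// are valid once, for a short time.
func (s *Server) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.challenges[hex.EncodeToString(c)] = time.Now().Add(s.ttl)
	return c, nil
}

// Login checks that the signature over the challenge was made by the key
// registered for the account. The challenge is consumed on first use whether
// or not verification succeeds, which is what defeats replay of a captured answer.
func (s *Server) Login(account string, challenge, sig []byte) error {
	key := hex.EncodeToString(challenge)
	expiry, ok := s.challenges[key]
	if !ok {
		return errors.New("unknown or already-used challenge")
	}
	delete(s.challenges, key)
	if time.Now().After(expiry) {
		return errors.New("challenge expired")
	}
	pub, ok := s.pubKeys[account]
	if !ok {
		return errors.New("unknown account")
	}
	if !ed25519.Verify(pub, challenge, sig) {
		return errors.New("bad signature")
	}
	return nil
}

// Phone models the device side: the private key is generated on the device and
// only signatures ever leave it.
type Phone struct {
	priv ed25519.PrivateKey
}

func NewPhone() (*Phone, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Phone{priv: priv}, nil
}

func (p *Phone) PublicKey() ed25519.PublicKey {
	return p.priv.Public().(ed25519.PublicKey)
}

// Sign is what the app does once the camera has decoded the challenge.
func (p *Phone) Sign(challenge []byte) []byte {
	return ed25519.Sign(p.priv, challenge)
}

func main() {
	srv := NewServer(30 * time.Second)
	phone, _ := NewPhone()
	srv.Register("alice", phone.PublicKey())

	challenge, _ := srv.NewChallenge()
	sig := phone.Sign(challenge)
	fmt.Println("first login:", srv.Login("alice", challenge, sig))
	fmt.Println("replayed:   ", srv.Login("alice", challenge, sig))
}
```

The design choice worth noticing is that the server deletes the challenge before it verifies the signature: a captured answer is worthless after the first attempt, and an attacker who dumps the server database gets only public keys, which is the property the paragraph above credits to Clef.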
Clef is currently powering more than 100,000 sites, and is fast becoming a favorite among Bitcoin distribution firms.
British tech startup MIRACL offers the M-Pin crypto application, a PIN and software token authentication protocol, as a substitute for traditional passwords. M-Pin combines a user-selected PIN of between 4 and n digits with a related software token to create a unique key, which runs a zero-knowledge proof authentication protocol against its server.
M-Pin stores no passwords or other shared secrets on the server, which according to Brian Spector, the company’s CEO, “will make password smash n’ grab attacks a thing of the past.” Instead, it stores a key, which is split in two parts and stored on two servers, one belonging to the application server and the other to MIRACL, a measure that further complicates identity theft. “No personal information is stored on servers,” Spector says.
When registering with M-Pin-enabled services, users select a PIN and associate either their desktop browser or a mobile device with their account, in which the second factor token is stored. Afterwards, accounts can only be logged into with the device that contains the token.
M-Pin has already been slated as the authentication technology to power a government-led project that will provide driving license renewal and tax form filling services to millions of UK citizens.
Yubico has long been known as one of the leading manufacturers of physical USB keys for desktop computers, and its YubiKey devices have been endorsed and adopted by quite a few leading tech companies, including Google, Dropbox and GitHub.
Now the tech firm intends to take physical two-factor authentication to the next level with YubiKey Neo, its brand new NFC-enabled physical key that can act as a second factor on mobile devices.
YubiKey Neo is used by being held against the back of an NFC-enabled phone and pressed to confirm user authenticity during login. The key generates a login code specific to the user and service at hand each time it’s pressed.
YubiKey Neo also offers the same features as the YubiKey 4, which means the device can also be plugged into desktop computer USB ports to be used as a normal physical USB key during logins.
The key stores no personal details, and once it is linked to an account, anyone with your credentials will also need the physical key to log in to your account.
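To show how a device that emits a fresh login code on every press can be checked by the service without the code being reusable, here is an added example that is not Yubico’s code and does not reproduce the YubiKey’s own OTP format: it uses the HOTP scheme from RFC 4226 as a generic stand-in for a counter-based press code. The `Token`, `Verifier`, the 6-digit length and the look-ahead window of 5 are assumptions of this illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

// HOTP computes an RFC 4226 one-time code: HMAC-SHA1 over the big-endian
// counter, dynamically truncated to the requested number of decimal digits.
func HOTP(secret []byte, counter uint64, digits int) string {
	msg := make([]byte, 8)
	binary.BigEndian.PutUint64(msg, counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg)
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	bin := (uint32(sum[offset])&0x7f)<<24 |
		uint32(sum[offset+1])<<16 |
		uint32(sum[offset+2])<<8 |
		uint32(sum[offset+3])
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, bin%mod)
}

// Token models the physical key: a secret sealed inside the device and a
// press counter that only ever moves forward. (Constructed model.)
type Token struct {
	secret  []byte
	counter uint64
}

// Press returns the code for the current counter and advances it, so the same
// code is never produced twice.
func (t *Token) Press() string {
	code := HOTP(t.secret, t.counter, 6)
	t.counter++
	return code
}

// Verifier models the service: it shares the secret, remembers the last
// accepted counter, and allows a small look-ahead window so presses that never
// reached the server (pressed by accident, or lost in transit) do not lock the
// user out. (Constructed model.)
type Verifier struct {
	secret  []byte
	counter uint64
	window  uint64
}

// Check accepts a code only if it matches a counter at or ahead of the last
// accepted one, then moves past it, so replaying an accepted code fails.
func (v *Verifier) Check(code string) bool {
	for i := uint64(0); i <= v.window; i++ {
		c := v.counter + i
		if hmac.Equal([]byte(HOTP(v.secret, c, 6)), []byte(code)) {
			v.counter = c + 1
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // RFC 4226 test-vector secret, constructed input
	tok := &Token{secret: secret}
	srv := &Verifier{secret: secret, window: 5}
	code := tok.Press()
	fmt.Println(code, srv.Check(code), srv.Check(code)) // second Check is a replay and fails
}
```

The constant-time comparison and the forward-only counter are the two details a verifier of press codes must get right: a code that has been accepted, or that lies behind the current counter, is never valid again, which is what makes possession of the physical key necessary even for someone who has captured an earlier code.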
For the moment, it’s safe to say that our password days are far from over. Yet we’ve come a long way toward developing solutions to the many threats that are plaguing our online lives and identities.
These promising new technologies are making inroads into mitigating these threats by avoiding the storage of critical secrets on servers and by using multiple factors to verify and authenticate users, while at the same time remaining simple for end users.