This article was published on September 2, 2017

The password needs to die and better UX will kill it



For a vestige of the past, the password has managed to hold on and remain alive — even though some of the top people in computing said that it had already died over a decade ago. In one of his more famous predictions, Microsoft founder Bill Gates said that passwords were on the way out already in 2004. Problem is that Gates, for all his wisdom, didn’t tell us what to use to replace passwords.

“There is no doubt that over time, people are going to rely less and less on passwords,” Gates said at the RSA conference in 2004. “People use the same password on different systems, they write them down and they just don’t meet the challenge for anything you really want to secure.” How prescient he was, it turns out. There were hackers back in 2004, but hacking was nothing like the major international industry it is today — responsible for tens of billions in losses every year, and endangering businesses large and small.

That there is more than mere correlation between the ubiquity of password authentication and the high levels of hacking today is clear from a Verizon study, which shows that four out of every five hacking-related data breaches are due to stolen passwords or misused credentials. It’s a grim statistic, but one that shouldn’t surprise anyone; a study by SplashData shows that the term “password” was the second most stolen password in 2016, right behind “123456” — which means that despite extensive education on password security and endless nagging of users by CISOs and security teams, there are plenty of people who are not listening. And for passwords that aren’t easy to guess, hackers have a slew of tools — from phishing e-mails to malware like keyloggers — that let them steal what they want.

With all their drawbacks, passwords have remained popular mostly because people are used to them. User experience, it turns out, is a major driver of security for users. To replace passwords, you need not just tight security (any new solution should outdo passwords as a protection system), but a positive user experience as well.

There is just one method that fits both bills — password-free mobile push-based authentication systems, usually in the form of apps that do the authentication automatically, with no excessive demands on users. Push authentication involves sending a notification (via a secure network) to a user’s device when accessing a protected resource. With push, possession of the device itself becomes a prime method of authentication — and if you add a secondary authentication element (passcode, gesture or biometrics), you have an almost foolproof authentication system that is far stronger than password authentication, and easier to use.

1) A friendly user experience

Insecure as passwords may be, online services and network administrators just can’t seem to give them up. Why? It’s probably due to ennui. Although a user has to devise, remember, and type in a password — which seems like a lot of work — they are used to how password authentication works, and they’ve made passwords a part of their routine.

So any authentication system that seeks to step up and replace the password needs to be easier to use than passwords (i.e. no devising, remembering or typing needed), as well as more secure.

Among the candidates for a more secure and user-friendly experience are biometrics (Apple, for example, has adopted the use of thumbprints to authenticate users of iOS devices). In a biometrics-based authentication system, all a user has to do is touch the device. However, according to NIST (the US National Institute of Standards and Technology), biometrics alone is not the way to protect a system. Biometrics, says NIST, “shall be used with another authentication factor;” as an authentication system, it is not accurate enough to stand on its own.

NIST further states that biometric characteristics “do not constitute secrets. They can be obtained online or by taking a picture of someone with a camera phone (e.g. facial images) with or without their knowledge, lifted from objects someone touches (e.g. latent fingerprints), or captured with high resolution images (e.g. iris patterns).”

Another potential candidate to replace passwords — and a very strong one at that — is hardware tokens. But again, user experience is an issue; carrying around a token in order to connect as needed is a hassle. What about text messages — where a user types in a four-digit code sent by a site to a device via SMS? While easier to remember than passwords, this method too is insecure, says NIST, which is why the industry is increasingly shifting away from this method of authentication.

2) Strong security

The primary reason passwords are so problematic is that they constitute a single point of failure (i.e. a point at which a breach could take place that would compromise an organization’s entire security system). If hackers steal/crack/phish their way to a password, the only thing separating them from a user’s data — or a corporate server — is no longer standing in the way.

Any method that we would want to adopt would have to be equipped with more security than is available in password authentication, utilizing multiple channels to authenticate users and/or devices.

To boost security, many organizations have adopted two-factor authentication, usually based on a code sent via SMS. Google has embraced this authentication method; when a user wants to log onto a service or website, they provide their username and password, and the Google Authenticator sends a six-digit password via SMS, based on a shared secret between the device and authentication server. While better than just a single-factor authentication system — especially one based on usernames and passwords — NIST says that as SMS messages can be hijacked, a more secure second-factor authentication method would be preferable.

3) The Great Authenticator (password-free)

Mobile push-based authentication, which enables users to sign on to services with one action, and without passwords, is, perhaps counterintuitively, more effective both in terms of security and user experience. A ‘Great Authenticator’ of this type enables users to access multiple services/domains. The authentication is triggered when the user taps the requested key on their device. There is no need to keep logging in or repeating the authentication; it is passed on for that session to multiple environments.

In a push authentication scenario, a notification (via a secure network) is sent to a user’s device when they access a protected resource. This method verifies the user’s possession of an authenticated device. Initially it is used to verify “something that the user has” (the phone) instead of “something that the user knows,” both valid ways to authenticate. Since it’s reasonable to assume that users protect their devices and close or transfer their accounts when devices are lost or stolen — and possession is not something that can be faked by a hacker — push turns out to be far more secure than passwords or text, while being far easier to use.
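The possession check behind the push flow described above can be sketched as a challenge-response exchange. This is an added example, not code from the article or from any vendor it mentions; the class and function names, the 60-second lifetime, and the use of an HMAC key enrolled on the device (deployed systems commonly use a per-device asymmetric key pair instead) are all assumptions.

```python
import hashlib
import hmac
import secrets
import time

CHALLENGE_TTL = 60  # seconds a push request stays valid (assumed value)


class PushAuthServer:
    """Hypothetical server side of a push login (illustration only)."""

    def __init__(self):
        self.device_keys = {}  # user -> key enrolled on that user's phone
        self.pending = {}      # challenge id -> (user, nonce, expiry)

    def enroll(self, user):
        key = secrets.token_bytes(32)
        self.device_keys[user] = key
        return key             # handed to the device once, at enrollment

    def start_login(self, user, now=None):
        now = time.time() if now is None else now
        cid, nonce = secrets.token_hex(8), secrets.token_bytes(16)
        self.pending[cid] = (user, nonce, now + CHALLENGE_TTL)
        return cid, nonce      # the payload the push notification carries

    def finish_login(self, cid, response, now=None):
        now = time.time() if now is None else now
        entry = self.pending.pop(cid, None)  # single use: a replay finds nothing
        if entry is None:
            return False
        user, nonce, expiry = entry
        if now > expiry:       # stale approvals are rejected
            return False
        expected = device_approve(self.device_keys[user], cid, nonce)
        return hmac.compare_digest(expected, response)


def device_approve(device_key, cid, nonce):
    """Runs on the phone once the user unlocks it and taps Approve."""
    # The response proves possession of the enrolled key for this one
    # login attempt; no reusable secret is typed or sent by the user.
    return hmac.new(device_key, cid.encode() + nonce, hashlib.sha256).digest()
```

Because each response is bound to a fresh nonce and consumed on first use, an intercepted approval cannot be reused for a later login, which is the property a password lacks.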

Realizing that this is where things are headed, Microsoft recently introduced its new Microsoft Authenticator, which uses push authentication, by “shift[ing] the security burden from your memory to your device.” Instead of typing in a password, “which can be forgotten, phished, or compromised,” users simply respond to a push notification when they try to access their Microsoft account. Besides being more secure than a password, push authentication “is easier than standard two-step verification” as well, says the company.

Push-based mobile device authentication is a trend that is already taking hold — and is set to grow, according to Gartner, which says that 50 percent of enterprises using mobile authentication will adopt mobile push as their main authentication method by 2020, compared to the 10 percent who are using it today — a 500 percent increase by the end of the decade.

To a generation of security-challenged users, it sounds almost counterintuitive to get rid of passwords. However, even the longest, most complicated passwords are not as secure as a strong authenticator. For companies and employees, and for web sites and clients, push authentication provides a great leap forward by providing better security that is easier to use.
