It's time for an update of the classic Abbott and Costello “Who's on first” routine, and if the comedy team were still around, they could build a whole routine around – passwords. In that routine, funnyman Lou Costello struggles to figure out that the names of the players - Who, What, I Don't Know, etc - on Bud Abbott's baseball team. It's a piece of comic genius based on the context of how words are used.
So imagine what the team could do with the statistics compiled by SplashData about password usage – which shows that “password” was the second most stolen password in 2016, right behind “123456.” “Password” as a password – it's got all the makings of a comedy classic!
But insecure passwords are no laughing matter – which is why the password is likely to meet its final demise, soon. As the “finger in the dike” against the flood of hack attacks, passwords have proven very ineffective. What will replace them?
Here are some thoughts about the future of authentication in 2017:
Passwords will start to pass away: For years, security experts have slammed passwords, and in its annual prediction of trends, KPMG has declared 2017 the year that passwords finally start to go away. “The security community and the business community are starting to realise that they need a more sophisticated approach to authenticating people and their actions,” said the report.
Will biometrics replace passwords? As passwords begin to fade from the scene, biometrics initially seemed geared to replace them, at least to some extent. According to KPMG, more sites and services will be relying on “biometrics, behavioural analysis and contextual information to make judgments on whether the user really is who they say they are.”
According to the National Institute of Standards and Technology (NIST), biometrics, like passwords, is not strong enough to stand on its own. Its final draft on secure authentication, says that biometrics “shall be used with another authentication factor.” Biometric characteristics, said NIST, “do not constitute secrets. They can be obtained online or by taking a picture of someone with a camera phone (eg, facial images) with or without their knowledge, lifted from through objects someone touches (eg, latent fingerprints), or captured with high resolution images (eg, iris patterns).” Add to that, other risks such as environmental factors, and the possible misuse of biometric data by authorities, biometrics doesn't look like such a panacea. Users will need to be educated on the proper way to use biometrics, and legislation to protect the use of sensitive biometric information might be necessary.
The end of SMS in two-factor authentication: To make single-factor authentication work, users need to do a lot of work – like coming up with long, complicated passwords and changing them frequently. That's difficult for most people, and the alternative that many companies, including Google and Facebook, have come to rely upon – a two-factor authentication system with text messages as the second authenticator – is far from safe, NIST says. In its draft proposal, NIST recommends moving away from SMS as an authentication method, because they were too easy to hack. SMS “doesn't have the strength of device authentication mechanisms inherent in the other authenticators allowable” in NIST standards, according to the agency. For more information, just ask DeRay Mckesson – the Black Lives Matter activist who, thanks to the security faults in 2FA, ended up “endorsing” Donald Trump for President, much to his chagrin.
Instead, industry experts predict that authentication is headed towards push notifications. According to a recent Gartner report, 50 percent of enterprises using mobile authentication will by 2020 adopt OOB mobile push as a mainstay of authentication, compared to just the 10 percent who are using it today. NIST confirms this saying that the push authentication was amongst the most secure methods of authentication available today.
The mobile device will become the first, not second factor authenticator: If passwords won't do the trick, what will? Since human users will always make security mistakes, I believe we will start to involve the users in the authentication process. When the mobile authenticator becomes resilient enough and begins to offer a superior user experience, passwords will stop being a necessity. “Invisible” authentication - in which credentials are protected by biometrics or encrypted methods - can provide users with additional protections that would be virtually impossible for hackers to break through, especially since there are no more credentials for them to capture.
One thing companies need to take into consideration is how to implement strong authentication. For users who are used to relying on passwords, complex authentication factors could be confusing, and self-defeating; they might try to figure out ways around the extra authentication, “automating” the authorisation process like they do with passwords.
Users, of course, will need to be educated about the advantages of seamless and strong authentication, but I believe that such education could be successful; after all, users have gone through a lot of changes in recent years, from the move of software to the cloud to the ubiquity of social media. This would be just one more. If passwords are the Achilles' heel of authentication, agile and strong authentication should make things a lot safer. Once that happens, we'll be able to watch “Who's on First” again and laugh about it - instead of worrying about how just a word or phrase stands between us and cyber-disaster.
If passwords as they are used today are the "finger in the dike" holding back hordes of hackers, that dike is set to get reinforced. And if it happens this year, 2017 will go down as a year where it was the hackers, not the rest of us, who have something to worry about.
Contributed by Raz Rafaeli, CEO and co-founder, Secret Double Octopus
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.