Each year on World Password Day, I wonder whether this year's will be the last. After all, passwords are an insufficient means of protecting what's important to us. When you look at major breaches, they frequently involve bad guys using someone's username and password to get into a trusted account and do untrusted things.
It's time for passwords to fade away as our primary means of authentication – I believe that the idea of using passwords to access your accounts will soon seem as antiquated as waiting in line at the bank to withdraw cash from a teller. After all, passwords are static – they only change when either the user or the online provider decides they need to be changed. We need something more dynamic, that can adapt to the risk in a given situation.
Getting to this better future requires some work and changes in habits, of course. The answer is to move away from password authentication to a model of frictionless, multi-factor authentication.
There are a few challenges, and most of them relate to the user experience. First, passwords are familiar and convenient to many users. Second, multi-factor authentication is sometimes portrayed as complicated or confusing to the average user. That doesn't have to be the case.
When I talk about multi-factor authentication, I'm not talking about texting you a code to prove your identity. I'm talking about dynamic multi-factor authentication (MFA), which uses context to determine how much you (or the person or device trying to access your account) can be trusted. For example, dynamic MFA can (invisibly) perform dynamic measurement of what you're doing, how you're doing it, where you are, and so forth and use that context to reduce, or even eliminate, the amount of “in your face” authentication that is required.
From a business perspective, this approach of dynamic multi-factor authentication makes a lot of sense because it helps make the right things easy, and the wrong things difficult. Dynamic MFA increases trust between you and your users, while minimising the amount of effort required. From a user perspective, this approach gets closer to the “it just works” model they want, and doesn't lead to the frustration of overly complex password policies (or the risk of using “password123” on every account because anything else seems too complicated).
We need to celebrate World Authentication Day instead – I've got it on my calendar for next year. Do you?
Contributed by Dwayne Melancon, VP of product, iovation
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.