David Orrell, application architect at OpenAthens, discussed the future of authentication and the use of passwords on the internet in one of our latest webinars.
The session was framed around the question of whether passwords are still appropriate as a means for authentication in 2020.
David began by noting that although passwords have mostly been used online over the last 20 years, the first computer password is believed to have appeared in 1961, in MIT’s Compatible Time-Sharing System (CTSS), through the work of Fernando Corbató.
Quoting the web comic XKCD – “through 20 years of effort, we’ve successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess” – David noted the first flaw in passwords as a means of authentication.
Strength in numbers?
Looking at how things have changed, David went on to describe the ways in which websites began trying to ensure strong passwords.
‘Poor to strong’ gauges and the requirement for a combination of letters, numbers and symbols are a few of the familiar techniques companies deployed to this end.
On top of this, a requirement to change your password more regularly has become commonplace.
Acknowledging the complexity of the space, he went on to say that the security environment has had to keep pace with an increase in hacking attempts, and that this in turn has degraded the end user experience.
Research from Oxford University has found that active internet users have 90 accounts on average. This high number led to password re-use becoming the norm, which makes enforced strength and reset policies ineffective.
This began costing businesses a lot of time and money, in the form of helpdesk queries and password reset requests, as well as the huge financial damage caused by data breaches.
Second factor authentication
Talk then moved to the steps companies such as banks began to take to secure access online. When internet banking became mainstream, second factor authentication (2FA) was introduced, where another layer of identification was required on top of the password.
Ultimately, these mechanisms are just a different type of password. Although they are necessary to make access to money secure, they are just adding to the problem of multiple passwords.
Orrell concluded that 2FA is not a universal solution: sending out small banking devices that generated security codes was expensive to deploy, the fiddly nature of the devices made for a bad user experience and, in the end, they were still phishable.
A solution to these problems would be something that was:
- Easier for users than using passwords
- Resistant to phishing
- Standardized: Multi-vendor, multi-device, multi-platform
- Deployable easily… and everywhere
Looking for a solution
The webinar then looked at what has been done in the way of advancements and developments, to try and improve things.
2019 saw the conclusion of years of work in this area, the result of a collaboration between companies: WebAuthn together with FIDO2.
WebAuthn is a Web API that allows developers to add strong authentication to their websites easily, and FIDO2 (Fast IDentity Online) is a universal means of strongly authenticating users.
Looking at how things are now, David claimed that the situation is looking better, with all of the major browsers supporting these standards.
How it works
These new standards are now split into two main types of authentication: Platform Authenticators and Roaming/External Authenticators.
The first requires the necessary technology to be built into the platform or device that you are logging on to, for example a fingerprint scanner or face ID scanner.
Roaming Authenticators have been around for longer and take the shape of USB devices that can generate secure authentication tokens as soon as they are connected. This is a more suitable solution for when a device doesn’t have the technology for the previous method.
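As an added example (not code from the webinar or from OpenAthens), the JavaScript below shows how a site asks for one authenticator type or the other when registering a WebAuthn credential, and the relying-party check on the signed client data that makes the result resistant to the phishing that one-time codes are not. The relying-party id "example.org", the expected origin and the sample client data are constructed values.

```javascript
// Added example, not from the webinar or OpenAthens. The relying-party id
// "example.org", the expected origin and the sample clientDataJSON are constructed.
const COSE_ES256 = -7;   // ECDSA P-256 with SHA-256
const COSE_RS256 = -257; // RSASSA-PKCS1-v1_5 with SHA-256
// Build the PublicKeyCredentialCreationOptions passed to
// navigator.credentials.create({ publicKey: ... }). "platform" asks for the
// device's built-in authenticator (fingerprint or face sensor); "cross-platform"
// asks for a roaming authenticator such as a USB security key.
function buildCreationOptions({ rpId, userId, userName, challenge, attachment }) {
  if (attachment !== "platform" && attachment !== "cross-platform") {
    throw new Error("attachment must be 'platform' or 'cross-platform'");
  }
  return {
    rp: { id: rpId, name: rpId },
    user: { id: userId, name: userName, displayName: userName },
    challenge, // fresh random bytes minted by the server for this one ceremony
    pubKeyCredParams: [
      { type: "public-key", alg: COSE_ES256 },
      { type: "public-key", alg: COSE_RS256 },
    ],
    authenticatorSelection: {
      authenticatorAttachment: attachment,
      userVerification: "required", // PIN or biometric on the authenticator itself
    },
    timeout: 60000,
    attestation: "none",
  };
}

function b64urlDecode(s) {
  return Buffer.from(s.replace(/-/g, "+").replace(/_/g, "/"), "base64").toString("utf8");
}

// Relying-party check of the clientDataJSON the authenticator signs over. The
// browser, not the page, fills in "origin", so a credential created on a
// look-alike domain can never pass here: this is the phishing resistance the
// webinar lists as a requirement, and one a code-generating device cannot offer.
function verifyClientData(clientDataB64url, expectedChallenge, expectedOrigin) {
  const data = JSON.parse(b64urlDecode(clientDataB64url));
  const problems = [];
  if (data.type !== "webauthn.create") problems.push("type");
  if (data.challenge !== expectedChallenge) problems.push("challenge");
  if (data.origin !== expectedOrigin) problems.push("origin");
  return { ok: problems.length === 0, problems };
}

// Constructed sample of what a browser would produce at https://example.org.
const SAMPLE_CHALLENGE = "c2FtcGxlLWNoYWxsZW5nZQ";
const sampleClientData = Buffer.from(JSON.stringify({
  type: "webauthn.create", challenge: SAMPLE_CHALLENGE, origin: "https://example.org",
})).toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
```

The same challenge and origin checks apply to the `webauthn.get` client data of a later login, with the challenge compared against the one issued for that specific login attempt.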
The scope of these standards is deliberately narrow and will not replace aspects such as federated access and single sign-on. These changes focus specifically on providing a stronger alternative to inputting usernames and passwords within authentication. I feel that a transition away from passwords, if it happens at all, will not be a rapid process. It will require user trust, particularly around biometrics, and for it to be adopted outside of businesses.
Catch up on OpenAthens webinars
If you would like to watch the recording of the webinar discussed within this blog and more, visit our YouTube channel.