The Future of Authentication: Cloudy with a Chance of Compromised Credentials
We live in an era in which customers no longer need to ask whether their credentials or sensitive data have been involved in a data breach. We are all victims now, and forward-thinking security leaders are responsible for leading the inquiry, “How at-risk are my users and my organization?”
Our digital landscape is fragile, and the odds increase daily that future data breaches will place business valuations, human lives and even democracy itself in harm’s way. Governments, businesses and users are not as secure as they can be, and as security leaders, we must do all that we can to change that.
As an industry, we’ve attempted to solve this problem in many ways, from requiring more complex passwords and one-time passcodes on a key fob or authenticator app to user behavior analytics and password-less biometric authentication. It’s no surprise that money is pouring into the cybersecurity sector: more than 64 percent of Americans have experienced a data breach. Yet, despite the flow of dollars into the industry, billions of credentials continue to be stolen every year, and the trend shows no signs of slowing down.
The “trust but verify” philosophy hasn’t served organizations well in years past. There’s always been a struggle between usability and security. Too much security, and users won’t use the service. Not enough security, and users won’t trust the service. It’s a catch-22 situation.
Similarly, organizations have always struggled with managing and maintaining their systems, and they’ve too easily caved to business pressures and accepted a “good enough” mindset. An overwhelming majority of data breaches in recent years were preventable. So, it’s easy to see that “good enough”…well, usually isn’t.
The definition of insanity is doing the same thing over and over and expecting a different result. Today, businesses can use two-factor authentication (2FA) with contextual authentication telemetry (e.g., device trust, IP reputation, geo-location, etc.) as part of an authentication flow. A study conducted last year reported the adoption rate of 2FA in the low single digits, even after a user account had been compromised. The mandate of deploying 2FA or multi-factor authentication (MFA) solutions everywhere is easier said than done, and as security leaders we must accept the limitations of the current technology. Even as we develop better methods, we must also find ways of protecting users, businesses and governments in situations that 2FA/MFA solutions can’t—and may never—reach.
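The paragraph above mentions combining a password with contextual telemetry (device trust, IP reputation, geo-location) in the authentication flow. The following is an added example, not code from the article or from VeriClouds, showing one way such a risk-informed flow decides between allowing the password alone, requiring the second factor, or denying. The scoring weights, thresholds, the 0-100 IP reputation scale and the sample login events are all assumptions constructed for illustration.

```python
"""Risk-informed step-up decision for a login flow (added example, constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt
from typing import List, Optional, Tuple


@dataclass
class LoginContext:
    """Telemetry gathered for one authentication attempt."""
    user: str
    device_trusted: bool   # device previously enrolled/trusted for this user
    ip_reputation: int     # assumed scale: 0 = clean .. 100 = known malicious
    lat: float             # geolocation of the source IP
    lon: float
    at: datetime


# Thresholds and weights are assumptions chosen for illustration.
STEP_UP_THRESHOLD = 30
DENY_THRESHOLD = 80
MAX_PLAUSIBLE_SPEED_KMH = 900.0  # faster than this between two logins = impossible travel


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points in kilometres."""
    rlat1, rlon1, rlat2, rlon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((rlat2 - rlat1) / 2) ** 2 + cos(rlat1) * cos(rlat2) * sin((rlon2 - rlon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def risk_score(ctx: LoginContext, previous: Optional[LoginContext]) -> Tuple[int, List[str]]:
    """Add up risk contributions from each telemetry signal and explain them."""
    score, reasons = 0, []
    if not ctx.device_trusted:
        score += 30
        reasons.append("untrusted device")
    if ctx.ip_reputation >= 70:
        score += 50
        reasons.append("bad IP reputation")
    elif ctx.ip_reputation >= 40:
        score += 20
        reasons.append("suspicious IP reputation")
    if previous is not None:
        km = haversine_km(previous.lat, previous.lon, ctx.lat, ctx.lon)
        # Floor the elapsed time at one minute so two near-simultaneous logins do not divide by zero.
        hours = max((ctx.at - previous.at).total_seconds() / 3600.0, 1 / 60)
        if km / hours > MAX_PLAUSIBLE_SPEED_KMH:
            score += 60
            reasons.append(f"impossible travel: {km:.0f} km in {hours:.2f} h")
    return score, reasons


def decide(ctx: LoginContext, previous: Optional[LoginContext]) -> Tuple[str, int, List[str]]:
    """Map the score to an outcome: allow on password alone, require the second factor, or deny."""
    score, reasons = risk_score(ctx, previous)
    if score >= DENY_THRESHOLD:
        decision = "deny"
    elif score >= STEP_UP_THRESHOLD:
        decision = "step_up"  # require the second factor for this attempt
    else:
        decision = "allow"    # low-risk context: password alone is accepted
    return decision, score, reasons


# Constructed sample events for one user: Seattle, then London 30 minutes later, then Seattle again.
T0 = datetime(2018, 6, 1, 10, 0, tzinfo=timezone.utc)
SEATTLE_TRUSTED = LoginContext("alice", True, 5, 47.6062, -122.3321, T0)
LONDON_UNTRUSTED = LoginContext("alice", False, 20, 51.5074, -0.1278, T0 + timedelta(minutes=30))
SEATTLE_NEW_DEVICE = LoginContext("alice", False, 5, 47.6062, -122.3321, T0 + timedelta(days=2))

if __name__ == "__main__":
    print(decide(SEATTLE_TRUSTED, None))
    print(decide(LONDON_UNTRUSTED, SEATTLE_TRUSTED))
    print(decide(SEATTLE_NEW_DEVICE, SEATTLE_TRUSTED))
```

The point of keeping `reasons` alongside the score is that a step-up or denial can be logged and reviewed with the signals that caused it, which is what makes the flow auditable rather than a black box.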
Another generic solution that’s widely adopted is to check a user’s password against a database of weak or commonly breached passwords. Some popular web services even offer this capability for free. But it only begins to help address the issue of weak passwords. It doesn’t answer the question, “Has MY password been found in a data breach, or reused from other online services?” VeriClouds has found that using a blunt instrument like this results in alerting users 2-6 times more than necessary to a hypothetical risk—as opposed to a real and verifiable risk—and results in a poor balance between user experience and security. In a way, it reinforces the bad user training that we need complicated and unmemorable passwords to be more secure online.
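To make the distinction in the paragraph above concrete, here is an added example (not code from the article, from VeriClouds, or from any named service) that runs three checks side by side: a generic weak-password list, a breached-password corpus queried with the widely used SHA-1 prefix-range (k-anonymity) scheme, and a per-user check of whether this specific user’s credential appeared in a leak. All password lists, hashes and user names below are constructed for the example; the in-memory sets stand in for the remote services and for leaked-credential data that in practice would sit behind masking and encryption.

```python
"""Weak-list check vs. breach-corpus check vs. per-user compromised-credential check
(added example; every corpus below is constructed, not real breach data)."""
import hashlib
from typing import Dict, Set


def sha1_hex(value: str) -> str:
    # SHA-1 is used only because it is the convention of the prefix-range lookup;
    # it is not a password-storage hash and should not be used as one.
    return hashlib.sha1(value.encode("utf-8")).hexdigest().upper()


# 1) Generic weak/common password list (constructed).
COMMON_PASSWORDS: Set[str] = {"password", "123456", "qwerty", "letmein", "welcome1"}

# 2) Constructed stand-in for a breached-password corpus behind a k-anonymity range API:
#    the client sends only the first 5 hex characters of the SHA-1 and matches the
#    returned suffixes locally, so the service never learns the full hash.
BREACHED_PASSWORD_HASHES: Set[str] = {
    sha1_hex(p)
    for p in ("password", "123456", "Tr0ub4dor&3", "correct horse battery staple", "Summer2019!")
}


def range_lookup(prefix: str) -> Set[str]:
    """Server side of the range query: hash suffixes whose hash shares the 5-char prefix."""
    return {h[5:] for h in BREACHED_PASSWORD_HASHES if h.startswith(prefix)}


def password_seen_in_breach(password: str) -> bool:
    """Client side: sends the prefix only, compares the suffix locally."""
    digest = sha1_hex(password)
    return digest[5:] in range_lookup(digest[:5])


# 3) Constructed per-user leaked credential pairs: user -> hashes of passwords leaked WITH that user.
#    Plain SHA-1 here is for illustration only; a real service protects this data far more strongly.
LEAKED_PAIRS: Dict[str, Set[str]] = {
    "alice@example.com": {sha1_hex("Tr0ub4dor&3")},
    "bob@example.com": {sha1_hex("Summer2019!")},
}


def credential_pair_compromised(user: str, password: str) -> bool:
    """True only if this exact user/password pair is known to have leaked."""
    return sha1_hex(password) in LEAKED_PAIRS.get(user, set())


def assess(user: str, password: str) -> Dict[str, object]:
    """Combine the three checks into one policy decision, ordered by how verifiable the risk is."""
    common = password.lower() in COMMON_PASSWORDS
    seen = password_seen_in_breach(password)
    pair = credential_pair_compromised(user, password)
    if pair:
        action = "reset_required"  # real, verifiable risk: this user's own credential leaked
    elif common:
        action = "reject_weak"     # weak password: refuse at set/change time
    elif seen:
        action = "advisory"        # hypothetical risk: someone's password, not provably this user's
    else:
        action = "ok"
    return {
        "common": common,
        "seen_in_any_breach": seen,
        "this_users_credential_leaked": pair,
        "action": action,
    }


if __name__ == "__main__":
    samples = [
        ("alice@example.com", "Tr0ub4dor&3"),
        ("bob@example.com", "correct horse battery staple"),
        ("carol@example.com", "password"),
        ("carol@example.com", "xK9#qLm2vR7!pZ"),
    ]
    for user, pw in samples:
        print(user, assess(user, pw)["action"])
```

The second sample is the case the paragraph is about: the password appears in some breach corpus, so a password-only check alerts, but nothing ties that leak to this user, so the policy treats it as advisory rather than forcing a reset. The first sample is the opposite: a password that is on no weak list but did leak together with this user’s identity, which is the real and verifiable risk.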
The most popular solutions on the market today aren’t and can’t be deployed at a large enough scale to have any meaningful effect on the massive threat of data breaches, credential stuffing attacks and account takeovers. They’re incomplete solutions and often ineffective when they’re not managed properly by professionals.
The future of authentication isn’t based on a utopian vision of a password-less world secured by behavior-based continuous authentication. As an industry, we need to move towards more seamless and user-friendly ways to authenticate users. However, passwords will remain a simple and cost-effective way to provide access to data, and they must be managed appropriately. A study conducted last year by Dashlane indicated that the number of online accounts we use doubles every five years, compounding the risk to users and to sensitive data. The future of authentication must account for the continued use of passwords, and as such must provide improved basic governance of passwords alongside the modern authentication protocols emerging on the landscape today.
This year at Identiverse, you’ll have the chance to see intelligent authentication and risk-informed IAM in action. The ideal identity threat management and proofing solutions will combine big data security analytics, data masking and encryption, artificial intelligence and integrations using RESTful APIs, all built with privacy-by-design. Many of the sponsors at Identiverse offer such solutions today. I hope you enjoy hearing everything you can about the future of authentication from the visionaries and experts at Identiverse, but I challenge you to balance idealism with a healthy dose of reality surrounding the complexities of managing authentication in legacy, multi-cloud and heterogeneous environments.
If you are attending Identiverse this year, I invite you to join me and my all-star panel of experts from ADP, VMware, StealthBITS and Home Depot on Wednesday, June 27 at 4:30 pm to get your questions answered at Risk Informed IAM, Compromised Credentials and the Future of Authentication.
By Steve Tout
About Steve @stevetout
Steve is CEO at VeriClouds, an identity threat management company in Seattle, WA. He’s an entrepreneur with over 15 years of experience in enterprise IT focusing on IAM program leadership, systems architecture, implementation and operations for the world’s largest companies in telecommunications, financial services, high tech and Big 4 consulting. Steve writes a blog called The Security of Identity at CSO Online and served on the advisory board of Palerra, a pioneer in the CASB space, which was acquired by Oracle in October of 2016.