
Nearly every online interaction we have today requires us to prove that we are who we say we are; broadly, this is done by providing one or more of the following three kinds of evidence:

  1. Something you know, like a password, passphrase or PIN
  2. Something you have, such as a soft token (Google Authenticator) or a hard token (YubiKey)
  3. Something you are, which is essentially your fingerprint or some other biometric data

The importance of authentication

Given the important role authentication plays in driving user experience, and its direct impact on privacy, security and revenue, it’s worthwhile knowing what the future holds.

While passwords have traditionally been the most popular primary authentication mechanism, they understandably have their own limitations – a key one being that the onus falls on the user to remember and update them regularly. According to a 2020 report by Verizon, 37% of data breaches stem from stolen credentials, errors or social attacks. During the COVID-19 pandemic, this number jumped to 80%. It is nearly impossible to ensure that these passwords do not fall into the wrong hands, and we generally have to rely on public disclosures of data breaches to find out whether our passwords have been hijacked for malicious ends.

Multifactor authentication

Multifactor authentication mechanisms such as Short Message Service (SMS) codes, tokens and biometric authentication are a fantastic step up in protecting accounts, but it’s important to acknowledge that they are not foolproof. It doesn’t take a sophisticated hacker to hijack text messages, and while hard tokens like YubiKeys offer a secure method of authentication, they tend to be expensive, can be misplaced and can be hard for IT departments to maintain. With more sophisticated mechanisms like biometric authentication, there exists a non-zero chance of false negatives, and these tend to disproportionately affect vulnerable communities and minorities. Moreover, a breach of biometric data could have significant impacts, not limited to the falsification of important legal documents like drivers’ licences and passports.

Acknowledging these limitations, let’s look at the future of authentication.

Passwordless authentication

Passwordless authentication has emerged as a leading trend. Without getting into the weeds here, these mechanisms generally rely on standards such as FIDO2 and WebAuthn, which are built on public-key cryptography. These standards are designed to replace passwords with devices that people already use and carry on their person, like security cards, smartphones and smart watches.

Imagine walking up to your computer terminal and having it log you in instantly because it recognises your face, fingerprint, mobile device, smart watch or even your organisation’s security pass, or better yet – a combination of two or more of these factors. Passwordless authentication can provide a genuinely frictionless experience without compromising on security, and you, as the end user, can do away with those pesky passwords. Organisations generally tend to see a decrease in total cost of ownership because passwords can be expensive to maintain.

There are a couple of considerations, however:

  • Selecting the right technology is important; how an organisation deals with scalability and stolen devices should be key concerns driving these decisions.
  • Moving away from passwords is a cultural change no matter how you slice it – consider training and winning hearts and minds.

User and Entity behaviour analytics

Rapid digitisation, increased customer expectations and regulatory requirements have driven the adoption of biometrics for many of us. It is now commonplace to authenticate to our devices using biometrics and then seamlessly purchase goods. The next evolution, user and entity behaviour analysis, offers a further opportunity to authenticate users in a low-friction manner while addressing some of the risks that have become commonplace in digital environments, such as fraud and identity theft.

We can think of this type of authentication as being largely invisible to the user: it builds a profile of normal user behaviour, using technologies such as machine learning to capture the unique characteristics of that person’s usual usage. These normal patterns may include keystrokes and device handling; when something perceived as suspicious occurs, like “time travel” (a login from a location the user could not have reached since their previous one), it steps up to a stronger authentication method.
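As an added example (not from the original article), the following Node.js code shows the kind of rule a behaviour-analytics layer applies before deciding to step up authentication: an impossible-travel check on consecutive logins, plus a new-device check, run over constructed sample login events. The 900 km/h threshold, the coordinates and the user and device names are assumptions chosen for illustration.

```javascript
const EARTH_RADIUS_KM = 6371;
const MAX_PLAUSIBLE_KMH = 900;  // assumed threshold: roughly airliner speed

// Great-circle distance between two { lat, lon } points in degrees (haversine formula).
function haversineKm(a, b) {
  const toRad = (deg) => (deg * Math.PI) / 180;
  const dLat = toRad(b.lat - a.lat);
  const dLon = toRad(b.lon - a.lon);
  const h = Math.sin(dLat / 2) ** 2 + Math.cos(toRad(a.lat)) * Math.cos(toRad(b.lat)) * Math.sin(dLon / 2) ** 2;
  return 2 * EARTH_RADIUS_KM * Math.asin(Math.sqrt(h));
}

// events: [{ user, time (ISO 8601), lat, lon, device }] in chronological order.
// Returns one decision per event: 'allow', or 'step-up' with the reasons.
function evaluateLogins(events) {
  const last = new Map();     // user -> previous login event
  const devices = new Map();  // user -> Set of devices seen before
  return events.map((ev) => {
    const prev = last.get(ev.user);
    const known = devices.get(ev.user) || new Set();
    const reasons = [];
    if (prev) {
      const hours = (Date.parse(ev.time) - Date.parse(prev.time)) / 3.6e6;
      const km = haversineKm(prev, ev);
      // Moving a non-zero distance in no time, or faster than any flight, is not plausible.
      if (km > 0 && (hours <= 0 || km / hours > MAX_PLAUSIBLE_KMH)) {
        reasons.push(`impossible travel: ${Math.round(km)} km in ${hours.toFixed(2)} h`);
      }
    }
    // The first device enrols silently; later unknown devices trigger step-up.
    if (known.size > 0 && !known.has(ev.device)) reasons.push(`new device ${ev.device}`);
    known.add(ev.device);
    devices.set(ev.user, known);
    last.set(ev.user, ev);
    return { user: ev.user, time: ev.time, decision: reasons.length ? 'step-up' : 'allow', reasons };
  });
}

// Constructed sample events: alice "logs in" from Sydney 40 minutes after Amsterdam;
// bob travels London to Paris over a working day, which is plausible.
const SAMPLE_EVENTS = [
  { user: 'alice', time: '2024-03-01T08:00:00Z', lat: 52.37, lon: 4.90, device: 'phone-1' },
  { user: 'alice', time: '2024-03-01T08:40:00Z', lat: -33.87, lon: 151.21, device: 'phone-1' },
  { user: 'bob', time: '2024-03-01T09:00:00Z', lat: 51.51, lon: -0.13, device: 'laptop-7' },
  { user: 'bob', time: '2024-03-01T17:30:00Z', lat: 48.86, lon: 2.35, device: 'laptop-7' },
];
```

Running `evaluateLogins(SAMPLE_EVENTS)` allows three of the four logins and marks alice’s second login for step-up; in production the location would come from IP geolocation, which is coarse, so the threshold should leave room for that error.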

This method of authentication offers consumers the possibility of almost invisible security, and the possibilities for combating fraud are clear; however, the privacy aspects need to be considered.

Are passwords a thing of the past?

It’s clear that passwords should be a thing of the past – while they have certainly served their purpose, they have proven cumbersome to manage and easy to exploit. Transitioning away from passwords to alternative mechanisms requires a change in mindset, and now is the right time to start – users are already used to their personal mobile devices providing biometric features like fingerprint and Face ID. Businesses and organisations will potentially benefit from increased interaction with their customers and workforce – a seamless and secure digital experience awaits.

Contact our specialist for more information

Henrik Smit
Senior Manager, Identity and Access Management lead
E: smit.henrik@kpmg.nl
