Rajiv Dholakia
Beyond Passwords: Why Your Company Should Rethink Authentication

Scaling security infrastructure requires scaling trust of users, devices, and methods of authentication. Here's how to get started.

Many simply call it "the problem of the password." But those five words summarize one of the most enduring challenges in the history of technology: From both a user experience (UX) and security standpoint, passwords and authentication protocols are as dangerously problematic as they are ubiquitous.

They're certainly the bane of most end users — and have been for some time. One survey famously found nearly four out of ten people would rather clean their bathroom than change a password. But this cognitive burden is dwarfed by the growing extent of the security threat. Indeed, weak or stolen passwords account for up to 81% of all data breaches and have the potential to create threats to our civil and national infrastructure, according to the 2017 Verizon Data Breach Investigations Report. 

Standardizing Authentication
Fortunately, we're seeing momentum behind standards for stronger, open, and scalable authentication that is interoperable, resistant to phishing, and secures the authentication process end to end. The more we understand these efforts and the challenges that drive them, the more we can embrace solutions and put them to work in our industries.

You can see some of that momentum in what the FIDO (Fast Identity Online) Alliance has done to develop ubiquitous, technology-agnostic security standards for authentication. FIDO released a set of standards aimed primarily at mobile authentication shortly after its founding in 2012 by a half-dozen companies — including Nok Nok Labs, Lenovo, and PayPal. 

Since then, the nonprofit industry consortium has grown to hundreds of members — including the biggest names in technology, banking, telecommunications, consumer electronics, and many other sectors. This past April marked the release of the FIDO2 standard — supported by Google, Microsoft, and Mozilla — to expand stronger, phishing-resistant authentication to web browsers.

The Achilles' Heel of Authentication at Scale
The Holy Grail for authentication is to unify standards not just around all kinds of devices but also around all modes of authentication — passwords, biometrics, smart cards, security tokens, and even new methods that haven't been invented yet. This is the kind of ubiquity needed to scale security infrastructure — to literally "scale trust."

If this sounds like a stretch, look no further than the OPM and Yahoo breaches, or any other attack aimed at databases that aggregate many passwords or any kind of secrets together. The threat levels have grown despite the advent of more complex password requirements and other new forms of authentication; and databases that aggregate many credential secrets together remain the most coveted breach targets in cyberspace.

Indeed, in a 2016 study of 900 phishing attacks, Verizon found nine out of ten were in search of user credentials. Unfortunately, this context shows how the lack of a standardized, secure authentication ecosystem is the Achilles' heel of operating at enterprise scale — creating serious vulnerabilities in the computing infrastructure that powers our daily lives.

Putting Better Authentication Standards to Work
For your own company, the key to standardizing authentication is proper integration. For instance, FIDO standards — including the most recent FIDO2 enhancement — are not about any specific method of authentication. They're about creating a flexible infrastructure in which you can use any method of authentication that's right for the business application. And they're about doing that with a single developer API and a single back end that can power authentication regardless of whether the user is on a mobile device, PC browser, kiosk, set-top box, or some other device.

This highly technical work should be guided by the same principle behind a fairly accessible analogy: Think of the average household kitchen and imagine if — every time you bought a dishwasher, microwave, toaster, or some other appliance — you had to bust open the wall and install new custom wiring all the way back to the electricity pole! Thankfully, unified electrical standards save us from that fate, keep us safe, and allow us ease of use.

Your IT solution should achieve the same things with authentication, and your efforts should be guided by three key questions:

Question 1: What is the experience you want to create for the end user?
Answer: It should be frictionless. For consumers or business users, remembering passwords is a big point of friction. If you can eliminate passwords and replace them with strong, flexible cryptographic security and open standards, you can provide a better experience for your users and you'll see fewer abandoned transactions and reduced call center costs. However, you must remember that different users require individualized experiences. For example, office workers who sit at desks may require a different experience compared with first responders who are mobile in the field and work with different equipment through their shifts.

Question 2: What risks and security problems are you trying to retire or prevent?
Answer: With 81% of today's data breaches attributed to scalable phishing attacks against passwords (according to the 10th edition of the Verizon Data Breach Investigations Report in 2018) and the ever-increasing specter of consumer fraud, it is important to focus on mitigating the risk across all channels and devices, including web, mobile, Internet of Things, etc. Some security problems are universal, such as phishing. Solutions that rely on end users making distinctions between good and bad requests are doomed to fail — many legacy authentication mechanisms, such as SMS OTP, fall into this category. Other security problems are specific to an organization. For example, a defense contractor has to worry about determined adversaries, such as nation-states, that may conduct targeted attacks on its high-level employees. The defense contractor may require strong authentication solutions that combine something you have, something you are, and something you know to raise the level of security.
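The phishing resistance described above (and the single back end that verifies any FIDO2 authenticator, from the previous section) rests on the relying party checking what the browser, not the user, put into the signed assertion. The following is an added example, not code from the article or from Nok Nok Labs: a simplified WebAuthn assertion check in which the origin, challenge, and RP ID hash are verified before the signature. HMAC-SHA256 stands in for the authenticator's real public-key signature, and all names and values are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed sample values. HMAC-SHA256 stands in for the authenticator's real
# public-key signature (ECDSA P-256 in most FIDO2 deployments) so this runs offline.
CREDENTIAL_KEY = b"constructed-credential-key"
RP_ID = "example.test"
RP_ORIGIN = "https://login.example.test"

def rp_id_hash(rp_id: str) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest()

def authenticator_sign(key: bytes, rp_id: str, client_data: dict):
    """Simulated authenticator: builds authenticatorData (rpIdHash, flags,
    counter) and signs authenticatorData || SHA-256(clientDataJSON)."""
    client_data_json = json.dumps(client_data, separators=(",", ":")).encode()
    auth_data = rp_id_hash(rp_id) + b"\x01" + (1).to_bytes(4, "big")
    to_sign = auth_data + hashlib.sha256(client_data_json).digest()
    sig = hmac.new(key, to_sign, hashlib.sha256).digest()
    return client_data_json, auth_data, sig

def verify_assertion(key: bytes, expected_origin: str, rp_id: str, challenge: str,
                     client_data_json: bytes, auth_data: bytes, sig: bytes) -> bool:
    """Relying-party checks from the WebAuthn assertion ceremony (simplified)."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False
    # The browser writes the page origin into clientDataJSON, so a lookalike
    # site cannot obtain an assertion that names the real origin.
    if cd.get("origin") != expected_origin:
        return False
    # Fresh per-login challenge: a captured assertion cannot be replayed.
    if cd.get("challenge") != challenge:
        return False
    if auth_data[:32] != rp_id_hash(rp_id):
        return False
    to_sign = auth_data + hashlib.sha256(client_data_json).digest()
    expected = hmac.new(key, to_sign, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)

def login_outcomes(challenge: str) -> dict:
    # Genuine login vs. the same challenge signed on a lookalike origin.
    genuine = {"type": "webauthn.get", "challenge": challenge, "origin": RP_ORIGIN}
    phish = dict(genuine, origin="https://login.examp1e.test")
    results = {}
    for name, cd in (("genuine", genuine), ("lookalike_origin", phish)):
        cdj, ad, sig = authenticator_sign(CREDENTIAL_KEY, RP_ID, cd)
        results[name] = verify_assertion(CREDENTIAL_KEY, RP_ORIGIN, RP_ID, challenge, cdj, ad, sig)
    return results
```

In a real deployment the browser additionally refuses to offer a credential whose RP ID does not match the page, so the lookalike case never reaches the server; the server-side check is the backstop this example isolates.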

Question 3: What are the economic considerations or profitability measures that affect how you build and fund your solution?
Answer: A business that makes $2/user/year may not be able to afford to distribute $10 tokens to its customers. A defense contractor, on the other hand, may spend upward of $100/user/year to adequately protect its employees. Ask yourself questions that will affect your top line and bottom line, such as: How do I increase my customer revenue and employee productivity with better experience and engagement? How do I reduce costs? (Think of the cost of password resets, cost of hardware tokens, expensive vendor lock-ins with a proprietary solution, and cost of integration and development of a new application.) You want to build a solution that is simple, secure, and scalable.

Finally, remember to embrace agile development processes. Find a business sponsor internally who wishes to transform customer experience, lower friction in engagement, or meet a regulatory hurdle. Run a small proof of concept and embrace fail-fast iterations to learn and improve on your solution. As confidence and success stories grow within the organization, create a multiyear road map for which authentication systems you'll employ — and how you plan to integrate them. The result will be a much more solid and secure foundation as you scale the business.


Rajiv Dholakia is the vice president of products at Nok Nok Labs and is responsible for strategy and the development of the company's products and solutions. He has more than 30 years of global operating experience in private and public companies spanning security, ecommerce, ...
