It was supposed to have died a long time ago, but, for a near-cadaver, the password has managed to hold onto its last breath for over two decades. Bill Gates declared passwords passé way back in 2004, but it was only late in April that the company he founded introduced a replacement for the outmoded authentication system.
For years, organizations have sought to educate employees about the importance of secure passwords and of resisting phishing attacks -- and both efforts have failed. A Verizon report indicates that 63 percent of confirmed data breaches involved leveraging weak/default/stolen passwords in 2016.
Meanwhile, a new report from Proofpoint says that phishing and similar attacks using e-mail were up 45 percent in the last quarter of that year. Clearly, the constant haranguing by security teams of employees to change their passwords and make them more complicated, as well as their pleas not to click on suspicious links/attachments, are falling on deaf ears.
Indeed, the only way passwords can be effective, according to NIST, the US National Institute for Standards and Technology, is by requiring users to come up with 16 character (preferably a mix of letters and digits, with some capital letters and/or alphanumeric symbols thrown in) standard passwords, allowing for as many as 64 characters, instead of the eight to 16 character range most organizations require for passwords today. We have enough trouble getting people to remember eight characters; can we really rely on peoples’ memories to remember 16, 20, or more?
In addition to all this, passwords have another major weakness: They are extremely inappropriate for mobile users. Already in 2015, mobile searches began outpacing desktop searches, and by the end of this year mobile e-commerce revenues are expected to match revenues from desktop/laptop engagements -- before sailing past to become the primary source of e-commerce revenues in 2018 and beyond.
For many people, using passwords on their mobile devices is just too much trouble; numerous surveys have consistently shown that about a third of Android device users don’t even bother to lock their screens with a password, considered one of the most basic security moves.
And even those who do aren’t guaranteed immunity from hackers or data thieves; a new UK study shows that malware can figure out a user’s device password just by “observing” (via sensors, gyroscopes, and accelerometers) the direction and position a device is held. For mobile, it’s clear that alternative -- non-character based -- authentication methods are the only method.
The replacement for passwords according to Microsoft is its new updated Microsoft Authenticator, a push authentication system that "shifts the security burden from your memory to your device." Instead of typing in a password, "which can be forgotten, phished, or compromised," users simply respond to a push notification when they try to access their Microsoft account. Besides being more secure than a password, push authentication "is easier than standard two-step verification" as well, says the company.
It’s not just Microsoft that is moving away from passwords. Google’s Project Abacus aims to replace passwords by identifying users based on how they interact with their mobile devices. Using criteria such as how users handle their device, scrolling speed and style, strength of contact, etc., Abacus authenticates a user based on who they are, biometrically. Apple is no laggard in this; in fact, it was the first to employ alternative authentication, allowing users to access their iOS devices with a thumbprint instead of a password.
Microsoft, Google, and Apple are highlighting the onset of the “mobile authenticator” as the best practice replacement for passwords. In order to access a device, a user has to supply correct answers to two out of three factors, which includes what you have, who are you, and what you know. In the Microsoft Authenticator example, “the mobile device is the first factor (something you have). The pin or fingerprint you create on the device is a second factor (something you know or are). Each sign-in session requires both of these,” according to Microsoft.
Besides fingerprints, factors that can be used for authentication can include security questions, location based authentication, voice print biometric, tokens (hardware or software), and others. Obviously, the more authentication factors used to verify the user, the better -- and many of these factors (i.e. geographic location) can be implemented transparently, reducing the burden on the user.
If the attraction of this system is apparent to Microsoft and company, it certainly is apparent to many other organizations, large and small -- especially in an era that has embraced BYOD, with all the risks inherent in allowing employees to copy sensitive documents and e-mail onto their tablets or smartphones. Thus, there is a wide-open market right now for companies that can provide enterprise-level, no-password mobile authentication for employees
A typical use case for mobile authentication in an enterprise setting would be accessing a network, database, or other resource via a pre- installed authentication app, with the user required to supply the requisite information or take the requisite action in order to be authenticated. The app is then authenticating the user via those and other (overt or transparent) methods.
If implemented correctly, this system is a lot more secure than the one that prevails now, where users login with their password, since there are now two or more factors that are being used to authenticate the user, rather than just a single factor which is the “something a user knows” (e.g. their password). Apple, Google, and Microsoft have set an industry trend in mobile authentication to replace passwords, blazing a path for enterprise -- and now enterprise is ready to follow in their footsteps.