Authentication is a sensitive subject that always seems to imply walking a fine line between security and convenience. On one hand, companies require the security that strong authentication mechanisms provide. On the other hand, end-users require the convenience of being able to seamlessly access services without spending any considerable time or effort.
Over the past 50 years, the password has done a great job of walking this line. But lately, with users having hundreds of different passwords, for both personal and professional accounts, the weaknesses of passwords have emerged, and they are scary.
The Password Problem
The problem with passwords is not in the way they work, but in the way they're used. It is well documented that people reuse the same password, or weak variations of it, across many services. This practice amplifies the impact of every data breach: a password list leaked from one site is replayed against other sites in credential-stuffing attacks, putting end-users and enterprises at constant risk of major attacks.
MSPs are the first ones to suffer from the password problem. Password reset requests are a hassle, provisioning access to users is becoming more and more complicated for MSPs that sell SaaS, and data breaches are catastrophic due to the lack of immediate visibility and auditability.
A common mitigation approach is Single Sign-On (SSO), in which service providers never see the user's password at all; instead they receive signed assertions about the user's identity from a central Identity Provider.
One example of this is SAML 2.0. The user authenticates once to the Identity Provider, which then vouches for that user's identity to each Service Provider by issuing a signed assertion.
At first, this approach seems to solve the password problem, until you remember that users still need to authenticate to the Identity Provider, and that is usually done with a username and password. Not only does this approach not solve the problem, it amplifies it: the Identity Provider password now becomes a single point of failure, and whoever obtains it gains access to every connected service.
SSO is widely used today, as it's considered easier to manage one problem instead of having to deal with authentication as a separate module across a multitude of services.
So, while SSO solves the problem of having to deal with dozens upon dozens of enterprise authentication services, it doesn't address the issues inherent to password authentication itself: a user can still forget their SSO password, or hand it to an attacker by typing it into a phishing form.
The Next Wave
Authentication is such a crucial concern that major players from around the globe have been heavily invested in researching new methods of authentication able to walk the line between convenience and security.
The future of authentication seems to be leaning towards public-key cryptography and digital signatures to verify a user's identity: the user's device holds a private key and proves possession of it by signing a challenge, while the service only ever stores the matching public key. The Web Authentication standard, or WebAuthn, a W3C specification developed with the FIDO Alliance and backed by Google, Mozilla, Microsoft and other big stakeholders, aims to remove or complement the password.
Web Authentication can either be implemented as an additional authentication factor to complement the password or as a standalone authentication mechanism.
Both approaches rely on an authenticator, which can be built into the device itself (a smartphone's or laptop's secure hardware), or be a separate roaming device such as a USB security key, or even a smartwatch. In order to register with a new service or authenticate, the user must unlock the authenticator with a biometric or a PIN code (user verification), or, on the simplest devices, just prove they are physically present with a touch of the finger (user presence). Either way, the private key never leaves the authenticator; only a signature over the service's challenge does.
For a user trying to log in to a service, the process involves them navigating to the website on their computer and then receiving a login request on their smartphone, which they must approve with a fingerprint or Face ID, after which they are automatically logged in. This method may seem like magic at first, but it does have its challenges.
Problems with Web Authentication
Although web authentication solves many of the problems associated with user-based flaws in the way passwords work, it comes with its own set of challenges, namely:
- Sharing access to accounts and collaboration in general becomes a more difficult issue. Ex: How do you share access to your company's Twitter account with your external PR firm?
- Losing your authenticator would be a major inconvenience, as the user would get locked out and need to confirm their identity using an alternative authentication method. The usual mitigation, registering a second authenticator or keeping recovery codes at enrollment time, pushes that burden back onto the user.
Additional design challenges have also started to appear, like vendor lock-in, where a service provider restricts a user to its own ecosystem. For example, Microsoft requiring you to authenticate using its own Microsoft Authenticator app, or Google offering its non-TOTP second factor, the Google Prompt, only through a Google-issued application.
These challenges may seem minor at first compared to the major authentication problem we are currently facing, but in fact they are extremely critical matters.
For a new authentication standard to be able to completely replace passwords, it would need to improve upon their security without affecting their usability, because the marketing cost of teaching the world to use a new method of authentication is far greater than any short term benefit that the new approach could provide.
The Password is Here to Stay, For Now
Despite the fact that we're starting to see some successful implementations of password alternatives in specific industries, global adoption of a password-less authentication protocol across all users and service providers is unrealistic in the short term. But with the advent of wearable technology that can be on our person at every moment of the day, and the miniaturization of computers powerful enough to execute cryptographic operations rapidly, we might not have to wait long.
Microsoft has already started offering its web authentication-based password-less authentication feature to Azure AD accounts, and Google and Facebook are ready to follow suit, which will no doubt push early adopters to migrate to these new standards. This will act as an initial feedback loop that will allow identity providers to keep tweaking the password-less approach until the world is ready for a global adoption.
But even then, you can count on vendors like Apple, Google, and Microsoft to implement their own incompatible protocols and limit your ability to exit their ecosystems by restricting authenticators.
We're not ready for a password-less future just yet, but we're getting there. All we can do in the meantime is educate users on the challenges of passwords, and encourage them to start using a password manager to limit the exposure of companies and end-users.
About the Author: Antoine is the Co-Founder & CEO of Myki where he's working on building the tools to help users regain control of their digital identity. The Myki Password Manager & Authenticator for Consumers, Enterprises and MSPs was named one of the best password managers of 2018 by PCMag and Apple. Follow Antoine Vincent Jebara on Twitter or LinkedIn