Are passwords obsolete?
We’ve all been there – tearing our hair out because we just can’t remember our password. And with passwords becoming ever longer strings of letters, numbers and symbols, the process has only grown more frustrating. But thanks to machine learning, there may finally be some light at the end of the tunnel for jaded computer users.
The upsurge in cybercrime in recent years has seen identity and access management (IAM) become ever more complex – no sooner had the password-email combo been upstaged by multifactor authentication (MFA) than biometric scanning came into play. And yet throughout, the password has remained a stubborn fixture in cybersecurity, often with other methods of authentication simply piled on top for good measure.
But now it looks as though even biometric verification may find itself surpassed in the near future – and purveyors of its replacement are confident that it will consign those annoying passwords to the scrapheap of history, without compromising security.
Paul Trulove of IAM company SecureAuth is one of them. “Username and password is – we can all probably agree – becoming a very frustrating way for people to gain access to things,” he says. “But then I'm going to make you do something else where it's not just two factors, it could be three, four, five, seven things that I look at before I let you in. That's where the state of the art of the industry is right now.”
Trulove believes his company has found a solution to the problem, in the form of Arculix: a machine-learning risk engine that judges whether a login attempt is genuine by weighing signals such as the user’s usual online behavior and location.
“One of the key ways that you reduce friction [for the end user] and actually improve security is by eliminating passwords from the authentication event itself,” he says. “Biometrics is one of the most common, but we can also look at other things like usage patterns. Are you logging in at a normal time of day for you? Are you logging in from a normal geographic location? Are you not logging in from a normal IP [internet protocol] range? Is it a browser that we already validated and stored a token on?”
The key to making this seamless for the end user is that these signals are already present in the login transaction itself, so the party that has to judge whether the attempt is valid – here, the risk engine – can collect them without asking the user anything.
“I don't have to ask you what time of day it is, where you are,” says Trulove. “I can pick all of that up dynamically in the transaction, and just validate it within the risk engine that we have on a real-time basis. And then that risk engine gets smarter over time.”
In this way, Trulove hopes to offer users the best of both worlds – a relatively pain-free method of account access that also raises the bar for threat actors.
“I travel a lot back and forth between here and my office, so that dynamic risk engine should learn that I don't only log in to SecureAuth applications from my home, I also log in from the office a lot,” he explains. “And if I'm on the right domains, it should just let me through with very basic authentication requirements. It's trying to get that frictionless experience for the user, but also improve security on the back end.”
Trulove believes this technology will make life much harder for cybercriminals, who will have to get a whole set of signals right to have a chance of fooling a given system – so a password that has been guessed by brute force or stolen is no longer enough on its own.
“To spoof a system that has the dynamic pattern recognition in it, you have to be able to spoof a lot of factors,” he says. “I don't just have to have your basic credentials, I potentially have to fake your location [and] time of day. If I’m trying to hack in from another part of the world in another time zone, I have to know a lot about you and your patterns to fool the system.”
Too good to be true?
That said, Trulove does see some obstacles to wider uptake of passwordless IAM. For one thing, consumers – whether they are workers for big firms with complex login systems, or customers of retail websites operating something similar – will have to overcome the old pessimistic adage that if something seems too good to be true, it probably is.
“Think about yourself as a consumer,” he says. “The first time you log into your bank with no password at all, it's a little bit concerning: ‘Wait a minute, I'm so used to being prompted for my username and password and then a second factor – and it just lets me in! Holy cow, is that secure?’ I think we have to reprogram people to a certain degree to feel comfortable that they didn't jump through 19 hoops to get logged in – because all of that work is happening in the background.”
The technology certainly sounds appealing, and doubtless many hapless computer users would dearly love to kiss the dreaded passwords goodbye – but doesn’t Trulove worry about privacy issues?
“It's a complex policy decision, ultimately,” he concedes. “But we don't actually store all of that data. I'm not tracking where you are, because that data comes from somewhere else – think of it in the context of if you've got a financial banking application on your mobile device, all of that data sits with the device carrier and the bank. We're just using that information in real-time during the authentication transaction. I don't store it and compare it – I'm enabling that to happen, but I don't become another place that could potentially expose that from a data-breach perspective.”
But this doesn’t mean all of us can look forward to frictionless access to our work computers or favorite shopping websites just yet: initially, the new technology will be marketed to larger corporations, with at least a thousand employees.
But Trulove is confident that, in time, it will be adopted by SMEs as well, rendering passwords a thing of the past.
Well, not quite. In some cases the old faithful will still be called upon – when the risk engine is not satisfied by the other factors, for instance because a threat actor appears to be targeting an account while the legitimate user is on it. But the password becomes the last resort rather than the first step.
“On the workforce side, people have to recognize that if you start with username-password and then you're adding authentication after that you're not really changing the experience,” says Trulove. “You have to flip the mindset: if I create a better user experience, I actually have the ability to improve security in that process. Eliminate passwords every time by using the other factors first – and then username and password becomes the final factor if I'm still not happy with the risk profile for that user.”
This ties into another feature, what Trulove calls “making authentication a more continuous journey”: re-evaluating a user mid-session should circumstances suddenly change and become suspicious – something he claims has been missing from conventional forms of IAM.
“Typically authentication happens at the time of login,” he says. “You hit the site, you put in your credentials and the authentication mechanism decides whether to let you in or not. If you get in, it's in perpetuity until the session ends. One of the other use cases that we will be delivering is that authentication becomes a continuous re-evaluation. If all of a sudden we recognize that somebody else using the same credentials has logged in from another region, we log everybody out and make you reauthenticate, and step up the factors that we're using to try to block that account takeover.”
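As an added example that is not code from the article, from SecureAuth or from Arculix, the following Python sketches the two mechanisms Trulove describes above and earlier in the piece: a risk engine that scores a login against what it has learned about the user (time of day, country, IP range, a previously validated browser token), lets a low-risk attempt through with no password, asks for an extra passwordless factor at moderate risk and reserves the password for the final step; and a session monitor that re-evaluates continuously and revokes every session when the same account turns up in two regions at once. The signal weights, thresholds, user name, IP addresses, tokens and session identifiers are all constructed assumptions, not values from any real product.

```python
"""Toy risk-based login engine with continuous session re-evaluation.

Added example; not SecureAuth/Arculix code. Weights, thresholds and the
sample user, addresses, tokens and session IDs are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple

@dataclass
class Baseline:
    """What the engine has learned about one user (assumed schema)."""
    hours: Set[int]          # hours of day at which the user normally logs in
    countries: Set[str]      # countries previously seen for this user
    ip_ranges: list          # ip_network objects previously seen
    device_tokens: Set[str]  # browser tokens issued after a validated login

@dataclass
class Attempt:
    """Signals picked up from a single login transaction."""
    user: str
    hour: int
    country: str
    ip: str
    device_token: Optional[str]
    session_id: str

# Assumed weights: each anomalous signal adds risk, a known device removes some.
WEIGHTS = {"odd_hour": 1, "new_country": 3, "new_ip_range": 1, "unknown_device": 2}
KNOWN_DEVICE_CREDIT = -2
ALLOW_MAX, STEP_UP_MAX = 0, 3  # assumed decision thresholds

def score(b: Baseline, a: Attempt) -> Tuple[int, List[str]]:
    """Return (risk total, list of anomalous signals) for one attempt."""
    reasons: List[str] = []
    if a.hour not in b.hours:
        reasons.append("odd_hour")
    if a.country not in b.countries:
        reasons.append("new_country")
    if not any(ip_address(a.ip) in net for net in b.ip_ranges):
        reasons.append("new_ip_range")
    if a.device_token not in b.device_tokens:
        reasons.append("unknown_device")
    total = sum(WEIGHTS[r] for r in reasons)
    if a.device_token in b.device_tokens:
        total += KNOWN_DEVICE_CREDIT
    return max(total, 0), reasons

def decide(total: int) -> str:
    """Map a risk total to the authentication the user is asked for."""
    if total <= ALLOW_MAX:
        return "allow"      # basic authentication only, no password
    if total <= STEP_UP_MAX:
        return "step_up"    # an extra passwordless factor (push, biometric)
    return "password"       # username/password only as the final factor

def learn(b: Baseline, a: Attempt) -> None:
    """After a successful authentication, fold the attempt into the baseline,
    so that a regularly used second location stops raising risk."""
    b.hours.add(a.hour)
    b.countries.add(a.country)
    prefix = 24 if ip_address(a.ip).version == 4 else 64  # assumed granularity
    b.ip_ranges.append(ip_network(f"{a.ip}/{prefix}", strict=False))
    if a.device_token:
        b.device_tokens.add(a.device_token)

class SessionMonitor:
    """Continuous re-evaluation: if one account is active from two countries
    at the same time, revoke every session and demand stepped-up reauth."""
    def __init__(self) -> None:
        self.active: Dict[str, Dict[str, str]] = {}  # user -> {session: country}
        self.revoked: Set[str] = set()

    def on_login(self, a: Attempt) -> str:
        sessions = self.active.setdefault(a.user, {})
        if any(country != a.country for country in sessions.values()):
            self.revoked.update(sessions)
            self.revoked.add(a.session_id)
            sessions.clear()
            return "revoke_all_and_step_up"
        sessions[a.session_id] = a.country
        return "session_ok"

def demo() -> Dict[str, str]:
    """Run the constructed scenario from the article: home, office, attacker."""
    b = Baseline({8, 9, 17, 18}, {"US"}, [ip_network("203.0.113.0/24")], {"tok-home"})
    home = Attempt("paul", 9, "US", "203.0.113.5", "tok-home", "s1")
    office = Attempt("paul", 9, "US", "198.51.100.7", "tok-office", "s2")
    attacker = Attempt("paul", 3, "RU", "192.0.2.9", None, "s3")
    out = {"home": decide(score(b, home)[0]), "office_first": decide(score(b, office)[0])}
    learn(b, office)                      # the engine "gets smarter over time"
    out["office_again"] = decide(score(b, office)[0])
    out["attacker"] = decide(score(b, attacker)[0])
    m = SessionMonitor()
    m.on_login(home)
    out["concurrent"] = m.on_login(attacker)
    return out

if __name__ == "__main__":
    print(demo())
```

The office login is asked for a step-up factor the first time and waved through once the engine has learned the office network and browser token, while the out-of-hours attempt from another country is pushed all the way to the password; a second session for the same account from a different country causes both sessions to be revoked.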
But surely this constitutes friction for the end user? “We're trying to balance – it'll never be perfect,” he admits. “But hopefully over the course of the next several years we'll all be moving into an environment where passwords are not the primary thing that we use to authenticate.”
Trulove even believes this will help bigger companies recruit staff who have had bad IAM experiences in previous jobs. “I had a customer tell me this week one of the reasons they are looking at this type of technology is they believe it creates a competitive recruiting advantage,” he says. “The experience in most financial services organizations is really bad, because they jump you through so many hoops. They can talk to their traders and banking employees when they're recruiting about using leading-edge technology that makes their work day better. We didn't have those conversations a couple of years ago. People just put more security in place and said: ‘If you want a job here, deal with it.’
“I think people have come to the conclusion that passwords have ultimately lived well beyond their usefulness – how many times a week do you deal with a password situation? Yesterday morning [my daughter] was running off to school and I was trying to get some stuff done before I started my day. She was asking about returning textbooks and I said: ‘Log in to your account and figure out what you're supposed to return.’ We tried to and she couldn't remember her password, and we're going through the whole rigmarole – again. And I'm like: ‘This is why I'm at SecureAuth! I want to be part of solving that problem.’”