Why Are Companies Transitioning To Password-Less Authentication?

“Are you just one weak password away from a devastating security breach?”

Data security is intrinsic to software development, though it is often understated until it is compromised. Since the advent of computers, we have equated data security with passwords. However, with the rise in cyber threats, the emergence of new technologies and meager security budgets, most businesses are perfect targets for internet fraud. With half of the world’s internet users reusing the same password across different applications, the risk of identity theft is compounded. According to Cisco’s 2017 Annual Cyber Security Report, security breaches can cost businesses up to 20% of their turnover.

Let us understand why passwords are inadequate to ensure data security, with the help of a scenario. John has developed a cloud-based app to grow his business, increase his online presence and widen his customer reach. The web app looks great and works well too. All of John’s business and customer data is encrypted and stored in the cloud. John has also taken care to secure his app by hosting it on an HTTPS server, authenticating each user with a username/password combination and granting access only to authorized users.

John is happy: he is getting plenty of orders and his business is functioning smoothly. One fine day, in spite of all these precautions, John’s app is hacked through an open port and all of his critical data is exposed. To make matters worse, the attacker succeeds in decrypting all the passwords and gaining access to John’s customer accounts. The trust that took John years to build with his stakeholders is lost within minutes. John has no idea what went wrong; after all, he had secured his app using passwords.

In today’s world, this is a fairly common scenario. Is there a way to prevent it? What if there were no passwords to be hacked at all? Just as we install an extra safety door at home to keep strangers out, adding multiple factors to user authentication is the only way to strengthen an application’s security. This technique is called multi-factor authentication (MFA): the user’s identity is confirmed by combining factors, a knowledge factor (username/password), a possession factor (a smartphone app) and an inherence factor (a fingerprint), to approve authentication requests. Let us look at some ways to authenticate users in conjunction with passwords.

Authentication with an OTP via SMS:

The user is authenticated with a unique one-time password (OTP) sent to the user’s registered mobile number or email address. Because a mobile number or email address is the user’s personal communication channel, the code is accessible only to the intended recipient, which is what provides the security.
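What the server side of an SMS/email OTP flow has to get right is mostly invisible in the description above: the code must be unpredictable, it must expire, it must work only once, guesses must be capped, and the server should store a hash rather than the code itself. The Go program below is an added example written for this article (it is not code from the original post or from any OTP vendor); the user name, the five-minute lifetime and the three-guess limit are assumptions chosen for illustration, and the SMS/email gateway is left out.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

const (
	otpDigits      = 6
	otpLifetime    = 5 * time.Minute // assumed validity window
	otpMaxAttempts = 3               // guesses allowed before the code is burnt
)

var (
	errNoOTP     = errors.New("no code pending for user")
	errExpired   = errors.New("code expired")
	errLockedOut = errors.New("too many failed attempts")
	errWrongCode = errors.New("wrong code")
)

// otpRecord is all the server keeps: a hash of the code, its expiry and a
// failed-attempt counter. The plaintext lives only until it has been sent.
type otpRecord struct {
	hash     string
	expires  time.Time
	attempts int
}

// otpStore holds pending codes per user; the clock is injectable so expiry
// can be exercised deterministically.
type otpStore struct {
	now     func() time.Time
	pending map[string]*otpRecord
}

func newOTPStore() *otpStore {
	return &otpStore{now: time.Now, pending: map[string]*otpRecord{}}
}

// hashOTP binds the code to the user, so a code issued for one account is
// worthless against another.
func hashOTP(user, code string) string {
	sum := sha256.Sum256([]byte(user + ":" + code))
	return hex.EncodeToString(sum[:])
}

// generateOTP draws a uniformly random numeric code from crypto/rand
// (math/rand is predictable and must not be used here).
func generateOTP(digits int) (string, error) {
	limit := new(big.Int).Exp(big.NewInt(10), big.NewInt(int64(digits)), nil)
	n, err := rand.Int(rand.Reader, limit)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("%0*d", digits, n.Int64()), nil
}

// issue stores only the hash of a fresh code and returns the plaintext for
// delivery; a new code replaces any earlier pending one.
func (s *otpStore) issue(user string) (string, error) {
	code, err := generateOTP(otpDigits)
	if err != nil {
		return "", err
	}
	s.pending[user] = &otpRecord{hash: hashOTP(user, code), expires: s.now().Add(otpLifetime)}
	return code, nil
}

// verify checks a submitted code. Expired and locked-out codes are deleted so
// nobody can keep walking the 6-digit space; a correct code is consumed.
func (s *otpStore) verify(user, code string) error {
	rec, ok := s.pending[user]
	if !ok {
		return errNoOTP
	}
	if s.now().After(rec.expires) {
		delete(s.pending, user)
		return errExpired
	}
	if rec.attempts >= otpMaxAttempts {
		delete(s.pending, user)
		return errLockedOut
	}
	rec.attempts++
	if subtle.ConstantTimeCompare([]byte(hashOTP(user, code)), []byte(rec.hash)) != 1 {
		return errWrongCode
	}
	delete(s.pending, user)
	return nil
}

func main() {
	store := newOTPStore()
	code, _ := store.issue("john@example.com") // constructed user
	fmt.Println("send via SMS/email:", code)
	fmt.Println("verify:", store.verify("john@example.com", code))
}
```

The attempt cap matters more than the code length: a six-digit code resists guessing only if the server stops answering after a handful of tries, which is why a locked-out code is deleted rather than left in place.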

Authentication with push notifications:

Authentication with push notifications is a mechanism in which the app sends a message to a registered user’s mobile phone (as an alert or pop-up) even when the app is not open. It offers convenience and strengthens security by adding a further factor: a unique ID (a combination of the app and the user’s device) generated by the device’s operating-system push notification service (OSPNS).

Authentication with biometrics:

Authenticating users with biometrics is implemented using the FIDO UAF (Fast Identity Online Universal Authentication Framework) standard. The key aspect of FIDO is that the user is authenticated locally using biometrics (a fingerprint scan, face recognition or voice) that never leave the user’s personal device, which protects applications from phishing, man-in-the-middle and replay attacks.

Authentication with hardware:

In this approach, the user is authenticated with a combination of a hardware token and a physical wearable device (such as the Google one ring) or a smartphone/tablet. While the hardware token provides the user’s credentials to access an online service, the ring or phone validates the user’s identity with a simple tap. The unique cryptographic key generated in the process is stored locally on the device, which protects the user’s identity.
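The three device-based methods above (push approval, FIDO UAF biometrics and the hardware token) share one mechanism: the server sends a fresh challenge, the device signs it with a private key that never leaves the device once the local user check (fingerprint or tap) passes, and the server verifies the signature with the public key registered at enrolment. The Go program below is an added example written for this article, not FIDO Alliance or vendor code; it models that exchange with Ed25519 from the standard library. The origin, user and device identifiers are constructed, and a boolean stands in for the biometric or the tap. Signing the origin the device actually saw is what gives the phishing resistance the FIDO section claims: a response produced on a look-alike site does not verify at the real one.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

var (
	errNoChallenge   = errors.New("no login pending for user")
	errUnknownDevice = errors.New("device not registered")
	errBadSignature  = errors.New("signature does not verify")
	errNotApproved   = errors.New("user did not approve on the device")
)

// authenticator models the user's side (phone secure element or hardware
// token); the private key is generated here and never leaves this struct.
type authenticator struct {
	id   string
	priv ed25519.PrivateKey
}

func newAuthenticator(id string) (*authenticator, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &authenticator{id: id, priv: priv}, nil
}

// signedPayload binds the nonce to origin and user, so a signature made for
// another site or account is useless here.
func signedPayload(origin, user string, nonce []byte) []byte {
	return []byte(origin + "|" + user + "|" + hex.EncodeToString(nonce))
}

// approve is gated by the local user check (fingerprint match or a tap on the
// token, modelled by userPresent). The device signs the challenge together
// with the origin it was actually shown; no secret is transmitted.
func (a *authenticator) approve(origin, user string, nonce []byte, userPresent bool) ([]byte, error) {
	if !userPresent {
		return nil, errNotApproved
	}
	return ed25519.Sign(a.priv, signedPayload(origin, user, nonce)), nil
}

// relyingParty is the server: it holds only public keys from enrolment and
// the nonce of each login in progress.
type relyingParty struct {
	origin  string
	devices map[string]ed25519.PublicKey
	pending map[string][]byte
}

func newRelyingParty(origin string) *relyingParty {
	return &relyingParty{origin: origin, devices: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

// register is enrolment: the device hands over its public key once.
func (rp *relyingParty) register(a *authenticator) {
	rp.devices[a.id] = a.priv.Public().(ed25519.PublicKey)
}

// beginLogin issues a fresh random nonce; delivering it to the phone is the
// push-notification step.
func (rp *relyingParty) beginLogin(user string) ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	rp.pending[user] = nonce
	return nonce, nil
}

// finishLogin verifies the signature over the server's own origin with the
// registered key and consumes the nonce so the response cannot be replayed.
func (rp *relyingParty) finishLogin(user, deviceID string, sig []byte) error {
	nonce, ok := rp.pending[user]
	if !ok {
		return errNoChallenge
	}
	delete(rp.pending, user)
	pub, ok := rp.devices[deviceID]
	if !ok {
		return errUnknownDevice
	}
	if !ed25519.Verify(pub, signedPayload(rp.origin, user, nonce), sig) {
		return errBadSignature
	}
	return nil
}

func main() {
	rp := newRelyingParty("https://app.example") // constructed origin
	phone, _ := newAuthenticator("phone-1")
	rp.register(phone)
	nonce, _ := rp.beginLogin("john")
	sig, _ := phone.approve("https://app.example", "john", nonce, true)
	fmt.Println("genuine login:", rp.finishLogin("john", "phone-1", sig))
}
```

Two properties are worth reading off the code: the server never holds anything that would let an attacker impersonate the user (a stolen database yields public keys only), and a captured response is dead after one use because the nonce is deleted before verification even runs.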

Conclusion

Taking MFA to another level, modern businesses are implementing risk-based authentication (RBA), in which the required authentication factors change according to the user’s geographical location, time of login, device and so on, which makes them impossible to crack. Enterprises have also started implementing stringent trust-elevation mechanisms, granting access only to trusted devices and users, to mitigate the risk of false identity assertions. Apart from enhanced security, password-less authentication provides a better user experience: users no longer need to remember passwords and can quickly gain access to the information they need.
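To make the risk-based and trust-elevation ideas concrete, here is an added example (written for this article, not any vendor’s RBA engine) in Go: the server scores a login attempt against the user’s learned baseline (known devices, usual countries, active hours, last country seen) and maps the score to an action, so a trusted device logs in without friction, an unrecognised device is asked for a second factor, and a combination of signals such as impossible travel and a bad-reputation source address is blocked. The profile, the attempts, the weights and the thresholds are all constructed for illustration; a real deployment tunes them from its own login telemetry, and the `reasons` list is what you would write to the audit log.

```go
package main

import "fmt"

// userProfile is the behavioural baseline learned for one user.
type userProfile struct {
	knownDevices   map[string]bool
	usualCountries map[string]bool
	activeHoursUTC [2]int // logins normally fall in [start, end)
	lastCountry    string // country of the previous successful login
}

// loginAttempt is what the server can observe about the current request.
type loginAttempt struct {
	deviceID        string
	country         string
	hourUTC         int
	hoursSinceLast  float64 // hours since the previous successful login
	badIPReputation bool    // assumed input, e.g. from a threat-intel feed
}

// Weights and thresholds are assumptions for illustration.
const (
	wNewDevice        = 30
	wUnusualCountry   = 40
	wOffHours         = 15
	wImpossibleTravel = 40
	wBadIP            = 50
	thresholdStepUp   = 20 // at or above: require a second factor
	thresholdDeny     = 80 // at or above: block the attempt and alert
)

type decision struct {
	score   int
	action  string   // "allow", "step_up" or "deny"
	reasons []string // for the audit log
}

// assessRisk scores the attempt against the profile and maps the score to
// the action the login flow must take.
func assessRisk(p userProfile, a loginAttempt) decision {
	d := decision{}
	add := func(w int, why string) {
		d.score += w
		d.reasons = append(d.reasons, why)
	}
	if !p.knownDevices[a.deviceID] {
		add(wNewDevice, "unrecognised device")
	}
	if !p.usualCountries[a.country] {
		add(wUnusualCountry, "login from unusual country")
	}
	if a.hourUTC < p.activeHoursUTC[0] || a.hourUTC >= p.activeHoursUTC[1] {
		add(wOffHours, "login outside usual hours")
	}
	if a.country != p.lastCountry && a.hoursSinceLast < 2 {
		add(wImpossibleTravel, "country changed too fast since last login")
	}
	if a.badIPReputation {
		add(wBadIP, "source IP has bad reputation")
	}
	switch {
	case d.score >= thresholdDeny:
		d.action = "deny"
	case d.score >= thresholdStepUp:
		d.action = "step_up"
	default:
		d.action = "allow"
	}
	return d
}

func main() {
	// Constructed baseline and attempts, not real telemetry.
	john := userProfile{
		knownDevices:   map[string]bool{"phone-1": true},
		usualCountries: map[string]bool{"IN": true},
		activeHoursUTC: [2]int{3, 16},
		lastCountry:    "IN",
	}
	attempts := []loginAttempt{
		{deviceID: "phone-1", country: "IN", hourUTC: 9, hoursSinceLast: 20},
		{deviceID: "laptop-new", country: "IN", hourUTC: 9, hoursSinceLast: 20},
		{deviceID: "unknown", country: "FR", hourUTC: 1, hoursSinceLast: 0.5, badIPReputation: true},
	}
	for _, a := range attempts {
		d := assessRisk(john, a)
		fmt.Printf("%-10s %s score=%3d action=%-7s %v\n", a.deviceID, a.country, d.score, d.action, d.reasons)
	}
}
```

The step-up branch is where the methods described earlier plug in: a "step_up" decision is what triggers the OTP, push approval or device-key challenge, while "allow" lets a trusted device in on its device key alone.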