Future of Authentication

Overview

Most of us directly relate authentication with passwords. And this is rightfully so, since most of our interactions for authentication are based on a password. Passwords came into existence around 1961 at the Massachusetts Institute of Technology (MIT) for use with the Compatible Time Sharing System (CTSS). CTSS allowed multiple users to work with the system simultaneously. It used simple passwords that were stored unprotected. The system was hacked the next year, when someone managed to print a list of the passwords for all accounts on the system. This allowed that user to infringe on the time-share of other users. So much for password based security right from the early days.

Current state

We have come a long way since then. Fast forward 50+ years and we are now equipped with sophisticated authentication technologies: Multi-factor authentication (MFA), Risk-Based Authentication (RBA), Context-aware authentication, One-Time Passwords (OTP), password complexity and history rules, etc. Along the way, a lot of related aspects of cryptography (especially hashing and encryption) have also gotten much better. However, the friction in user experience around authentication has not gone away. Though newer techniques like MFA provide a higher level of security, they also add friction (read as “bad user experience”). Consequently, MFA has been coupled with RBA to limit the friction to high-risk scenarios.

What’s next

It is important to note that along this journey, authentication has mainly remained an “explicit interaction” affair, i.e. the user needs to consciously and explicitly authenticate to the system. Over the years, we have also seen the need for the user to be re-authenticated periodically. For example, after some period of user inactivity in the system, the user is prompted to re-authenticate. This is typically called an “Idle Session Timeout”. In this scenario the user needs to explicitly authenticate again after the session times out.

When the user initially authenticates, the confidence in that authentication is quite high. However, as the duration of the session increases, that confidence decays. For example, the user may step away from the desktop briefly and someone else can take over the session.

In the future, this need to explicitly re-authenticate will largely go away. This type of authentication is called Continuous Authentication or Non-intrusive Authentication. Continuous authentication is centered on unique human behaviors. Different patterns can be tracked, like keystroke dynamics, touch and mouse motion, etc. These are compared with similar patterns captured earlier from the same user to identify the user.

Continuous authentication systems employ Machine Learning to learn the user’s behavior and leverage these learnings to ascertain the user’s identity. If the pattern deviates, the system prompts for traditional authentication (like PIN, face, fingerprint, etc.). However, if the pattern is consistent with earlier learnings, the system does not prompt for authentication again.

Mobile devices have proliferated to a very large extent. Most devices today contain a bunch of sensors: touch screens with sensors, cameras, microphones, a built-in accelerometer and gyroscope, etc. The data from each of these sensors can be utilized and patterns inferred. For example, gait dynamics can be learned using the built-in accelerometer and gyroscope. Similarly, the touch sensors can be used to determine swipe patterns and force patterns on the screen. These patterns can be learned and are unique to individuals. By applying behavior learning to data from multiple sensors, a Unique Behavior-based Profile can be created for a user. If the user’s actions deviate from the unique behavior-based profile, the system will request explicit authentication.
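To make the two ideas above concrete, the decay of authentication confidence over an idle session and the comparison of fresh behavioral samples against a learned profile, here is an added Python example. It is not code from the article or from any product; it models a session as a confidence value that decays with idle time, is refreshed by behavioral samples consistent with the user’s enrolled profile, and falls toward an explicit step-up prompt when samples deviate. The feature names (dwell_ms, flight_ms, swipe_px_s), the thresholds, the half-life and every sample number are constructed assumptions; a real system would learn far richer features than three per-session averages.

```python
"""Toy continuous-authentication session monitor.

Added example, not from the original article. The feature names and all
numbers below are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed enrollment data: per-session averages of three behavioral
# features (key hold time, time between keys, swipe speed) for one user.
ENROLLMENT = [
    {"dwell_ms": 96, "flight_ms": 180, "swipe_px_s": 780},
    {"dwell_ms": 104, "flight_ms": 200, "swipe_px_s": 820},
    {"dwell_ms": 96, "flight_ms": 180, "swipe_px_s": 780},
    {"dwell_ms": 104, "flight_ms": 200, "swipe_px_s": 820},
]
GENUINE_SAMPLE = {"dwell_ms": 104, "flight_ms": 200, "swipe_px_s": 820}   # 1 sd off on each feature
IMPOSTOR_SAMPLE = {"dwell_ms": 140, "flight_ms": 260, "swipe_px_s": 500}  # far outside the baseline


@dataclass
class BehaviorProfile:
    """Per-user baseline: mean and standard deviation of each feature."""
    means: dict
    stdevs: dict


def build_profile(samples):
    """Learn the behavior-based profile from enrollment samples."""
    features = samples[0].keys()
    means = {f: mean(s[f] for s in samples) for f in features}
    # Floor the stdev so a perfectly constant feature cannot divide by zero.
    stdevs = {f: max(pstdev([s[f] for s in samples]), 1e-6) for f in features}
    return BehaviorProfile(means, stdevs)


def deviation_score(profile, sample):
    """Mean absolute z-score across features: 0 means identical to the baseline."""
    zs = [abs(sample[f] - profile.means[f]) / profile.stdevs[f] for f in profile.means]
    return sum(zs) / len(zs)


class SessionMonitor:
    """Tracks confidence that the person at the device is the enrolled user."""

    def __init__(self, profile, threshold=0.6, half_life_s=600.0,
                 z_tolerance=3.0, alpha=0.5):
        self.profile = profile
        self.threshold = threshold      # below this, ask for PIN/face/fingerprint
        self.half_life_s = half_life_s  # idle time after which confidence halves
        self.z_tolerance = z_tolerance  # deviation (in sd) treated as a complete mismatch
        self.alpha = alpha              # weight given to the newest behavioral sample
        self.confidence = 0.0
        self.last_seen = 0.0

    def explicit_auth(self, now):
        """A successful traditional authentication restores full confidence."""
        self.confidence = 1.0
        self.last_seen = now

    def _decay(self, now):
        # Confidence decays with idle time: the longer since the last evidence
        # of the user, the more likely someone else has taken over the session.
        idle = max(0.0, now - self.last_seen)
        self.confidence *= 0.5 ** (idle / self.half_life_s)
        self.last_seen = now

    def _decide(self):
        return "allow" if self.confidence >= self.threshold else "step_up"

    def observe(self, sample, now):
        """Ingest one behavioral sample and return 'allow' or 'step_up'."""
        self._decay(now)
        match = max(0.0, 1.0 - deviation_score(self.profile, sample) / self.z_tolerance)
        # Consistent behavior pulls confidence up without any prompt;
        # deviating behavior pulls it down toward an explicit check.
        self.confidence = self.alpha * match + (1.0 - self.alpha) * self.confidence
        return self._decide()

    def check_idle(self, now):
        """Decision when no behavioral sample has arrived (the idle-timeout case)."""
        self._decay(now)
        return self._decide()


def run_demo():
    """Scripted session; returns the list of decisions taken."""
    monitor = SessionMonitor(build_profile(ENROLLMENT))
    monitor.explicit_auth(now=0)
    decisions = [
        monitor.observe(GENUINE_SAMPLE, now=10),   # own behavior: no prompt
        monitor.observe(GENUINE_SAMPLE, now=20),
        monitor.observe(IMPOSTOR_SAMPLE, now=30),  # someone else took over: step up
    ]
    monitor.explicit_auth(now=30)
    decisions.append(monitor.check_idle(now=1230))  # two half-lives idle: step up
    return decisions


if __name__ == "__main__":
    print(run_demo())
```

The `alpha` and `threshold` parameters set the trade-off the article describes: a large `alpha` with a high threshold reacts to a single deviating sample (fewer missed takeovers, more spurious prompts), while smaller values smooth over occasional odd keystrokes at the cost of reacting later. The z-score baseline is only a stand-in for the machine-learned profile the article refers to; the decay-plus-refresh structure is what carries over.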

Most of these systems are fairly new and still in research. However, as the precision of the Unique Behavior-based Profile increases, continuous authentication will see adoption in the enterprise in the near future.

Comments 1

Preetam

May 25, 2017

Excellent article Paresh. Continuous authentication will prove to be an important feature for the evolving IoT world.