More Than Words

⬑ New security authentication will make passwords obsolete

Illustration by Thomas Hedger

Once upon a time, internet users were told that the key to security was using a complicated password with special characters that nobody could guess. Those passwords served as the first line of cyber defense for everything from email to online shopping and bank accounts; they were the primary way to authenticate users and keep online data from falling into the wrong hands, and they remain one of the go-to methods today.

But it turns out that passwords are not fail-safe.

By now, more than half of American adults have had their personal information compromised by a data breach. The targets of such hacks include credit-reporting agencies and ride-hailing apps—and even 21.5 million people who submitted to a government background check.

“At least in the U.S., we have to assume that essentially all of our information is available,” says Ravi Srinivasan, vice president of product management at IBM Security, “from our social security numbers to our usernames and passwords.”

For businesses and consumers, the need for user authentication systems that go beyond passwords is urgent. In fact, a recent study from IBM found that consumers ranked security as a top priority over convenience when it came to logging into the majority of the apps they use regularly for activities like banking, shopping, and emailing.

And while there are many new techniques already in use—like two-factor authentication and facial recognition—IBM security experts and others are working on creative, even unexpected methods that are not only more secure than today’s password-based models but easier to use, too.

Balancing Security and Convenience ⬎

Current security systems tend to rely on a now-familiar, password-plus heuristic for making sure that users are genuine: They ask for something you know, like a password or a security question; something you have, which could be a two-factor authentication code or a certificate from your mobile device; and something you are, such as biometric information like a fingerprint or a face scan.

“They literally had 10 different types of authentication mechanisms strung together because they kept adding and adding.”
Sridhar Muppidi, chief technology officer for Cloud Security, Identity, and Access Management at IBM Security

Although each successive approach has proven more secure than the last, they all have flaws. Passwords are easy to steal, and most people don’t take basic precautions such as using different passwords for each account. As for two-factor authentication, hackers can do online research to learn enough about a target that they can use social engineering to fool telecom providers into switching the target’s mobile account to another device, thus receiving two-factor codes via SMS text messages.

And though fingerprints and other biometric sensors provide a technological hurdle casual hackers cannot overcome, a hacking club in Germany proved a popular phone’s fingerprint sensors were vulnerable by capturing a user’s fingerprint elsewhere and reproducing it for use on the device.

Current authentication systems are also inconvenient to end users. Most bank websites and other hyper-secure institutions don’t depend on just one of these methods. Instead, they use a slew of authentication protocols, which often asks too much of their customers.

Sridhar Muppidi, chief technology officer for Cloud Security, Identity, and Access Management at IBM Security, recently met with a large bank about its online security protocol. “They literally had 10 different types of authentication mechanisms strung together because they kept adding and adding,” he says. So not only did users have to type in their username and password, but also they had to complete two or more other measures that included verifying a predetermined photo, responding to a push notification on their mobile device, and offering fingerprint confirmation.

Though security is reportedly becoming a greater priority for consumers, IBM’s study found that many people would still be willing to trade security for convenience if it would save them even a few seconds. Young adults are particularly likely to demand a more convenient experience, with nearly half of those under the age of 35 saying they would use a less secure method if it would save them between 1 and 10 seconds.

As a result, many customers are “probably going to say this is way too hard after one or two steps,” says Muppidi.

Contextual Authentication ⬎

Fortunately, we won’t always have to choose between unsafe and unusable. As mobile devices get more advanced and machine learning more powerful, robust security screenings will be smarter, more effective, and conducted in ways that are almost imperceptible.

For example, what if a device could evaluate not only your password but the way you type it—to ensure that you are, in fact, you?

It sounds a bit like science fiction, but Muppidi explains that it might one day be reality. “I tend to use my thumb in a certain way for a space, right?” he says. “My wife uses it in a different way. And I tend to use the left shift key more than somebody else may.

Instead of a password, users one day might be asked to present a passphrase.

“So, these patterns—the time we’ve been depressing [the key], the number of times you make a mistake by typing ahead and backspacing—all of those are factored in”—that is, factored into the algorithm of a future authentication system, which then would generate a score about how likely it is that you are the one typing your password.

Muppidi and his team also are exploring authentication approaches that evaluate the way you hold your phone and move your mouse. Just by studying how you play a game of solitaire, they can learn enough about the way you interact with a computer to uniquely identify you as a user. “Even if you had access to my laptop and moved the deck of cards,” Muppidi says, “it’ll know that it’s not me.”

Tomorrow’s passwords might also function very differently thanks to blockchain, a record-keeping system originally designed for Bitcoin but widely believed to have applications far beyond digital currency. Instead of a password, users one day might be asked to present a passphrase, for which each of the 10 words is stored across 10 servers. At any given log-in, a user might have to present 5 of those 10 words. So, the customer’s risk is minimized, even if one of those servers is compromised.

Muppidi predicts that digital security will increasingly work like a big funnel that collects all the context of your log-in attempt. Who are you? Where are you? What website are you trying to access and why? What kind of transaction are you trying to complete? Are you coming in from a mobile device that is more likely to have malware on it—or from a laptop, which tends to be more secure?

Based on all of this information, an algorithm will decide the likelihood that you are truly you. If you just want to check your bank account balance, it won’t have to be very sure of your identity. A lower score will do. But if you want to transfer money, the algorithm will go through every check without you even noticing.

In the future, secure authentication will hinge on understanding that there’s far more to users than their passwords and the names of their favorite pets.