A new approach to authentication beckons

Oct. 22, 2015
The power to secure tomorrow's connections is in your hands

As we go about our business in today’s hyper-connected world, it seems we need to use a key, entry code, or password every few minutes. Whether it’s a website, mobile app, laptop, car, hotel door lock, retail kiosk, ATM, or video game console, security is essential to all networked systems.

For most of us, finding our car keys in the morning is a daily challenge. How are we supposed to participate responsibly in a deeply connected, password-protected society without driving ourselves crazy?

In the end, most of us feel inconvenienced by multiple logins. According to a recent LaunchKey survey, 46 percent of respondents claim they manage more than 10 passwords. As a result, we aren’t very responsible about it at all—we reuse the same password for multiple accounts (68 percent admitted to doing this), share them (27 percent confessed) and forget them or write them down (77 percent do this). Each one of these entirely relatable workarounds essentially voids any protection offered by the password, and most of us do more than one of these things at a time.  

When authentication fails and virtual or physical access is improperly obtained, the resulting security gaps have tangible effects including stolen identities, fraudulent transactions, intellectual property theft, data manipulation, network attacks, and state-sponsored espionage. These consequences have the potential to cost companies millions of dollars, ruin the reputations of individuals and brands, and disrupt the course of business and service delivery.

Authentication in the Internet of Things Age

Traditional forms of authentication were never meant for the deeply networked landscape we live and work in today. Let’s be honest, a memorized password was never an elegant solution, and human behavior compounds the issues, especially when we need to remember more than one. The first passwords were adequate authentication solutions only because the systems they secured were isolated. Unfortunately, the methods we used in the early days of the personal computing revolution to secure isolated systems persisted and were used as the foundation for authentication in the Internet Age.

The Internet has been ingrained in global culture and commerce to such a profound degree that every day, the risks and impacts created by improper authentication increase. As the Internet of Everything—that is, the millions or billions of devices, sensors, and systems that will connect to the Internet—proliferates all around us, the need for secure authentication becomes exponentially more urgent. The landscape is changing under our feet, but we can’t afford to wait and see how it all plays out.

Security breaches directly related to stolen passwords and bypassed authentications continually increase in volume, frequency, and sophistication—and the consequences of data breaches are intensifying apace. Further compounding these issues, cybercriminals have learned to leverage data and techniques from past breaches, rendering subsequent attacks stealthier, more widespread, and more damaging.

A new approach to authentication and authorization is required to face a new generation of security challenges. 

Passwords are Part of the Problem

It’s not just that we use and manage passwords incorrectly, though we have certainly found that we cannot rely on users to keep our networks safe. The real problem is that passwords are fundamentally insecure and unsustainable, especially for device authentication in the future.

For decades, the primary form of user authentication in networked systems has been the username and password combination. More recently, the concept of strong authentication has become more popular; an additional method of authentication is used on top of the password layer for added assurance and defense. Unfortunately, neither passwords nor alternate authentication built on top of passwords are bulletproof enough for today’s security challenges.

As we begin to consider an Internet of Things (IoT)—a vast universe of connected devices—it’s easy to see how passwords are incompatible with the smart objects that will constitute our future networked world. The in-band, centralized nature of passwords requires that users enter credentials (i.e., username and password or token ID) into the requesting application. However, most devices, such as sensors, door locks, and wearables, don’t include an input mechanism such as a keyboard. This means that authentication must happen out of band: instead of the user supplying the device with credentials, the device must obtain authorization externally, in a decentralized manner.

Time to Embrace a Better Approach

Password-based authentication is no longer capable of meeting the demands of modern security. Passwords are inherently flawed and their efficacy relies too heavily on end users, developers, system administrators, and applications—all of which are vulnerable to a wide variety of attack vectors currently being exploited by cyber criminals and hacktivists around the world.

Traditional strong authentication methods built on top of passwords do not address the liability and risk of the insecure password layer, and their shared-secret architecture (e.g., OTP, where the verifier must hold the same secret as the user’s device) is cryptographically inferior. These outdated methods are vulnerable to many attack vectors and create a cumbersome experience that users dislike and often avoid. Most importantly, none of these methods are compatible with many of the devices and “things” that will require user authentication in the near future but lack the requisite input mechanisms. The ubiquity of smartphones and connectivity, combined with emerging biometrics technology, provides opportunities to reinvent authentication, bringing control and convenience to our fingertips.
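To make the contrast in the two preceding technical passages concrete (the shared-secret OTP layer discussed just above, and the out-of-band, decentralized device authorization described under “Passwords are Part of the Problem”), here is an added Go example. It is not part of the original post and not LaunchKey’s code. It implements RFC 4226 HOTP, where the verifier must hold a copy of the same secret the device holds, next to a public-key challenge-response in which the verifier stores only an Ed25519 public key and the device answers a server-issued random nonce with a signature. The function names are assumptions chosen for the example; the HOTP secret is the published RFC 4226 test-vector key, used here as a constructed sample.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

// HOTP computes an RFC 4226 one-time code: HMAC-SHA1 over the big-endian
// counter, dynamic truncation, then reduction to the requested digit count.
func HOTP(secret []byte, counter uint64, digits int) string {
	var buf [8]byte
	binary.BigEndian.PutUint64(buf[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(buf[:])
	h := mac.Sum(nil)
	offset := h[len(h)-1] & 0x0f
	code := (uint32(h[offset])&0x7f)<<24 |
		uint32(h[offset+1])<<16 |
		uint32(h[offset+2])<<8 |
		uint32(h[offset+3])
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// VerifyHOTP is the shared-secret design: the server must store the very
// same secret the device holds, so the verifier's database is as sensitive
// as the device itself. Comparison is constant-time.
func VerifyHOTP(serverSecret []byte, counter uint64, code string) bool {
	expected := HOTP(serverSecret, counter, len(code))
	return subtle.ConstantTimeCompare([]byte(expected), []byte(code)) == 1
}

// GenerateDeviceKey enrols a device: the private key never leaves the
// device; only the public key is handed to the verifier.
func GenerateDeviceKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// NewChallenge is the server's random nonce, delivered out of band to the
// device (push notification, QR code, etc.) rather than typed in-band.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// SignChallenge is the device proving possession of its private key.
func SignChallenge(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, challenge)
}

// VerifyChallenge is the public-key design: the server checks the signature
// with stored material that can only verify, never produce, a response.
func VerifyChallenge(pub ed25519.PublicKey, challenge, sig []byte) bool {
	return ed25519.Verify(pub, challenge, sig)
}

func main() {
	// Constructed sample: the RFC 4226 test-vector secret, shared by device and server.
	shared := []byte("12345678901234567890")
	fmt.Println("HOTP for counter 0:", HOTP(shared, 0, 6),
		"accepted:", VerifyHOTP(shared, 0, "755224"))

	pub, priv, err := GenerateDeviceKey()
	if err != nil {
		panic(err)
	}
	challenge, err := NewChallenge()
	if err != nil {
		panic(err)
	}
	sig := SignChallenge(priv, challenge)
	fmt.Println("challenge-response accepted:", VerifyChallenge(pub, challenge, sig))

	// What each verifier has to keep: the HOTP secret itself versus a public key.
	fmt.Printf("verifier stores a %d-byte shared secret vs a %d-byte public key\n",
		len(shared), len(pub))
}
```

Two properties fall out of the code. In the shared-secret design, a copy of the verifier’s database is enough to compute every future code, so that database needs the same protection as the password store it was meant to supplement. In the public-key design the verifier’s stored material can only check signatures, and each signature is bound to one server-chosen nonce, so a captured response does not verify against a later challenge.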

There is overwhelming support for eliminating passwords completely—84 percent of our recent survey respondents say “good riddance”—and widespread willingness to adopt a safer, easier system. We all know what’s at stake and welcome better ways to fight cyber-crime and keep the Internet safe for business, fun, learning and connecting with each other.

About the Author: Geoff Sanders is CEO and co-founder of LaunchKey, a cyber-security company specializing in next generation authentication solutions. The third cybersecurity CEO in his family, Geoff is a self-taught full stack developer and designer who has been leading product development and management for more than a decade. Prior to LaunchKey, Geoff ran his own web and application development consultancy after studying electrical engineering at the University of Texas at Austin. Follow Geoff on Twitter at @GeoffSanders. Follow LaunchKey on Twitter at @LaunchKey.