We’ve got a lot of work ahead of us before we solve the issue of asserting a consumer’s true offline identity in online interactions.
Neither the current consumer identity framework (government-issued physical ID) nor the Internet was built for the challenge of identifying people digitally and virtually across the globe. There is promising work being done within the Sovrin Alliance, and within organizations such as Mastercard. Consumers and organizations need a broadly available solution to verify consumer identity before retiring authentication systems that rely on username and password.
Security based on shared secrets
Today’s authentication framework was designed to require the correct exchange of multiple shared secrets (correct username and password), to prove identity and grant access to a remote system or organization. As the username quickly defaulted to the user’s own email address, this left one public data point and one seemingly private one (password) to derive consumer identity from. This worked… until it didn’t.
Most consumers, out of convenience, used the same passwords everywhere. Depending on the study you look at, between 50% and 80% of the population reuse their password on multiple accounts. When computer intrusions led to mass data theft, it became quite clear that a simple username and password was no longer sufficient for authentication.
At this point, most high-value target organizations moved their user authentication to require additional data, such as data known to the consumer (out-of-wallet questions, or information about the consumer that wouldn’t be well known), or single-use passwords created by an app or sent via text message or email. These make it harder, but not impossible, for a bad actor to gain access.
Today there is a large menu of malware and Trojan software for sale that intercepts SMS or email messages carrying one-time codes. The reality remains that multi-factor authentication solutions are patches for an outdated authentication framework in dire need of replacement.
The problem: multiple weak links
People, process, and technology: all three are weak links. We’re working with an authentication framework when we need an identity assertion framework. Because consumers have no way to assert their identity directly, we’ve reverted to easily stolen and reused data points to probabilistically establish human identity and authorization.
Consumers have proven to be poor judges of security risk, and often trade security for convenience without understanding the repercussions of their actions (reusing passwords, using unsafe password managers, or installing unknown or unvetted applications on their devices). Even when they are doing the right thing, social engineering attacks like phishing can take advantage of the most security-conscious consumer.
Companies, in turn, often have vulnerabilities that remote attackers exploit, leading to intrusion, data theft, and the deployment of malicious software on consumer devices, which makes any transaction from those compromised devices potentially unsafe.
Until we have a replacement for user authentication that allows consumers to assert their true identity, we’ll continue to use username-and-password-based solutions, albeit with more features tacked on, such as biometrics.
Passwords are not useless
It is important to keep in mind that the current authentication framework is not completely useless. The act of typing a username and a password, in itself, can generate rich information that can be used to strongly authenticate consumers without employing high-friction and expensive multi-factor authentication systems. For example, passive biometrics technology leverages user interactions and behavior, such as how they type their username and password, to make a risk assessment.
This means that while the password itself is not a reliable indicator of the presence of the legitimate consumer in an interaction, the way it was entered can tell a lot about who’s behind the keyboard. The deployment of physical and passive biometrics, along with behavioral analytics, atop the existing authentication frameworks is showing real results in protecting consumer accounts and organizations relying on username-and-password-based systems. Layering technologies in this way will help ease the dire need to replace the authentication framework, but a replacement is still required.
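To make the passive-biometrics idea above concrete, here is an added toy keystroke-dynamics scorer (my illustration, not code from the author or any vendor product). It assumes the client can report key-down/key-up timestamps while a fixed string is typed; the password text, timing values, thresholds, and the `make_events`, `enroll`, `risk_score`, `looks_automated` and `decide` helpers are all constructed for this example.

```python
# Added example: a toy keystroke-dynamics risk scorer. The signal comes from HOW a
# fixed string is typed (hold and gap times in ms), not from the string itself.
# All timings below are constructed sample data, not real measurements.
from statistics import mean, pstdev

SIGMA_FLOOR = 5.0  # keeps a small enrollment set from producing near-zero std devs

def make_events(keys, dwells, flights):
    """Build (key, down_ms, up_ms) events from per-key hold times and between-key gaps."""
    events, t = [], 0
    for i, k in enumerate(keys):
        down, up = t, t + dwells[i]
        events.append((k, down, up))
        t = up + (flights[i] if i < len(flights) else 0)
    return events

def features(events):
    """Dwell (hold) time per key, followed by flight time from key-up to next key-down."""
    dwell = [up - down for _, down, up in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight

def enroll(samples):
    """Per-feature (mean, stddev) profile built from several enrollment typings."""
    cols = zip(*(features(s) for s in samples))
    return [(mean(c), max(pstdev(c), SIGMA_FLOOR)) for c in cols]

def risk_score(profile, attempt):
    """Mean absolute z-score of an attempt against the profile; higher = less like the enrolled user."""
    return mean(abs(x - m) / s for x, (m, s) in zip(features(attempt), profile))

def looks_automated(attempt, min_jitter_ms=1.0):
    """Humans jitter; perfectly regular hold times point to a script or replayed recording."""
    return pstdev([up - down for _, down, up in attempt]) < min_jitter_ms

def decide(profile, attempt, threshold=2.0):
    """Policy hook: allow silently, or step up to a stronger factor when behavior deviates."""
    if looks_automated(attempt) or risk_score(profile, attempt) > threshold:
        return "step_up"
    return "allow"

KEYS = list("hunter2")  # constructed sample password; only the timing is used
ENROLLMENT = [
    make_events(KEYS, [90, 85, 95, 80, 88, 92, 84], [120, 130, 110, 125, 115, 135]),
    make_events(KEYS, [95, 80, 90, 85, 92, 88, 80], [125, 120, 115, 130, 120, 130]),
    make_events(KEYS, [85, 90, 100, 82, 90, 95, 88], [115, 135, 120, 120, 125, 140]),
]
PROFILE = enroll(ENROLLMENT)
LEGIT = make_events(KEYS, [88, 87, 93, 84, 90, 90, 86], [122, 128, 112, 124, 118, 132])
STRANGER = make_events(KEYS, [60] * 7, [350] * 6)  # knows the password, types it as unfamiliar text
SCRIPT = make_events(KEYS, [90] * 7, [125] * 6)    # credential-stuffing tool with machine-regular timing
```

Note that the script's per-feature z-scores are low, so the jitter check is what catches it; in practice this is one of many signals feeding a risk engine, not a standalone gate.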
By Robert Capps, VP of Marketplace Innovation