
Communications of the ACM

BLOG@CACM

Beyond Passwords: The Path to Stronger Authentication Mechanisms



Password protection remains a widely used method for safeguarding computer and web systems. The technology has undergone extensive development over the years, gaining various enhancements and becoming more user-friendly. However, it is important to acknowledge that passwords have long been identified as one of the weakest links in the security chain. According to Hive Systems, even eight-digit passwords can be cracked in less than an hour. One might wonder whether passwords will continue to have a role in the future and how soon we can expect passwordless authentication to replace them.

Recognizing the risks and vulnerabilities of passwords

The inherent risks associated with passwords stem from their very nature. The need for passwords to be user-friendly and easy to remember often leads to potential compromises. While long and complex passwords can provide high levels of security, the majority of users do not use them.

Significant efforts have been made in recent years to enhance password protection. Various Multi-Factor Authentication (MFA) methods have been introduced, resulting in a substantial increase in the level of protection for individual users. In the corporate sector, however, these advancements have brought organizational challenges, particularly when dealing with a large number of users, often reaching the thousands. It has also been found that many users reuse passwords, which creates a significant risk of data breaches.

The persistent risk of password compromise poses more than just the threat of unauthorized access to corporate systems. Companies face significant reputational and financial consequences, even in cases where only one password is compromised.

Enhancements and challenges in password protection

The development of password protection continues to evolve. One effective measure to enhance its security level has been the implementation of Multi-Factor Authentication (MFA) technology. Despite Microsoft's report indicating that only 22% of its Azure clients currently utilize this tool, the proliferation of control features has notably contributed to the improvement of reliability and security in the authentication process.

To understand the essence of MFA technology, it is important to differentiate between the various types of factors it employs. These factors can be categorized into several groups.

The first group pertains to the knowledge factor, which comprises secret information that is known solely to the user. This can include passwords, PIN codes, code words, secret questions, and their corresponding answers.

The second group is associated with utilizing the ownership factor, which involves verifying whether the user possesses a specific physical device. This can be a hardware token, a smart card, or a smartphone. These devices generate One-Time Passwords (OTP) or access codes, which function as a "second password" when entered during the authentication process.

Lastly, there is the third group, which encompasses the factors of personal inalienability (commonly called the inherence factor). This includes a wide range of biometric data, such as fingerprints, retinas, face or voice recognition, as well as verification of features that are hard to falsify, like typing speed or the dynamics of finger movements across a screen.


Biometrics should be approached carefully. One of the biggest problems of biometric authentication is the inability to change biometric traits if compromised, making it a significant concern. Once a biometric characteristic is compromised, individuals cannot replace or update it like they can with passwords or PINs.

The introduction of supplementary security mechanisms has resulted in additional expenses for companies. They are now required to invest in supporting tools. Password management processes have become notably more complex, particularly for organizations with a geographically dispersed structure operating both in the cloud and locally.

2FA vs. MFA

Two-factor authentication has long been in use, for example in electronic systems. Its name reflects the fact that the credentials provided must belong to two different groups, for instance entering a password and then a code received via SMS.

Multi-factor authentication covers a broader set of features. Most often, these features are associated with biometric technologies, including fingerprint scanning, face recognition, biometric sensors that read data from smart devices, and the analysis of unique tactile features of individuals, such as keystroke rhythm, mouse movement dynamics, screen swipe gestures, and more.

New technologies

Recently, new authentication technologies have emerged, including the growing popularity of OneSpan's visual cryptographic authentication code. This code resembles a QR code with a distinct color structure. Users simply need to scan it using the camera on their pre-registered smartphone. The automated verification process considers the device's internal features, ensuring better security.

Google Authenticator and similar tools are also gaining traction in the authentication landscape. These applications generate one-time login PINs with a brief lifespan, typically lasting no longer than 60 seconds. The PIN changes continually and is bound to a specific online portal. Importantly, this token cannot be read automatically by the system; it can only be observed visually by the user.

Passwordless authentication

The shift toward a hybrid work model has led to the emergence of passwordless authentication. This transition was prompted by the challenges of managing password security with widespread remote access to corporate systems.

Traditional Multi-Factor Authentication systems still rely on passwords in the authentication process, and the vulnerability of passwords does increase during remote work scenarios. In this situation, the only viable solution is to eliminate the reliance on passwords completely. Microsoft, in particular, has reached this conclusion. The rapid expansion of the shadow market for trading compromised passwords during the "pandemic era" has further fueled this decision.

Furthermore, the widespread adoption of Trusted Platform Modules (TPM) has provided an additional impetus for the advancement of passwordless authentication. With the collaboration of hardware vendors and support from Microsoft, TPM modules have become the de facto standard for equipping Windows laptops and computers. The demand for TPMs is increasing. This chip is no longer limited to authentication purposes alone; it is now also used for diagnostic certification, attesting that the device is ready for operation.

Final thoughts

Passwordless security technology represents an evolutionary step in Multi-Factor Authentication, eliminating the need for passwords. This advancement liberates companies from the responsibility of managing password and hash databases, as well as the need to oversee proper password processing procedures.

One of the key advantages of passwordless authentication systems is that they do not store data that, if stolen, could grant attackers access to corporate systems. This significantly reduces the risk of hacking incidents. Additionally, passwordless authentication systems are often praised for their simplicity and user-friendliness, making the authentication process more straightforward and convenient.

Alex Vakulov is a cybersecurity researcher with over 20 years of experience in malware analysis and strong malware removal skills.
