Strong Authentication in Consumer World – The Time Is Now

Strong Authentication in Consumer World – The Time Is Now

Written By: Piyush Bhatnagar

TREMENDOUS GROWTH

Last 20 years have seen a tremendous growth in technology and computing. What used to be experimental technology for the selected few to try and admire, is now mainstream. Most people today have Internet access and have online accounts to multiple service providers. Many have more than one email account and access online bank accounts. Today existing worldwide emails exceed 3.5 billion in number with over 150 Billion email messages sent across each day. This unprecedented growth of the Internet has spurred demand for secure, convenient, and private access to the Internet, both for consumers as well as corporate entities.  The ubiquitous access to online resources has also led to identity theft and billions of dollars of loss to consumers and corporations.

Image

According to Symantec, over 70% of these emails are spam and according to Dr Dobbs, about 500 million of these emails per day are phishing attempts. Last year alone there were 11.1 million Americans who were victims of identity theft leading to more than $54 billion dollar in losses, which was an increase of 34% from the previous year. A large part of this increase is due to online fraud. Besides the monetary loss, consumers lose confidence and are less likely to conduct online transactions.

There is an increasing threat of ID theft and various forms of cyber attacks, which lead to loss of billions of dollars and loss in consumer confidence. Businesses are losing money due to fraud.

SIMPLE PASSWORDS NOT SAFE ANYMORE

Password based authentication is used to verify user identity prior to granting access to specific computer, network, or Internet services and has been the primary means of authentication mechanism since the beginning of the internet. Passwords are very convenient to use, but in today’s world they give a false sense of security and they no longer provide adequate protection from hackers. Passwords can be compromised. Since most people pick passwords that are easy to remember, they are easy to guess as well. Even if the user has picked a complex enough password, programs like keystroke loggers, stealthily installed on user machines by Hackers have been used to steal/break passwords. In addition, users often write passwords down in a notebook or save them into files on their computers on in the cloud, making them vulnerable. Many users also have a tendency to use the same password for as many accounts as possible so that they don’t have to remember many passwords. In such cases, if one account is hacked/breached, all accounts become vulnerable.

Off late a number of password management solutions have come up. A password manager is software that helps users manage their user ids and passwords for various accounts. Most password managers though are glorified form fillers. They manage your accounts in separate application that works with browsers and fills up the login/password automatically or on demand. Portability of the accounts can be an issue as well. Some work with cloud technology and store password in the cloud, which exposes it to potential security breaches as well. Although the password managers make password management easier, they still do not enhance the security of online accounts.

STRONG AUTHENTICATION

Multi-factor authentication requires the use of two ore more of the following three authentication factors:

  • Something you know (examples: password, PIN, pattern, gesture)
  • Something you have (examples: smart card, mobile phone)
  • Something you are (examples: biometric characteristics such as fingerprint, voice match, face match).

To mitigate the risk of ever increasing thefts and breaches, corporate world has adopted strong authentication and almost all enterprises use some form of multi-factor authentication. These mechanisms are inherently more secure but are prone to high Total Cost of Ownership and are limited to enterprises in use.

Despite many attempts to bring strong authentication to mass market, it has failed to capture the imagination of the users. Companies like Google, Yahoo and Facebook have introduced soft tokens and SMS based OTP delivery mechanisms, but these techniques are vulnerable to man-in-the-middle and man-in-the-browser attacks as well have more complex usage models thereby slowing down the adoption rate. Due to a more complex use model, for now, the use of MFA is restricted to password resets and periodic verification only.

The biggest stumbling block for mass adoption of multi factor authentication in consumer space is the ease of use and most sites today continue to rely on simple password based authentication.

CONCLUSION

For any authentication solution to be acceptable by the masses it must be easy to use as well as easy to deploy, how so ever strong and secure it may be.  In addition the solution should be flexible enough to work with multiple online service in a seamless manner without a forklift upgrade or major rework on each of the online services. If any solution increases the complexity of the user experience; it will not get a wide enough adoption for it to be economically viable.

With increasing complexity, maturity and sophistication of attack tools and methods available to the hacker, as well as growing adoption of cloud services necessitate the need for use of strong authentication as the mechanism for user authentication in consumer space.  The time is now.

This article appeared in print and online versions of September 2013 issue of Silicon India

About the Author

Piyush Bhatnagar

Piyush is the Chief Technology Officer and Founder at Authomate. Piyush founded the company in 2012 to simplify online security and bring strong authentication to every aspect of life without any added complexity. His responsibilities as CTO include leading innovation, developing product vision and product development.

Piyush is a seasoned technology executive, entrepreneur and consultant with experience in technology development and management. During his 25 year career prior to starting Authomate, he worked for defense, information technology, and network security companies, where he built an extensive resume managing global software teams and executing product strategy.

View all posts by Piyush Bhatnagar

Leave a Reply