International. Successfully logging in using a password no longer guarantees legitimate access to a sensitive system and accounts. This is why Appgate, a company specialized in cybersecurity, explained the importance of implementing secure authentications to protect against digital threats.
The number of exposed credentials has increased by 300% since 2018, according to data from Security Magazine, and that growth has exposed that user keys and passwords are an ineffective method as secure authentication. However, the vast majority of organizations continue to bet on this model.
The first thing to be clear about is that each authentication factor has a place within one of these three categories:
Knowledge: This category refers to something that is known. The simplest example is a user's password. However, because it is easy to manipulate these credentials, the knowledge category is the least effective at implementing secure authentication.
Possession: It relates to something that is possessed and is considered a category of strong authentication because it is more difficult to manipulate. That the user must have something physically with them adds a challenge, but it is still not an infallible measure.
Inherent: This is the strongest category of authentication. It's much harder for scammers to replicate human characteristics, so this inherent category becomes a less affordable target for cybercriminals.
"None of these three categories is enough to successfully apply secure authentication, so it is necessary to use at least two models that belong to different categories. Something that the user knows (knowledge) combined with something that is (inherent), protects more efficiently," explains David López, vice president of sales for Latin America at Appgate.
Each authentication factor has its advantages and disadvantages. Appgate then presents an overview of the evolution of authentication.
● The first password-based system was created in the early 60s at MIT, which means that the password is more than five decades old and even back then, it was also not secure. Although they are easy to install and are cost-effective, they end up being a weak authentication factor and easy to breach.
● Hard tokens were first patented in the late 80s. They provided a one-time password and displayed a random number that changed periodically. Although the unique numerical code changes with frequency and makes it difficult to manipulate, it is an outdated system that has been replaced by much more accessible smart devices.
● Device recognition: Cookies were created in the late 90s and became commonplace in the early 2000s. They were the first example of large-scale device recognition. This technology has evolved and improved by incorporating various methods that are constantly updated, however, fraudulent actors can access a device remotely using a Remote Access Trojan (RAT).
● SMS: They were widely used in the early 2000s and marked the beginning of the distribution of passwords to phones in general. It's a simple way to implement a secure authentication system. However, it turns out to be an inconvenience for users who have lost their device, or who no longer have access to the registered phone number.
● Push: Blackberry was the first to use push notifications, but Google and Apple took it upon themselves to generalize them in 2009 and 2010. This factor presents a pop-up message on a mobile device allowing the user to accept or reject a transaction or login attempt. It is a very secure method as it is reinforced at the device level, but it depends on the user having access to the device originally registered in the account.
● Fingerprint biometrics: Apple's touch ID popularized fingerprint biometrics in 2013. This method simply requires the thumbprint of the registered user to confirm their identity, which makes it difficult for a scammer to replicate.
● QR authentication: The WhatsApp website launched QR authentication in 2015. QR codes offer a secure way of authentication, providing each user with a unique code. It is a fast, convenient and very secure form of authentication, but it can only be used in out-of-band processes.
● Facial Biometrics: Apple's Face ID was one of the first examples of facial biometrics for authenticating users. Among the disadvantages is that it depends on the lighting and the angle of the user's face and can also be intercepted by a photo or video of the user.
"It will be interesting to see how the various authentication systems continue to evolve. Biometrics is likely to be the way of the future and will eliminate passwords altogether. Data and context analysis based on the user's usual behavior provide a broader view, so they are a challenge for the user without causing problems," says López.
Although many authentication models provide some level of protection, no model is effective enough on its own. That's why it's important to ensure that organizations implement secure authentications using multiple models within different categories.
