Free Your Mind to Multifactor

August 29, 2016
Stephen Cox

Yahoo recently unveiled a new authentication strategy for its suite of products. The scheme allows users to authenticate without a static password, using an “on-demand” password sent to the user’s phone via SMS. In effect, Yahoo is parting ways with the standard password model.

Yahoo’s attention to the topic of authentication is commendable. The topic does not get nearly enough attention from the large internet firms. “Moving beyond the password” has been a desire of the security community for some time, and it’s good to keep the discussion going. However, Yahoo’s approach misses the mark.

The scheme does add some security over a static password, because each generated password is one-time use. If a code is intercepted, it gives an attacker only a short window in which to act on it, and a code cannot be replayed once the user has consumed it. The scheme also neutralizes the tendency of users to reuse the same password across multiple sites. However, it’s important to note that this is still “single-factor” authentication: the only thing being checked is possession of the phone that receives the SMS. If the user’s device is stolen, the thief may be given full access to the account in question.

“Moving beyond the password” does not necessitate doing away with it completely. A two-factor approach combining a strong static password, something the user “knows”, with a personal device, something the user “has”, offers a much greater level of security, because an attacker must compromise both factors rather than either one alone.

When many people think of two-factor authentication, they think of exactly the combination above: a static password plus a PIN code sent to a phone. That doesn’t have to be the case. A factor is a malleable concept. A factor could be a biometric, something the user “is”, such as a fingerprint or facial structure. It can even be a behavior, such as the way the user holds and moves a personal device.

This week also brought another major announcement in the authentication space, with Microsoft announcing Windows Hello. Windows Hello will allow users to authenticate using the combination of a device and a biometric, declaring “system support for biometric authentication – using your face, iris, or fingerprint to unlock your devices.” Microsoft is also expressing the desire to move away from the standard password model, but in a way that better reflects the need for multiple factors.

Abandoning the use of simple passwords as the primary access control measure is imperative. The fact that Yahoo and Microsoft, two very powerful technology companies, are pushing the envelope is encouraging. However, we must innovate in a responsible way, in a way that is increasing overall security without significantly impacting productivity.

The extremely personal nature of the Apple iCloud breach made the general populace more accepting of the use of multiple factors for authentication. It’s important that we continue along that path rather than slide back into simply trading one factor for another.

For more on the topic of innovation in the authentication space, check out the white paper “Preventing Attackers from Getting What They Want”, by SecureAuth CTO Keith Graham.
