The last few years have seen a number of breaches that call into question the traditional password. In no small part due to high profile security compromises like the Ashley Madison and VTech attacks, companies have learned that password-only policies can leave personal information vulnerable. According to our recent Wakefield survey on budgets, passwords and multi-factor authentication, 66% of companies polled have moved beyond a “passwords only” approach.
As businesses call into question the traditional way of doing things, they are also opening the door to previously uncharted authentication territory. Once thought exotic, the use of biometrics to verify identity is becoming mainstream. More and more mobile devices now utilize biometrics, which is also making its way onto prominent consumer products. In fact, our survey participants found biometrics (like facial scans, voice recognition and two-factor authentication) to be the safest authentication offering.
Will businesses continue to shift in the multi-factor direction in 2016? Below, our executives share their opinions about where they see the authentication space headed:
1. The Password
Attitudes towards passwords have changed over time. This assessment is backed up by our survey results, with 91% of cybersecurity professionals stating traditional passwords will not exist in ten years. While we can’t say for sure where the industry will land in ten years, CEO Craig Lund, CTO Keith Graham and Chief Security Architect Stephen Cox do have thoughts on 2016:
We’ll hear more about the ‘death of the password’, and although we’re taking steps in research and innovation to move us away from our love of the password, it’s here to stay throughout 2016. There will be a rise in the use of password managers (think not just secure password storage, but strong password generation) and not just in the enterprise, but for consumers who may not have considered using such a tool. While single sign-on (fronted with adaptive authentication) provides a good balance of risk reduction and usability, we will see a continued rise in password manager adoption as a way of bridging stronger security to those legacy, non-federated enabled apps. – SecureAuth CTO, Keith Graham.
Eliminating passwords is the right thing to do but it’ll be hard to accomplish. There are several good methods to authenticate users today that are secure and cost effective, so over time passwords will go away. It’s already starting to happen. In the meantime, people will start layering additional methods with users’ passwords. – SecureAuth CEO, Craig Lund.
As we saw with some of the high profile breaches in 2015, it is simply too easy for an attacker to compromise credentials and use them to their advantage. However, we should be careful of simply exchanging one single-factor solution for another single-factor solution. We are striving as an industry to support multi-factor solutions that take care not to disrupt user experience. – SecureAuth Chief Security Architect, Stephen Cox.
2. Behavioral Biometrics
Companies wishing to move beyond single-factor authentication have a wealth of alternatives at their disposal. Below, our executives expand on one of the more promising technologies: behavioral biometrics.
In the years to come, biometrics is here to stay. The ease of use of using fingerprint readers on phones is enabling the technology to propel biometrics into the consumer space. Open standards friendly to biometric privacy, such as FIDO, will help adoption. – CEO Craig Lund.
The ability to analyze keystroke dynamics, mouse movements and touch-based interactions with devices will become a technically viable and valuable way to verify the true ownership of credentials. It is also a way of determining a legitimate user who is a threat (vs. an external bad actor who has compromised legitimate credentials). – CTO Keith Graham.
In some ways the leakage of biometric data is worse than other credentials. A password can be changed whereas biometrics are generally immutable and do not change. OPM serves as a stark reminder that we must always use multiple factors of identity to verify users. Technologies that keep biometric profiles “on device” and not in a centralized database will increase in demand. – Chief Security Architect Stephen Cox.
These comments illustrate the considerable benefits of biometrics. We like to think CEOs, CTOs and CISOs are paying attention, especially since recent breaches have highlighted the scale at which data can be compromised. With this in mind, we’re erring on the side of optimism. After all, a combination of tools – with a strong focus on biometrics and multi-factor authentication – can transform the face of security.
In 2016, we see the security landscape trending in the right direction. Executives, realizing the grave repercussions of breaches, will re-strategize budget and priorities to take a proactive approach towards access control. Our CEO puts it best: Security has become a board level discussion. Five years ago it was a nice to have. Today it’s a must have.