Your login credentials have been compromised. Your passwords have been hacked no matter how complex you’ve made them. Two-factor security is temporal, causes high friction and can be easily intercepted during transmission. Current multi-factor authentication (MFA) security lacks context and relies on too few attributes. Your biometrics are binary, and regardless of how safe a fingerprint or retina scan appears to be, it can be spoofed and cannot be reset. And, there are few, if any, solutions that continuously validate your identity post-authentication.
WOW! Is it no wonder Chief Information Security Officers (CISOs) and IT Security professionals are confused when it comes to identity authentication? So, understanding how we got to where we are with authentication solutions may give a glimpse into what is to come.
Passwords Started It All
The use of passwords dates back to ancient times when sentries would challenge those wanting to enter an area or approaching it to supply a password or watchword and would only allow a person or group to pass if they knew the password. So, it stands to reason that as computer applications were developed, the concept of a login and password was the only way to authenticate individual users.
According to Wikipedia:
“Passwords have been used with computers since the earliest days of computing. MIT’s CTSS, one of the first time sharing systems, was introduced in 1961. It had a LOGIN command that requested a user password. After typing PASSWORD, the system turns off the printing mechanism, if possible, so that the user may type in his password with privacy. In the early 1970s, Robert Morris developed a system of storing login passwords in a hashed form as part of the Unix operating system. The system was based on a simulated Hagelin rotor crypto machine, and first appeared in 6th Edition Unix in 1974. A later version of his algorithm, known as crypt, used a 12-bit salt and invoked a modified form of the DES algorithm 25 times to reduce the risk of pre-computed dictionary attacks.”
As you can guess based on all of the news and reports to show the true effectiveness of passwords, they really aren’t that secure a method of authentication. According to the 2018 Verizon Data Breach report:
“Web application attacks, most often using stolen credentials, are a major issue. Employee error is also having an impact—typically due to misconfigured databases or publishing errors. But perhaps the biggest threat you face is from denial of service attacks—they account for 56% of the incidents witnessed in 2017.
Since a single form of authentication based on a password was clearly not strong enough to ensure prevention of credential impersonation or even credential stuffing, the addition of multiple forms of authentication was introduced.
Multi-Factor Authentication Extended Security
Multi-factor authentication is just what is sounds like. According to TechTarget
“Multifactor authentication (MFA) is a security system that requires more than one method of authentication from independent categories of credentials to verify the user’s identity for a login or other transaction.
Multifactor authentication combines two or more independent credentials: what the user knows (password), what the user has (security token) and what the user is (biometric verification). The goal of MFA is to create a layered defense and make it more difficult for an unauthorized person to access a target such as a physical location, computing device, network or database. If one factor is compromised or broken, the attacker still has at least one more barrier to breach before successfully breaking into the target.”
Unfortunately, multi-factor authentication solutions impose significant friction through a variety of temporal (e.g., OTP, captchas, reset links) and binary (e.g., fingerprint) controls that have all still proven ineffective safeguards against credential stuffing and identity spoofing.
As stated earlier, MFA and passwords have inherent flaws that are highly leveraged by cyber criminals. There has to be a better way to authenticate based on individual characteristics that cannot be easily imitated.
Biobehavioral Is Immutable
Acceptto is built on the premise that your credentials today, and those that you’ve yet to create, have already been compromised. Your identity cannot simply be based on a password or a one-time token or only your biometrics. Your immutable identity is a combination of your physical behaviors, attributes and digital DNA. We call it Cognitive Authentication. You can eliminate preventable harm with our Biobehavioral AIML technology that enables frictionless authentication, prevents credentials stuffing instantaneously, ensures your true immutable identity continuously, and dramatically reduces risk, likelihood of fraud and cost of helpdesk operations without the guesswork or latency.
See for yourself what Acceptto can do to ensure your employees, partners and customers can authenticate without passwords and still ensure security and privacy. Register for a free trial today.