Authentication is the act of confirming the identity or credentials of an entity, and it is a critical component of eBusiness. In an online world where privacy and security are paramount, authentication technology has to be sophisticated, tied to the individual and virtually flawless.
Online security and authentication is a growing industry, and it is no longer a product-focused one: according to research firms such as Gartner, SaaS (Security as a Service) is expected to grow exponentially, with many new companies emerging. IDG News reports that cloud security services have a bright future; Gartner valued the industry at 2.1 billion USD in 2013 and expects it to grow to 3.1 billion USD by 2015. Yet this billion-dollar industry is still built on the humble idea that only the right user should be able to access that user's information. As with most things in life, the simplest ideas and problems are made complex by us humans. Internet security and authentication is no different, and on top of being complex, it is old.
The World Wide Web turned 25 on March 12th, and password security is just as old online (and much older in real life). Passwords do offer a minor level of security, and 20 years ago they were a reasonable choice. But times have changed, and with only one update worth mentioning (the launch of the hardware token 19 years ago, in 1995), passwords are still the main way to authenticate and secure a user.
So why aren't more online services using tokens? Probably for several reasons: cost (no one would invest 100 million to mitigate a security flaw whose ongoing cost is only 20 million), logistics (if you don't know who your user is, you can't send them a token), administration (you need to teach users how to use the new technology) and user experience (tokens are inflexible and unintuitive).
Then why can't we just keep using passwords? First of all, they have limitations against technical threats such as Man-in-the-Middle attacks, but their largest problem is human behaviour. People don't do as they are taught, and when they reuse usernames and passwords it is an open door to their online identity. Using the same password on several sites causes problems because not every site is held to the same level of security, and if the password leaks from a weak site it can be used on the sites with a higher level of security.
7 out of 10 online users are careless with their passwords, reports PC for all: according to a study they made in January 2014, 60% say that they change their passwords less than once a year and, alarmingly, 68.7% reuse their passwords across several online services. Adobe, Twitter, Ubisoft and a Chinese mega bank's mobile banking service were hacked because of this behaviour. We can't place the entire responsibility on users; the companies whose services are affected, like the bank mentioned, which lost 50 million RMB (approximately 8 million USD) from victims' accounts, need to address the issue. This is especially true now that technology and authentication have evolved along with human behaviour to span more platforms than ever before, including mobile platforms, whose quick development and focus on intuitive user experience have left security a little behind.
“Mobile fraud is very much like Internet banking fraud 10 years ago” - (SecurityWeek, 24 July 2013).
That statement describes the problem very well: the technology has rushed ahead, enjoying the ride, but the way we secure this evolution is dated and has known flaws. We need to find a way to do BYOD (Bring Your Own Device) securely, since mobile platforms are now more popular than desktop platforms.
One attempt is the FIDO Alliance, which is trying to find a secure way to reuse passwords, but the focus is still on holding the user responsible for knowing about the problem and actively seeking a way to handle it. Most users will probably never give this the time and energy it needs, and therefore password reuse will continue to be a problem.
The simplicity of the idea, the problems with established solutions such as passwords and tokens, and the complexity of new technology have been a great foundation for innovation and creativity, and a totally new playground for IT security vendors. From cryptographic 2FA token products to today's intuitive multi-factor solutions, everything from biometrics (such as fingerprint-based biometric cryptography), image recognition and geofencing to device identification are examples of how far the idea has taken us.
During the RSA Conference in San Francisco this market trend became clearer: two years ago hardware tokens had a stronger grip on the market, and each year you can see the signs of change in everything from the topics discussed to the exhibitors and the solutions launched. 2014 was a year when software, flexibility and cost effectiveness were in focus.
Another observation that indicates this trend is the industry's need to grow: as new platforms and eBusiness keep gaining momentum, so will fraud, and so will the harm fraud does to eBusiness. 1,400 financial institutions were targeted during 2013, and millions of computers were compromised during the same period and used for fraud, according to The Hacker News (Dec 5th 2013); the main targets are U.S. banks, which account for 71.5% of all analysed Trojans.
Financial institutions have been fighting malware for over 10 years, so they know very well the damage that fraud brings. During these 10 years the threats have evolved alongside the attempts to mitigate them, and unfortunately they are often a step ahead of the good guys. An example is JP Morgan Chase, which was hacked and had 465,000 users' data stolen (The Hacker News, Dec 5th).
The conclusion is that we need something more than passwords to meet today's technology needs: something that is a smaller investment than tokens but still intuitive enough to suit human behaviour.