Cloud Security • 10 MIN READ
Beyond Passwords: Exploring Advanced Authentication Methods
by Tim Chambers • Feb 2024
Why New Authentication Methods are Needed
Password manager NordPass has reported that the average person has around 100 passwords across their online and offline accounts. Today, almost everything about a person's life is, in effect, protected by a password.
Over the last 10-15 years, Two-Factor Authentication (2FA) has become far more common, originally using RSA tokens, and later SMS One-Time Passwords (OTPs) and mobile authenticator applications. In theory, 2FA means that discovery of a password alone no longer grants access to sensitive information, because a second, independent factor is required. While this is effective, it has flaws: SMS OTPs can be intercepted (for example, through SIM-swap fraud), and any OTP that a user types into a web page can be relayed in real time by a man-in-the-middle (MITM) phishing proxy, so the second factor only buys time rather than stopping the attack.
To strengthen password-based protection, new methods of authentication have emerged. This article looks at how over-reliance on traditional password protocols led to the development of advanced authentication methods.
Token-Based Authentication & Passwordless Authentication
Hardware tokens are small devices, typically key fobs or USB-stick-sized dongles. RSA SecurID commanded over 70% of the two-factor market in 2003 and was seen as the ultimate step in hardening authentication; tokens became commonplace in the finance and defence sectors. This cornering of the market made a leviathan of RSA, until March 2011, when the company fell victim to a targeted phishing attack: a malicious Excel file carried an embedded Flash object that exploited an unpatched vulnerability in Adobe Flash, after which the Poison Ivy RAT (Remote Access Trojan) was installed to gain persistent access. Because information relating to SecurID was taken, the breach became a supply-chain compromise that impacted several seemingly secure customers.
Afterwards, software tokens and authenticator apps came to the fore. Smartphones and faster mobile data meant that a time-based code generated by a smartphone app, rotating every 30 or 60 seconds, became the modern 'something you have' factor in MFA.
Great work has been done by the FIDO Alliance in creating FIDO2, which lets users authenticate to online services with devices they already own, in both mobile and desktop environments. Pivoting to a decentralised, possession-based credential system means there is no central store of authentication secrets: the service holds only public keys, and the private key never leaves the authenticator. Combined with on-device biometrics to unlock the authenticator, this moves users away from vulnerable SMS OTPs and from Active Directory's gold mine of password hashes in Ntds.dit.
The rise of software tokens, alongside biometrics such as fingerprints, led to the concept of passwordless authentication: MFA without a password as one of the factors.
Challenges and Considerations & Steps for the Future
‘Logging in’ to a computer, a practice that has existed for over 60 years, is now at a crossroads: authentication must get smarter to stay secure. In practice this means comprehensive user training, with a new employee onboarded not with a new password but with a fingerprint enrolment, a mobile phone and perhaps a hardware token. Readers who have spent time on the helpdesk can already foresee the questions that will follow, and will be expected to explain why a new employee cannot log in with the name of their dog followed by the year they were born.
Looking forward, continuous development and innovation in the industry will eventually make the humble password obsolete. Whether iris scans or hardware tokens become the preferred option remains to be seen. One thing is certain: the service desk will still be inundated with authentication issues, but this time they will be tracking down lost hardware tokens and reinstalling authenticator apps.
To learn more about Password Protocols read this blog.