Five or six years ago, authentication was mostly passwords. Fast forward to today and we’re seeing more authentication options and technologies across the board. The FIDO Alliance has seen tremendous global growth, with over 680 certified products in 2019, including top consumer brands and nearly every biometric vendor.
There are many authentication options in the market today divided into various categories. Some of them look more promising than others in terms of security effectiveness and user experience. The market moves fast and many technological changes are expected in the months and years ahead. These are the top 5 categories that we believe enterprise organizations should pay close attention to.
Authentication is the process of determining whether someone is, in fact, who they say they are. Authentication technology provides access control for systems by checking whether a user’s credentials match those stored in a database.
Usually, users are identified by a user ID plus a knowledge authentication factor such as a password. However, since passwords are inherently insecure, authentication has evolved toward the following technologies:
Device biometrics refers to biometric technologies embedded in the endpoint device itself. Today this mainly consists of face recognition cameras and fingerprint scanners available in mobile devices, laptops and desktops. These authentication technologies, despite being relatively secure, reliable and mature, are still not perfect. Nearly everyone has experienced face recognition or fingerprint failures on their devices under various conditions, forcing a fallback to a passcode or another authentication method. Despite these security flaws, device biometrics seems to be the leading password replacement option going forward. Enterprise security and IT professionals should pay close attention to the various changes in APIs and technologies released by each vendor, especially Apple on iOS and macOS, Microsoft and Google.
Voice biometrics is showing interesting potential, especially in voice-first channels such as the call center and voice assistance services. There are various algorithms for detecting and authenticating voice depending on the channel and usage. Attempts to expand voice biometrics to online channels haven’t had much success thus far; however, it does have many important advantages over device biometrics. One example of this is voice authentication using a centralized voice print. As this and other voice biometric technologies become more mature, they will open up new opportunities for organizations to secure their users across multiple devices and channels.
Security keys are hardware devices that can be used as “something you have” to authenticate the user to various online services. This hardware can be dedicated, such as solutions from YubiKey and Google Titan, or could simply be the user’s mobile device itself. Depending on the technology, the hardware can connect using USB, BLE, NFC or Wi-Fi, or display time-based one-time codes (TOTPs) that the user copies from the device. We’re seeing some interesting developments around security keys with the introduction of the FIDO2 CTAP protocols that standardize the connection between security keys and other devices such as desktops and laptops. We’re also noting significant progress in having mobile devices become secure global authenticators.
The way you interact with a device, from the way it’s held to how you type or move a mouse, has been an important area of research for many years. With more sensors available on end devices, combined with progress in profiling and machine learning algorithms, these authentication technologies are becoming more and more accurate. While they’re still not capable of fully authenticating a user with a high degree of accuracy, they can be used to detect suspicious events and behavior that require special attention from security teams. We expect this technology to continue to improve in the future to enable more use cases.
Every device has a set of characteristics and identifiers that can be used to uniquely identify it without any user interaction. Knowing that a device was previously associated with a user can’t guarantee the validity of the user; however, the device can be leveraged as a trusted element for multi-factor authentication when combined with something such as a face or fingerprint scan.
Device identity technologies rely on elements exposed by device manufacturers and web browser application vendors. These can change for many reasons, such as regulatory requirements and advances in endpoint device technologies. Mobile network operators also provide information that can be combined to provide additional layers of identification that further enhance device and ultimately user trust.