INDUSTRY OPINION
When will we get rid of passwords?
Passwords are inconvenient and create numerous security vulnerabilities, so why can’t we just replace them?
By Shuman Ghosemajumder, Global Head of AI at F5
The short answer is that there is no better method. Yet. Companies are beholden to their users, and while most users claim to value security over convenience, their actions speak otherwise. As a case in point, research conducted by Google suggested that even when users have experienced their accounts being taken over, fewer than 10% will adopt multifactor authentication (MFA) because of the associated complexity and friction.1 All authentication is a balance of usability, security, and deployability. To replace passwords, a new solution must equal passwords on all three fronts and exceed them on at least one. Trading off one set of advantages for another will not be enough to incentivise both organisations and users to switch. So, what could we do today to ease the password-driven bottlenecks and edge ever closer to friction-free nirvana?
SECURITY FOCUS AFRICA MAY 2021
A Better MFA
A hypothetical solution to our maximisation problem is invisible multifactor authentication (iMFA). Unlike the MFA solutions of today, which typically rely on a password combined with an SMS or a one-time password via email or a physical token, iMFA would rely on factors that are invisible to the user. Specifically, it would collect and process the maximum number of effort-free signals. Let’s break that down:
• Maximum number. Web authentication is converging on a non-binary authentication model where all available information is considered for each transaction on a best-effort basis. All of the context of a user’s interaction with a website may be used to grant the best visibility into a user’s risk profile.
• Effort-free signal collection and processing. Security should be provided on the backend, so it doesn’t impede customers. By providing security without customer impact, companies may mitigate threats at minimal cost without introducing friction and upsetting users. For example, most email providers have settled for approaches that classify mail based on known patterns of attacker behaviour. These defences are not free or easy to implement, with large web operators often devoting significant resources towards keeping pace with abuse as it evolves. Yet, this cost is typically far less than any approach requiring users to change behaviour.3
iMFA could be implemented with a combination of tools like WebAuthn and behavioural signals.4 The credential storage and user verification may be securely provided by WebAuthn, and the
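To make the "non-binary, best-effort" model above concrete, here is an added illustration (not F5's code, and not from the article) of a backend risk scorer: every context signal that happens to be available for a login attempt contributes to a continuous risk score, signals that are absent are simply skipped, and a separate coverage figure records how much of the evidence was actually observed so that a decision resting on little context is escalated to a step-up rather than silently allowed. The signal names, weights, thresholds and sample sessions are all constructed assumptions for the example; a WebAuthn result is modelled as one strongly negative (risk-reducing) signal, which is where the article's "credential storage and user verification provided by WebAuthn" would plug in.

```python
"""Added example: a non-binary, best-effort risk score built from whatever
context signals are available for a login attempt.

Hypothetical design, not F5's product code. Every signal name, weight and
threshold below is a constructed assumption chosen to illustrate the idea.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Signal weights (assumed). Positive weights add risk; the WebAuthn signal
# is a strong possession + user-verification factor, so it subtracts risk.
WEIGHTS = {
    "new_device": 0.35,         # device fingerprint never seen for this account
    "impossible_travel": 0.40,  # geo-velocity between this and last session
    "ip_reputation": 0.25,      # 0.0 clean .. 1.0 known-bad source
    "typing_rhythm": 0.20,      # 0.0 matches profile .. 1.0 anomalous
    "webauthn_verified": -0.60, # assertion verified with user presence/verification
}


@dataclass
class LoginContext:
    """Context for one authentication attempt.

    None means "this signal was not available for this request"; the scorer
    works on a best-effort basis with whatever is present.
    """
    new_device: Optional[bool] = None
    impossible_travel: Optional[bool] = None
    ip_reputation: Optional[float] = None
    typing_rhythm: Optional[float] = None
    webauthn_verified: Optional[bool] = None


def score(ctx: LoginContext) -> Tuple[float, float]:
    """Return (risk, coverage).

    risk     - weighted sum of observed signals, clamped to [0, 1].
    coverage - fraction of total available weight that was actually
               observed, so callers can tell a confident "low risk" from
               a "low risk because we saw almost nothing".
    """
    risk_sum = 0.0
    observed_weight = 0.0
    total_weight = sum(abs(w) for w in WEIGHTS.values())
    for name, weight in WEIGHTS.items():
        value = getattr(ctx, name)
        if value is None:
            continue  # best effort: skip signals we could not collect
        observed_weight += abs(weight)
        risk_sum += weight * float(value)
    risk = min(1.0, max(0.0, risk_sum))
    return risk, observed_weight / total_weight


def decide(ctx: LoginContext,
           allow_below: float = 0.3,
           deny_at: float = 0.7,
           min_coverage: float = 0.5) -> str:
    """Map the continuous score to an action: allow, step_up or deny.

    A low score only yields "allow" when enough context was observed;
    otherwise the user is asked for an explicit factor (step_up).
    """
    risk, coverage = score(ctx)
    if risk >= deny_at:
        return "deny"
    if risk < allow_below and coverage >= min_coverage:
        return "allow"
    return "step_up"


if __name__ == "__main__":
    # Constructed sample sessions, not real telemetry.
    samples = {
        "known device, clean IP, normal typing": LoginContext(
            new_device=False, impossible_travel=False,
            ip_reputation=0.05, typing_rhythm=0.1),
        "new device + impossible travel": LoginContext(
            new_device=True, impossible_travel=True),
        "new device, nothing else observed": LoginContext(new_device=True),
        "new device but WebAuthn verified": LoginContext(
            new_device=True, webauthn_verified=True, ip_reputation=0.0),
        "no signals at all": LoginContext(),
    }
    for label, ctx in samples.items():
        risk, coverage = score(ctx)
        print(f"{label:40s} risk={risk:.3f} coverage={coverage:.2f} -> {decide(ctx)}")
```

The design choice worth noting is the coverage value: a purely additive score would report "no risk" for a request with no signals at all, which is exactly the case where the backend knows least. Keeping coverage separate lets the policy fall back to a visible factor only when the invisible ones are missing, which is the friction trade-off the article is describing.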
securityfocusafrica.com