Page 26 - EngineerIt April 2021
CYBER SECURITY
When will we get rid of passwords?
By Shuman Ghosemajumder, global head of AI at F5
Passwords are inconvenient and create numerous security vulnerabilities, so why can’t we just replace them?

The short answer is that there’s no better method. Yet. Companies are beholden to their users, and while most users claim to value security over convenience, their actions speak otherwise. As a case in point, research conducted by Google suggested that even when users have experienced their accounts being taken over, fewer than 10% will adopt multi-factor authentication (MFA) because of the associated complexity and friction.

All authentication is a balance of usability, security, and deployability. To replace passwords, a new solution must equal passwords on all three fronts and exceed them on at least one. Trading off one set of advantages for another will not be enough to incentivise both organisations and users to switch. So, what can we do today to ease the password-driven bottlenecks and edge ever closer to friction-free nirvana?
A better MFA
A hypothetical solution to our maximisation problem is invisible multi-factor authentication (iMFA). Unlike the MFA solutions of today, which typically rely on a password combined with an SMS or one-time password via email or a physical token, iMFA would rely on factors that are invisible to the user. Specifically, it would collect and process the maximum number of effort-free signals. Let’s break that down:
• Maximum number: Web authentication is converging on a non-binary authentication model where all available information is considered for each transaction on a best-effort basis. All of the context of a user’s interaction with a website can be used to grant the best visibility into a user’s risk profile.
• Effort-free signal collection and processing: Security should be provided on the backend, so it doesn’t impede customers. By providing security without customer impact, companies can mitigate threats at minimal cost without introducing friction and upsetting users. For example, most email providers have settled for approaches that classify mail based on known patterns of attacker behaviour. These defences are not free or easy to implement, with large web operators often devoting significant resources towards keeping pace with abuse as it evolves. Yet, this cost is typically far less than any approach requiring users to change behaviour.

iMFA could be implemented with a combination of tools like WebAuthn and behavioural signals. The credential storage and user verification can be securely provided by WebAuthn, and the continuous authorisation can be augmented with behavioural signals. The traditional MFA factors - ‘something you know,’ ‘have,’ and ‘are’ - come from WebAuthn, and the newest factor, ‘something you do,’ comes from behavioural signals, including new types of biometrics. Further, generating this variety of signals requires just a single gesture from the user, which is far less effort than entering a password. By combining these methods, and constantly recomputing trust through machine learning, we can achieve the rare simultaneous outcome of increased security with decreased user friction.

An interim solution
But iMFA cannot replace passwords overnight. Change-resistant users will need a gradual transition. Websites will still have to incorporate a solution like WebAuthn into their authentication protocols. Without pressing urgency from a specific security threat, many sites will likely take their time adopting this standard. Furthermore, the integration process for a behemoth like Amazon could be extremely complicated, which is likely why there has been initial support from browser companies but not from e-commerce companies or social media sites.
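As an added illustration of the non-binary, best-effort model and the WebAuthn-plus-behaviour combination described in the iMFA section above (example code, not from the article or from F5): a trust score is recomputed for every transaction from whatever signals happen to be present, and the user is asked for a visible step-up factor only when the silent evidence falls short. The signal names, weights and thresholds are assumptions chosen for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed example of the iMFA idea: a non-binary, best-effort trust score
# recomputed for every transaction. Signal names, weights and thresholds are
# illustrative assumptions, not part of WebAuthn or of any product.


@dataclass
class AuthContext:
    """Signals available for one transaction; None means the signal was not collected."""
    webauthn_verified: Optional[bool] = None  # assertion signature valid for a registered credential ("have")
    user_verified: Optional[bool] = None      # authenticator reported a PIN/biometric check ("know"/"are")
    known_device: Optional[bool] = None       # device previously seen on this account
    behaviour_match: Optional[float] = None   # 0..1 similarity of typing/pointer dynamics ("something you do")


# Weight of each signal when present; weights sum to 1.0 so full evidence gives trust 1.0.
WEIGHTS = {
    "webauthn_verified": 0.45,
    "user_verified": 0.20,
    "known_device": 0.15,
    "behaviour_match": 0.20,
}

# Trust required per transaction sensitivity (e.g. viewing, changing settings, paying).
THRESHOLDS = {"low": 0.30, "medium": 0.60, "high": 0.85}


def trust_score(ctx: AuthContext) -> float:
    """Sum the weighted evidence that is present. Absent signals add nothing, so a
    single good signal cannot max out trust (best effort, not fail-closed on gaps)."""
    if ctx.webauthn_verified is False:
        return 0.0  # a failed signature check is hard negative evidence, not a missing signal
    score = sum(
        w * float(getattr(ctx, name))
        for name, w in WEIGHTS.items()
        if getattr(ctx, name) is not None
    )
    return round(score, 3)


def decide(ctx: AuthContext, sensitivity: str) -> str:
    """Recomputed on every transaction: allow silently, or fall back to a visible step-up factor."""
    if ctx.webauthn_verified is False:
        return "deny"
    return "allow" if trust_score(ctx) >= THRESHOLDS[sensitivity] else "step_up"
```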