Kevin Curran

Kevin Curran is a Professor of Cyber Security, Executive Co-Director of the Legal Innovation Centre and group leader of the Ambient Intelligence & Virtual Worlds Research Group at Ulster University. He is a regular technology contributor to TV, radio, trade and consumer IT magazines.

Have we finally reached the end of the road for passwords?

Microsoft this month announced at its Ignite conference that it now supports password-less logins via its Microsoft Authenticator app. It works for hundreds of thousands of Azure Active Directory-connected apps. This is not an entirely new avenue for Microsoft: for some time, Windows Hello has offered a version of this for Windows 10 users. For Azure Active Directory, the Windows Authenticator app basically copies Windows Hello functionality, allowing users to use their fingerprint, PIN or face to log in to enterprise applications.

The idea is to provide two factors of authentication: something you are (your fingerprint or face) and something you own (your phone). What this does indicate is a move towards eradicating the password as the de facto authentication method.

It is now considered best practice to use methods like Google Authenticator or an RSA token, which can also prove possession. These involve neither a communication which can be as easily eavesdropped upon nor a SIM card that can be replaced. Attacks on the mobile phone networks are now a reality; they exploit the underlying SS7 signalling protocol to spoof a change to a user’s phone number, intercepting their calls or text messages.

Another form of attack exploits a typical weakness in security, the human factor, by tricking IT support staff into assigning accounts to ‘dummy SIM cards’, thus rendering this form of two-factor authentication completely useless. The solution in this case is to train staff, but the reality is that humans will always circumvent their training if faced with a persistent, crafty adversary.

For some time, best practice in protecting against unauthorized access to accounts has been to enable two-factor (or multi-factor) authentication when it is offered. The premise is that two-factor authentication does not allow anyone to log in to an associated account without access to a phone which is registered to that account.

This should in theory prevent any third party from hijacking that account, as they do not have in their physical possession the registered phone which gives them an ephemeral code to log in. Of course, this has been used to date as a supplement to the password. However, now there is a move to phase out the traditional password.

There are also authentication methods beyond authenticator apps and hardware tokens. For instance, biometrics-based authentication can validate the identity of users by measuring unique physiological and behavioural characteristics of individuals. Such a measure maximizes between-person random variations while at the same time minimizing within-person variability. In contrast with passwords and PINs, a biometric identifier cannot be lost, forgotten or shared.

One can choose from a large list that includes finger, face, retinal scan, iris, gait, vein infrared thermogram, hand geometry and palm print or from a combination of all these identifiers termed multimodal-biometrics.

The biggest change in the future might be the rise of the mobile device as the device of choice for biometric reading, as mobile devices are increasingly the mainstay of a person’s online activities. Most of the market-dominating smartphones now have biometric readers or sensors already incorporated into the hardware.

Biometric Authentication

It is feasible that biometric authentication becomes the de facto form of providing credentials in the future (although it should be combined with multi-factor methods). Many smartphones have biometric readers or sensors incorporated into the hardware.

Deployment of proper biometric solutions should significantly reduce identity thefts, with great benefits for the economy, by eliminating passwords from the equation in favour of more reliable solutions. There are numerous biometric solutions. None are a silver bullet and one size does not fit all.

The accuracy of facial recognition varies greatly due to factors such as lighting, angle, camera sensitivity and more. Facial techniques can also be thrown off by changes in facial characteristics or by a person wearing glasses or sunglasses. The colour of the ambient light can also confuse these systems. Fingerprint readers likewise are affected by temperature and other factors. Fingerprint scanners are common in phones, such as Apple’s Touch ID. They have of course been on laptops for years but hardly used.

The Touch ID system from Apple is quite impressive from a security perspective. Fingerprint scanners are not the solution, however, as we simply leave fingerprints on every surface we touch. Also, fingerprints taken when the finger is flat will be different when misaligned, wet, dirty or practically frozen. There have been many examples of Apple’s Touch ID being bypassed using scanners, latex and patience.

Face ID does seem to work quite well. It works by projecting around 30,000 infrared dots on a face to produce a 3D mesh. This resultant facial recognition information is stored locally in a secure enclave on the Apple Bionic chip. That is like Touch ID. They also claim the probability of someone else unlocking a phone is 1 in 1,000,000. That is impressive.

The infra-red sensor on the front is crucial for sensing depth. Earlier facial recognition features (even from Samsung last year) were too easily fooled by face masks and 2D photos. Apple claim their Face ID will not succumb to these methods.

Behavioural biometric based authentication methods on mobile platforms are another step in the right direction. They are more than just a one-off identification process, as they allow for on-going monitoring of a person’s behaviour, detecting things from the way someone types to the angle at which they hold their phone.

Keystroke dynamics is where keystroke logging can be analysed. The time to get to and depress a key, and the time the key is held down, can be very specific to a person, regardless of how fast they are going overall.

Most people have specific letters that take them longer to find or get to than their average seek-time over all letters, but which letters those are may vary dramatically but consistently for different people. Right-handed people may be statistically faster in getting to keys they hit with their right-hand fingers than they are with their left-hand fingers. Index fingers may be characteristically faster than other fingers to a degree that is consistent for a person day-to-day regardless of their overall speed that day.

Normally, all that is retained when logging a typing session is the sequence of characters corresponding to the order in which keys were pressed, and timing information is discarded. Keystroke dynamic information, which is normally discarded, can be used to verify or even try to determine the identity of the person who is producing those keystrokes.
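The timing information described above, turned into a verification check, as an added example that is not from the original article or from any of the products it names. The event format, the mean absolute z-score detector, the 3.0 threshold and all timings are assumptions constructed for illustration; both attempts type the same four characters and differ only in timing.

```python
from statistics import mean, pstdev

def typed(keys, dwells, flights):
    """Build constructed (key, press_ms, release_ms) events from timing lists."""
    t, events = 0, []
    for i, key in enumerate(keys):
        events.append((key, t, t + dwells[i]))
        t += dwells[i] + (flights[i] if i < len(flights) else 0)
    return events

def features(events):
    """Dwell (hold) time per key, then flight (seek) time between consecutive keys."""
    dwell = [release - press for _, press, release in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight

def enroll(samples):
    """Per-feature (mean, std) over enrolment samples; std is floored at 1 ms."""
    columns = zip(*(features(s) for s in samples))
    return [(mean(c), max(pstdev(c), 1.0)) for c in columns]

def score(profile, events):
    """Mean absolute z-score of an attempt against the profile (lower is closer)."""
    vec = features(events)
    if len(vec) != len(profile):
        raise ValueError("attempt does not match the enrolled phrase length")
    return mean(abs(x - mu) / sd for x, (mu, sd) in zip(vec, profile))

def verify(profile, events, threshold=3.0):
    """Accept when the attempt is within `threshold` (an assumed cut-off)."""
    return score(profile, events) <= threshold

# Constructed timings (ms): the same four keys typed by two different people.
KEYS = "pass"
OWNER_SAMPLES = [
    typed(KEYS, [95, 80, 110, 90], [120, 60, 140]),
    typed(KEYS, [100, 85, 105, 92], [125, 65, 150]),
    typed(KEYS, [90, 78, 115, 88], [115, 55, 135]),
]
OWNER_ATTEMPT = typed(KEYS, [97, 82, 108, 91], [122, 62, 145])
OTHER_ATTEMPT = typed(KEYS, [140, 60, 70, 130], [80, 150, 60])

if __name__ == "__main__":
    profile = enroll(OWNER_SAMPLES)
    for name, attempt in (("owner", OWNER_ATTEMPT), ("other", OTHER_ATTEMPT)):
        print(name, round(score(profile, attempt), 2), verify(profile, attempt))
```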

There are several home software and commercial software products which claim to use keystroke dynamics to authenticate a user such as BioTracker, ID Control, TypeWATCH, Authenware and KeyTrac.

Barriers to adoption

There is also voice as a biometric technique. Voice, however, must be measured against the ambient background, such as when speaking in a bar, a train, on a street or at a sports arena. There really has not been much movement in trying to implement voice authentication, but it does play a part in some multi-factor systems.

The main barrier to any widespread adoption has been the problem of aural eavesdropping. This is where casual or malicious bystanders may overhear private information spoken by screen readers or users. There are some niche areas where it is adopted, such as for individuals who are blind and have difficulties with authentication processes such as CAPTCHA, which cut them off from bank accounts and other online access points because they must visualise and input meaningless character sequences.

These sources of potential error give rise to two measures that biometric algorithms build into their calculations: false acceptance and false rejection. If these are not measured properly, the result can be a bad user experience, which has been a problem with the commercialisation of such technologies in the past decade as they seek to achieve the elusive 100% accuracy rate.

The objective of biometric identity authentication is to establish a bond of trust between a system and the user who is requesting system access. More specifically, identity authentication ascertains a level of trust regarding who the user claims to be. It follows that the more accurate the chosen authentication method the user presents to prove their identity, the stronger this bond of trust becomes.
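The trade-off between false acceptance and false rejection, worked through on match scores, as an added example that is not part of the original article. The scores are constructed distance values (lower means a closer match), and the function names are illustrative.

```python
# Constructed distance scores from a hypothetical matcher.
GENUINE = [0.4, 0.5, 0.6, 0.7, 0.8, 0.9, 1.1, 1.3, 1.8, 2.6]   # rightful user
IMPOSTOR = [1.2, 1.7, 2.4, 3.1, 3.8, 4.5, 5.2, 6.0, 7.5, 9.0]  # someone else

def rates(genuine, impostor, threshold):
    """Return (FAR, FRR) when an attempt is accepted if score <= threshold."""
    far = sum(s <= threshold for s in impostor) / len(impostor)  # impostors let in
    frr = sum(s > threshold for s in genuine) / len(genuine)     # owners locked out
    return far, frr

def sweep(genuine, impostor):
    """(threshold, FAR, FRR) at every observed score, in ascending order."""
    thresholds = sorted(set(genuine) | set(impostor))
    return [(t, *rates(genuine, impostor, t)) for t in thresholds]

def equal_error_point(genuine, impostor):
    """Threshold where FAR and FRR are closest (the equal error rate)."""
    return min(sweep(genuine, impostor), key=lambda r: (abs(r[1] - r[2]), r[0]))

def threshold_for_far(genuine, impostor, max_far):
    """Most permissive threshold whose FAR stays within max_far, or None."""
    allowed = [r for r in sweep(genuine, impostor) if r[1] <= max_far]
    return max(allowed, key=lambda r: r[0]) if allowed else None

if __name__ == "__main__":
    for t, far, frr in sweep(GENUINE, IMPOSTOR):
        print(f"threshold={t:<4} FAR={far:.1f} FRR={frr:.1f}")
    print("equal error point:", equal_error_point(GENUINE, IMPOSTOR))
    print("zero false accepts:", threshold_for_far(GENUINE, IMPOSTOR, 0.0))
```

On these scores, demanding zero false acceptances locks the rightful user out three times in ten, which is the user-experience cost the paragraph above refers to.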

Hardware devices do offer another authentication avenue but often the problem is the need to carry such a device on the person. Hence the move towards making our mobile phones the de facto hardware device. Google recently launched its own hardware security keys for two-factor authentication called Titan Security Keys.

These are like the popular Yubico hardware key. Google’s FIDO-compatible Titan keys come in two flavours. One has Bluetooth support for mobile devices and the other plugs directly into a computer’s USB port. Hardware security tokens however involve additional costs for the device as well as requiring users to carry the token with them.

Biometric, authenticator apps or hardware token solutions may not provide us with the complete authentication solution we need right now to more fully secure our accounts and systems, but they will play an increasingly important role in the days ahead. They are a step in the right direction. Now where did I put that post-it note with my password?