Pick a number, any number, or any combination of numbers, letters and special characters, except for 12345678, password, or admin. Most of us have multiple passwords that we need to remember to get through an average day, yet many of them are easily guessed or are already for sale on criminal markets.
The way we've been managing passwords just isn't working, and the United States National Institute of Standards and Technology (NIST) has published recommendations for user password management (in its Digital Identity Guidelines, SP 800-63B) to try to address the situation.
NIST Makes Some Changes
The new recommendations include dropping periodic password change requirements, which many people currently cope with by cycling through a small set of passwords so they can keep track of them all.
Requiring all passwords to have upper and lower case letters, numbers, and symbols is also going by the wayside, because composition rules push people toward predictable substitutions rather than stronger passwords. Instead, NIST recommends screening every new password against lists of commonly used, expected, or compromised passwords. That screening is a check the service performs automatically at enrollment, against a blocklist or a breach corpus, rather than something the user is expected to do.
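To make the screening requirement concrete, here is an added example of the checks SP 800-63B asks a verifier to perform when a user chooses a password. It is illustrative code written for this page, not NIST's or any vendor's implementation. The blocklist and the breach-hash table are tiny constructed stand-ins: a real deployment loads millions of entries, or queries a range API such as the k-anonymity scheme used by Have I Been Pwned, where only the first five hex characters of the SHA-1 hash leave the client. The function names are my own.

```python
import hashlib

# Constructed blocklist for this example. A real deployment loads a large
# breach-derived corpus (millions of entries), not this handful.
COMMON_PASSWORDS = {"12345678", "password", "admin", "qwerty123", "letmein1", "iloveyou"}


def sha1_hex(password):
    """Uppercase hex SHA-1 of the password, the form range lookups use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a k-anonymity range lookup: the first five hex
# characters of a SHA-1 hash map to the set of suffixes known to be breached.
# With a live service the client sends only the prefix and matches locally,
# so the full password hash never leaves the client.
BREACHED_RANGES = {}
for _pw in ("Summer2016!", "P@ssw0rd"):  # constructed "breached" values
    _h = sha1_hex(_pw)
    BREACHED_RANGES.setdefault(_h[:5], set()).add(_h[5:])


def is_breached(password):
    h = sha1_hex(password)
    return h[5:] in BREACHED_RANGES.get(h[:5], set())


def is_sequential(password, run=4):
    """True if any `run` consecutive characters are identical, ascending or
    descending in code point order ("aaaa", "1234", "dcba")."""
    s = password.lower()
    for i in range(len(s) - run + 1):
        chunk = s[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def screen_password(password, username="", service="", min_length=8):
    """Return the reasons a candidate password is rejected; [] means accepted.
    Mirrors SP 800-63B: a length floor, common and compromised lists, context
    words, repetitive or sequential characters. No composition rules on purpose."""
    reasons = []
    if len(password) < min_length:
        reasons.append("too short")
    low = password.lower()
    if low in COMMON_PASSWORDS:
        reasons.append("commonly used")
    if is_breached(password):
        reasons.append("found in breach corpus")
    for word in (username, service):
        if len(word) >= 3 and word.lower() in low:
            reasons.append(f"contains context word {word!r}")
    if is_sequential(password):
        reasons.append("repetitive or sequential characters")
    return reasons


if __name__ == "__main__":
    for candidate in ("12345678", "Summer2016!", "jsmith2024", "correct horse battery staple"):
        verdict = screen_password(candidate, username="jsmith", service="acmebank")
        print(f"{candidate!r}: {verdict or 'accepted'}")
```

The order of the checks matters less than the fact that every one of them is the verifier's job: the user only sees the reason for a rejection, never a rule about which character classes to include.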
To strengthen security, though, most applications require more than a password. Just logging into a news website requires a username and a password. More sensitive sites require a username, a password, and an additional one-time code. With the ever-increasing use of our mobile devices, multifactor authentication, which regulations across industries increasingly mandate, takes authentication a step further.
Out With The Old...
Multifactor authentication combines something you know, something you have, and something you are; any two of the three is the usual minimum. Something you know, a password or PIN, is the "easy" part. Something you have usually takes the form of a hardware or app-based token, or a code sent by SMS to your mobile device, which supplies one-time codes. NIST treats SMS delivery as a restricted, weaker option, since the code can be intercepted or redirected before it reaches you.
Something you are may require additional hardware, such as a fingerprint reader, or leverage existing hardware, like the camera or touchscreen.
Authentication has become enough of a hassle that many people give up before they reach the point of performing a transaction. Not only that, but most schemes authenticate only once, at login, which means a session can be hijacked immediately afterwards by malware that lies in wait, leading to fraud or data theft.
Passwords and one-time multifactor authentication ultimately aren't going to cut it: they can be phished, replayed, or hijacked after the fact. They are also cumbersome and interfere with the user experience.
...In With the New
A solution does exist: behavioral biometrics. While behavioral biometrics is a subset of "what you are," it adds a further layer of security because it enables continuous authentication from initial login through the final transaction, rather than a single check at login.
Behavioral biometrics works behind the scenes, analyzing exactly how you interact with your devices: the pressure of your finger on the screen, how quickly you type, the angle at which you hold the phone, and many other parameters captured by the hardware already in your phone. The combination of these behaviors feeds a trust score, from which the transaction "owner" (the bank or app provider) automatically decides which transactions you may perform during that particular session. If the trust score is low, it's probably not you initiating the transaction. If the score is high, you'll be eligible for the full rights and privileges you have earned as a customer, because the "owner" reduced their own risk by knowing it's you.
Meanwhile, the consumer has no idea this is going on behind the scenes, so the app provider doesn't need to educate the customer about new security requirements, nor do customers need to sign up for anything.
Behavioral biometric profiles are hard to steal or replay: no one can imitate exactly how another person uses their phone, and a stolen password reveals nothing about it. As an additional benefit, automated bots are even easier to detect and stop, because their input lacks the natural variation that marks a human. Behavioral biometrics can also remove the need to register individual users on a shared device, since each profile can be tied to a specific user purely from their physical interaction with the device.
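To show the scoring mechanism described above concretely, and the bot case, here is an added toy implementation, not code from the article or from any behavioral biometrics vendor. It builds a per-user profile from enrollment sessions, scores a new session by how far each feature drifts from that profile, maps the score to a transaction tier, and flags input with no natural variation as automated. The feature names, sample values and thresholds are all constructed for the example; production systems use many more signals and a trained model rather than this Gaussian similarity.

```python
import math
import statistics

# Constructed enrollment data for one user: raw observations per behavioral
# feature gathered over earlier sessions (keystroke interval in ms, touch
# pressure on a 0-1 scale, device tilt in degrees). Real systems capture many
# more signals; three keep the arithmetic visible.
ENROLLMENT = {
    "keystroke_ms": [180, 200, 220, 190, 210, 205, 195, 185, 215, 200],
    "pressure":     [0.40, 0.45, 0.50, 0.42, 0.48, 0.44, 0.46, 0.43, 0.47, 0.45],
    "tilt_deg":     [30, 35, 40, 32, 38, 34, 36, 33, 37, 35],
}

# Constructed sessions to score against that profile.
GENUINE = {"keystroke_ms": [195, 205, 210, 190, 220],
           "pressure": [0.44, 0.46, 0.45, 0.47, 0.48],
           "tilt_deg": [34, 36, 35, 37, 38]}
IMPOSTOR = {"keystroke_ms": [120, 130, 125, 135, 115],
            "pressure": [0.70, 0.72, 0.68, 0.71, 0.69],
            "tilt_deg": [55, 58, 60, 57, 55]}
BOT = {"keystroke_ms": [100] * 5, "pressure": [0.5] * 5, "tilt_deg": [0] * 5}

# Score thresholds -> what the transaction "owner" lets this session do.
TIERS = [(0.8, "full"), (0.5, "limited"), (0.0, "step_up")]


def build_profile(enrollment):
    """Per feature, the user's typical value and spread (mean, std dev)."""
    profile = {}
    for name, values in enrollment.items():
        # Floor the spread so a near-constant feature cannot divide by zero.
        profile[name] = (statistics.mean(values), max(statistics.pstdev(values), 1e-6))
    return profile


def looks_automated(session, min_jitter=1e-9):
    """Humans never repeat an interaction exactly; scripted input often does."""
    return any(len(v) > 1 and statistics.pstdev(v) < min_jitter for v in session.values())


def trust_score(profile, session):
    """Mean per-feature similarity in [0, 1]; 1.0 means 'exactly like the owner'."""
    if looks_automated(session):
        return 0.0
    sims = []
    for name, (mean, std) in profile.items():
        observed = session.get(name)
        if not observed:
            sims.append(0.0)  # a missing signal counts against the session
            continue
        z = abs(statistics.mean(observed) - mean) / std
        sims.append(math.exp(-0.5 * z * z))  # Gaussian kernel: z=0 -> 1, z=3 -> ~0.01
    return sum(sims) / len(sims)


def tier_for(score):
    for threshold, tier in TIERS:
        if score >= threshold:
            return tier
    return "step_up"


def assess(profile, session):
    """What the owner learns about a session: score, allowed tier, bot flag."""
    score = trust_score(profile, session)
    return {"score": round(score, 3), "tier": tier_for(score),
            "automated": looks_automated(session)}


PROFILE = build_profile(ENROLLMENT)

if __name__ == "__main__":
    for label, session in (("genuine", GENUINE), ("impostor", IMPOSTOR), ("bot", BOT)):
        print(label, assess(PROFILE, session))
```

Two design points carry over to real deployments: the score is recomputed as the session goes on, so the tier can drop mid-session when the behavior changes, and a "step_up" result is a request for an explicit factor, not an outright block, so a genuine user whose grip happens to be unusual today is inconvenienced rather than locked out.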
In certain circumstances and locations passwords might still be part and parcel of the experience. But as we increase our interactions with mobile devices and IoT grows to a point where we all have smart cars and appliances, those devices too will recognize us by our touch, not our username, password, and additional security codes.