by Brendan O'Donohoe
What if you didn't have to prove who you are to access sites that require your identity? The old TV show Cheers said it right: “Sometimes you want to go where everybody knows your name.” We think the internet should work like Cheers, and mobile device authentication is taking that idea from sitcom to reality.
Today, login controls are onerous, time consuming, and risky. Passwords are broken as a security measure: Verizon's breach data attributes 81% of hacking-related breaches to stolen or weak passwords. Why, then, was identity authentication built this way if it clearly doesn't work?
The Modern Password Is Born
The reason is pretty simple. A username and a password were the original pair used for identity authentication to give users access to online accounts, applications, devices, and websites: the username identifies the account, and the password, something only the user is supposed to know, is the single factor that proves it. The people who designed the internet deliberated whether identity should be a core feature of the network. Letting users invent their own usernames preserved anonymity, so identity never had to be tied to the real world.
In August 2017, Gizmodo reported that the “guy who created those annoying password rules now regrets wasting your time.” That guy is Bill Burr, a former manager at the National Institute of Standards and Technology (NIST), who, back in 2003, wrote the NIST guidance (Special Publication 800-63, Appendix A) on what he then thought was secure password creation.
“This became the document that would go on to more or less dictate password requirements on everything from email accounts to login pages to your online banking portal,” Gizmodo explained. “All those rules about using uppercase letters and special characters and numbers—those are all because of Bill.”
You might be shocked to learn this: “Bill Burr didn’t really know much about how passwords worked back in 2003, when he wrote the manual. He certainly wasn’t a security expert. And now the retired 72-year-old bureaucrat wants to apologize.”
The Troubling Case of Passwords for Identity Authentication
Simple math shows that a short password padded with unusual characters is easier to crack than a long string of easy-to-remember words. The classic XKCD comic “Password Strength” makes the comparison: four common words chosen at random (“correct horse battery staple”, about 44 bits of entropy) would take an attacker guessing 1,000 times per second roughly 550 years to exhaust, while a single word mangled with substitutions and a symbol (“Tr0ub4dor&3”, about 28 bits) falls in about three days at the same rate. The absolute numbers shrink drastically against an offline attack on leaked hashes, but the ratio holds: length drawn from a large, uniformly sampled space beats complexity rules.
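The arithmetic behind that comparison, as an added example that is not part of the original post: the 2,048-word list, the 1,000 guesses per second and the 28-bit estimate for the substituted-word password are the comic's own assumptions, the 10^10 guesses per second offline rate is an assumption chosen here for illustration, and the short word list is constructed for the demo. The example also shows the one detail the prose skips: a passphrase is only worth its computed bits if the words are drawn with a cryptographic random source.

```python
"""Added example: entropy and time-to-exhaust arithmetic for the XKCD
passphrase comparison, plus a correct passphrase generator.

Assumptions (not from the original post): 2048-word list and 1,000
guesses/s are the comic's figures; 28 bits for "Tr0ub4dor&3"-style
passwords is the comic's estimate, taken as an input rather than
derived; 1e10 guesses/s stands in for an offline attack on leaked
hashes. SAMPLE_WORDS is a constructed list, far too short for real use.
"""
import math
import secrets

SECONDS_PER_YEAR = 365.25 * 86400
SECONDS_PER_DAY = 86400


def passphrase_bits(wordlist_size: int, n_words: int) -> float:
    """Entropy of n_words chosen uniformly, with replacement, from a list."""
    return n_words * math.log2(wordlist_size)


def crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Seconds to exhaust the whole 2**bits keyspace at the given rate.

    The comic quotes the worst case; an attacker needs half on average.
    """
    return 2.0 ** bits / guesses_per_second


def crack_years(bits: float, guesses_per_second: float) -> float:
    return crack_seconds(bits, guesses_per_second) / SECONDS_PER_YEAR


def generate_passphrase(wordlist, n_words: int = 4, sep: str = " ") -> str:
    """Draw words with the OS CSPRNG. random.choice is seeded from a
    predictable state and must not be used for secrets."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


# Constructed word list for the demo; real tools use 2048-7776 words.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple",
                "anchor", "tulip", "marble", "lantern"]


def compare(rates=(1e3, 1e10)):
    """Return {rate: (seconds for 4 words, seconds for substituted word)}."""
    words_bits = passphrase_bits(2048, 4)   # 44 bits
    substituted_bits = 28.0                 # comic's estimate, not derived
    return {r: (crack_seconds(words_bits, r), crack_seconds(substituted_bits, r))
            for r in rates}


if __name__ == "__main__":
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDS))
    print("bits for 4 words from 2048:", passphrase_bits(2048, 4))
    for rate, (w, s) in compare().items():
        print(f"{rate:>6.0e} guesses/s: 4 words {w / SECONDS_PER_YEAR:10.1f} y,"
              f" substituted word {s / SECONDS_PER_DAY:10.4f} d")
```

At the comic's online rate the passphrase comes out near 557 years and the substituted word near 3.1 days; at the offline rate the passphrase lasts about half an hour and the substituted word a fraction of a second, which is why the comparison is about relative strength, not about any password surviving a leaked hash database.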
When you look closely, the costs of relying on passwords are everywhere. Online retail is a relatable example. It’s something everyone can understand and is a good proxy for what consumers would do if unconstrained by IT. Here are some eye-opening statistics:
- The average consumer has 90 retail accounts that require passwords.
- "About a third of online purchases are abandoned at checkout because consumers cannot remember their passwords," a study conducted jointly by MasterCard and the University of Oxford found.
- 51% of people use similar passwords over and over, the same study found.
- These passwords are variations of passwords consumers have used for many years. They may change the number (at the end) of the password from 1 to 2 to 3 to 4, or move through different special characters, according to Ryan Wilk, vice president of customer success at NuData Security.
- "21% of users forget passwords after 2 weeks, and 25% forget one password at least once a day," according to NuData Security.
- After one or two minutes of failed attempts, consumers hit “reset password” and usually receive an email link. That reset path is exactly what a social engineer or fraudster wants, because it makes the email account the gate to every other account. So the fix for the problem we created becomes the weakness the attacker exploits.
And here’s the kicker: 81% of hacking-related breaches leveraged stolen or weak passwords, according to Verizon’s 2017 Data Breach Investigations Report.
Today, the password conundrum has gotten even worse. System administrators can force password changes by fiat; Salesforce.com, for example, can be set to expire passwords as often as every 30 days, even though NIST’s current guidance (SP 800-63B, 2017) advises against forced periodic rotation because it pushes users toward predictable variations. This has created a cottage industry of solutions to a self-created problem: the password manager.
The password manager asks you to remember one master password that you never change, and deals with all the other password headaches for you. Password managers can be built into browsers, like Chrome and Safari, or come as standalone products, like LastPass or Dashlane.
You may be wondering: Why do we still have these relics? Hasn’t anyone asked whether we still need login names and passwords?
Mobile Device Authentication Is Bringing About a Password-Free Future
At Averon, we believe that logging in to any site, be it the newspaper you read in the morning, the article that your friend sends you in the afternoon, the business application that you review while drinking your coffee, the ride-share that you take to a meeting, or the ecommerce site that you look at over lunch, should be as easy as opening your phone and making a call.
Can things be that easy, or are we dreaming too big?
We live in a world where we can secure our phones with a biometric and a passcode, a defense so tough that the FBI had to pay an outside party to get into one. If we can shrink the attack surface to one person and one phone, billions of dollars in fraud go away.
Riding on top of the cellular networks’ ability to bill mobile users accurately for the minutes they use, we can identify exactly when customers are trying to log in to an application, website, or system from their phone. Coupled with digital certificate technology, we can broaden that to any computer at all, without asking users to download another application.
Here’s how it works: Averon uses a proprietary mix of input from the user’s mobile carrier and our own secret sauce to positively confirm, in real time, that a transaction was initiated on the user’s authentic device. Because nothing is typed or read back, the technique is not exposed to credential reuse, interception of a second-factor code, or other schemes that capture what the user enters on the device. Further, and more important, it is tied to the identity the mobile user established when they opened their phone account, an identity the carrier has already corroborated (for postpaid accounts at least) by checking a license or utility bill at a retail location and running a credit check. As with any carrier-bound identity, the guarantee is only as strong as the carrier’s control over SIM issuance and number porting, so those processes deserve scrutiny when relying on it.
So, imagine a world where everybody knows your name (that is, only those people you want to know you, of course!). No more usernames, no more passwords. Best yet, you will be more secure than you ever were before.
It’s not a fantasy, it’s reality. And it's now.