For the last 50 years, the fundamental and largely unchanged model for identifying and authenticating users has been based on the combination of a username and password, sometimes augmented with “second factor” techniques.
While this approach has mostly served financial and other high-security industries well, it’s increasingly shown to suffer from five drawbacks:
1. Complex usernames and passwords are not user-friendly, which creates an inherent tension between what’s best for user experience (UX) and what’s best for security. For example, it’s well known that “passphrases” are more secure than “passwords.” But with the advent of mobile apps, user preferences have shifted to make these the most frequently used access modes, making passphrases less practical.
2. Given the tendency to reuse passwords or use federated sign-on services, such as those provided by Facebook and Google, a social engineering attack on one service could lead to attacks on many.
3. Even when services enforce their own complex password requirements, “forgotten username and password” reset mechanisms often fall back to less secure personal email accounts as the primary identity verification point.
4. Confidence in password-based authentication may be high at the beginning of a process but can change rapidly over time. For example, an unattended laptop or misplaced mobile phone may provide a malicious user with a window of opportunity to access services the victim has already signed into.
5. Usernames and passwords are “context unaware,” meaning they cannot adjust their strength to the service the user is accessing or a particular transaction that the user is trying to perform.
Fortunately, there is an emergent approach that can address these concerns by shifting the emphasis from asking “do we recognize the user’s username and password?” as the sole authentication and authorization criterion to “do we recognize the user?” This technique is based on applying artificial intelligence techniques to learn and model how legitimate users interact and transact with apps and services. This allows cybersecurity professionals to detect when malicious users or malware attempt to access services in a non-legitimate way.
While there are many individual techniques that work in concert with the user recognition approach, they generally fall into one of two main categories:
Continuous authentication – Unlike active, password-based authentication and related 2FA techniques, continuous authentication employs passive techniques to compare the user’s behavior throughout each session to learned models of past behavior. Continuous authentication also looks for anomalies that could indicate the session has been taken over by a malicious actor. These techniques typically include both “biometric” (e.g., typing speed, mouse/touch movements) and “transactional” behaviors (e.g., transaction types, sizes, amounts).
Contextual awareness – This approach is based on understanding the context of a given session, or of a transaction within a session, and then tailoring the security policy to each situation. The security policy will either “step up” or “step down” the controls applied based on the context. This typically includes both the “physical” context (e.g., device/network being used, time of day, geolocation) and the “transactional” context (e.g., withdrawal, transfer).
From the user’s standpoint, a major benefit of continuous authentication and contextual awareness is that the user does not have to do anything special to authenticate during a session. Together they enable automatic and ongoing authentication that adjusts to the user’s context while the user focuses on the task at hand. For example, for lower-risk and routine transactions such as a balance inquiry, the scoring criteria need not be as stringent as when a large withdrawal or transfer is requested.
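To make the two categories concrete, here is an added example (not code from the original article or from any product it describes) of a small risk-scoring engine that combines a behavioral baseline with contextual flags and applies per-transaction thresholds. The baseline values, context weights, threshold numbers and the `SAMPLE_SESSION` events are all constructed for illustration; the feature names, the z-score method and the session-termination rule are assumptions made to show the step-up/step-down idea, not a description of any particular vendor’s model.

```python
from statistics import mean, pstdev

# Learned behavioral baseline for one user (constructed sample values, not real
# telemetry): per feature, observations collected from earlier trusted sessions.
BASELINE = {
    "typing_ms_per_char": [110, 120, 105, 130, 115, 125, 118, 112],
    "mouse_speed_px_s": [420, 450, 390, 470, 430, 410, 440, 460],
}

# Contextual ("physical" context) risk weights; assumed values for illustration.
CONTEXT_WEIGHTS = {
    "new_device": 2.0,
    "unusual_geolocation": 2.5,
    "off_hours": 1.0,
}

# Per-transaction-type thresholds: (step_up_at, deny_at).  Routine, low-risk
# transactions tolerate more accumulated risk before a challenge is raised;
# high-risk transactions challenge earlier and deny sooner.
TRANSACTION_POLICY = {
    "balance_inquiry": (4.0, 8.0),
    "transfer": (2.0, 5.0),
    "large_withdrawal": (1.0, 3.0),
}


def behavioral_score(observed, baseline=BASELINE):
    """Sum of absolute z-scores of the observed features against the baseline.

    A legitimate user typing and moving the mouse as usual scores near zero; a
    session taken over by someone else (or by automation) drifts upward.
    """
    score = 0.0
    for feature, history in baseline.items():
        if feature not in observed:
            continue  # feature not captured for this event (e.g. no mouse on mobile)
        mu = mean(history)
        sigma = pstdev(history) or 1.0  # guard against a constant history
        score += abs(observed[feature] - mu) / sigma
    return score


def contextual_score(context, weights=CONTEXT_WEIGHTS):
    """Additive risk from the physical-context flags set for this event."""
    return sum(weight for flag, weight in weights.items() if context.get(flag))


def decide(observed, context, transaction_type, policy=TRANSACTION_POLICY):
    """Return (decision, risk) for one event; decision is allow / step_up / deny."""
    risk = behavioral_score(observed) + contextual_score(context)
    step_up_at, deny_at = policy[transaction_type]
    if risk >= deny_at:
        decision = "deny"
    elif risk >= step_up_at:
        decision = "step_up"  # challenge the user (e.g. password or second factor)
    else:
        decision = "allow"
    return decision, round(risk, 2)


def evaluate_session(events):
    """Score the events of one session in order (the 'continuous' part).

    After a deny the session is ended and every later event is reported as
    'terminated' instead of being re-scored.
    """
    results = []
    terminated = False
    for event in events:
        if terminated:
            results.append(("terminated", None))
            continue
        decision, risk = decide(event["observed"], event["context"], event["transaction"])
        results.append((decision, risk))
        if decision == "deny":
            terminated = True
    return results


# Constructed session: two normal events, then behavior that no longer matches
# the baseline (e.g. the victim's unattended laptop being used by someone else).
SAMPLE_SESSION = [
    {"observed": {"typing_ms_per_char": 118, "mouse_speed_px_s": 435},
     "context": {}, "transaction": "balance_inquiry"},
    {"observed": {"typing_ms_per_char": 118, "mouse_speed_px_s": 435},
     "context": {}, "transaction": "large_withdrawal"},
    {"observed": {"typing_ms_per_char": 60, "mouse_speed_px_s": 900},
     "context": {}, "transaction": "transfer"},
    {"observed": {"typing_ms_per_char": 60, "mouse_speed_px_s": 900},
     "context": {}, "transaction": "balance_inquiry"},
]

if __name__ == "__main__":
    for event, (decision, risk) in zip(SAMPLE_SESSION, evaluate_session(SAMPLE_SESSION)):
        print(f"{event['transaction']:>17}: {decision:<10} risk={risk}")
```

Note how the same behavioral evidence leads to different outcomes depending on the transaction: a user on a new device in an unusual location can still read a balance after a challenge, but the same context is enough to refuse a large withdrawal outright. In a real deployment the baseline would be refreshed from trusted sessions and the weights and thresholds tuned against false-positive rates per transaction type.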
In theory, the application of these techniques can lead to an experience where the user is rarely required to enter a password and is only “challenged” when risk scores are high relative to the transactional context. They can certainly increase overall security and transactional integrity, because a compromised password on its own can no longer give a malicious actor unfettered access to services or the ability to execute high-risk transactions.
The bar for malicious actors is raised significantly because they have to navigate multiple layers of behavioral and contextual risk assessment and do so on an ongoing basis with increasing levels of scrutiny as transactional risk grows.
That’s not to say the application of these user authentication processes will come without challenges. One of these will involve users trusting technology and service providers to not misuse biometric or other behavioral data that’s collected to support model building. Reputation will be as important as the performance of underlying technology.
Other challenges will involve the changes that would need to be made to apps and services to incorporate these new techniques. This is inherently more complex than building a simple login page that collects passwords and sends email or SMS verification messages. The challenge can be eased, however, by employing a platform-based approach rather than building the capability one-off into each individual app or service.
Although strong usernames and passwords have been thought to be one of the best lines of financial defense, they are simply too vulnerable on their own, especially when it comes to securing the data this industry holds. However, with the help of artificial intelligence, cybersecurity professionals are working to develop more robust authentication techniques that are tailored to each individual user. By focusing on user authentication through recognized behaviors instead of login credential recognition, users can feel more confident that their data and finances remain secure.