Appgate presented the different models of secure authentication that counter the widespread theft of passwords. The company also presented a timeline of how authentication has evolved.
Successfully logging in with a password no longer proves that the person behind the login is the legitimate owner of the account. This is why Appgate, a secure access company and world leader in cybersecurity, explains the importance of implementing secure authentication to protect against digital threats.
The number of exposed credentials has increased 300% since 2018, and that growth has shown that usernames and passwords alone are not an effective means of secure authentication. Nevertheless, the vast majority of organizations continue to rely on this model.
The first thing to be clear about is that each authentication factor falls into one of three categories:
- Knowledge: Something the user knows. The simplest example is a password. Because these credentials are easy to guess, steal or phish, the knowledge category is the least effective basis for secure authentication.
- Possession: Something the user has. This is considered a strong category because an attacker cannot obtain the factor remotely as easily as a secret: the user must physically have the item with them. It is still not foolproof, since devices can be lost, stolen or compromised.
- Inherence: Something the user is. This is the strongest category. Human characteristics are much harder for fraudsters to replicate, so inherence factors are less attractive targets for cybercriminals, although they are not impossible to spoof.
Each authentication factor has its advantages and disadvantages. Below, Appgate presents an overview of the evolution of authentication.
- The first password: Password-based login was introduced in the early 1960s at MIT, on the Compatible Time-Sharing System, which means the password is more than five decades old, and even then it was not secure. Passwords are cheap and easy to deploy, but they are a weak authentication factor and easy to crack or steal.
- Hard tokens: First patented in the late 1980s, these devices display a one-time password, a numeric code that changes periodically. The code is not truly random; it is derived from a secret key shared with the server together with the current time or a counter. Because the code changes frequently, it is difficult to reuse, but in consumer use dedicated tokens have largely been superseded by more accessible authenticator apps on smartphones.
- Device recognition: Cookies were created in the mid-1990s and became commonplace in the early 2000s. They were the first example of large-scale device recognition. The technology has evolved to incorporate many other signals that are constantly updated; however, an attacker who controls the device remotely, for example with a Remote Access Trojan (RAT), inherits its recognized status.
- SMS: Widely used from the early 2000s, SMS codes marked the beginning of delivering one-time passwords to phones. It is a simple way to add a second factor, but it is inconvenient for users who have lost their device or no longer have access to the registered phone number, and the codes can be intercepted through SIM-swap attacks, so SMS is now considered one of the weaker possession factors.
- Push: BlackBerry was the first to use push notifications, but Google and Apple took them mainstream in 2009 and 2010. This factor shows a prompt on a mobile device that lets the user approve or deny a transaction or login attempt. It is a strong method because the approval is bound to the registered device, but it depends on the user having access to that device, and attackers can spam approval prompts until a user accepts one by mistake.
- Fingerprint biometrics: Apple's Touch ID popularized fingerprint biometrics in 2013. The registered user's fingerprint confirms their identity, which is difficult for a fraudster to replicate.
- QR authentication: WhatsApp Web launched QR authentication in 2015. A one-time code is displayed on the new device and scanned with the phone that is already trusted. It is fast, convenient and secure, but it only works as an out-of-band process, since it requires the already-authenticated device.
- Facial biometrics: Apple's Face ID was one of the first widely deployed examples of facial biometrics for authentication. Disadvantages include dependence on lighting and the angle of the user's face, and some implementations can be spoofed with a photo or video of the user.
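The hard-token and SMS items above describe one-time passwords without showing how they are produced or checked. The following is an added example, not Appgate's code, of the two standard algorithms behind such codes, HOTP (RFC 4226, counter-based) and TOTP (RFC 6238, time-based), together with the server-side checks a practitioner would want: a constant-time comparison, tolerance for one step of clock drift, and rejection of a code that has already been accepted (replay). The secret `b"12345678901234567890"` is the test-vector key published in both RFCs, so the outputs can be checked against the RFC appendices.

```python
import hmac
import hashlib
import struct

# Test-vector key from RFC 4226 Appendix D / RFC 6238 Appendix B (SHA-1 rows).
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation,
    then the low `digits` decimal digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects a 4-byte window
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF  # clear sign bit
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter replaced by floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits, digestmod)


class TotpVerifier:
    """Server-side TOTP check for one enrolled token.

    - compares in constant time (hmac.compare_digest) so timing does not leak digits;
    - accepts codes from `window` steps either side of now to tolerate clock drift;
    - remembers the last accepted step so the same code cannot be replayed within
      the window (RFC 6238 section 5.2 requires one use per step).
    """

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self.last_accepted_step = -1  # no code accepted yet

    def verify(self, candidate: str, unix_time: int) -> bool:
        current = unix_time // self.step
        for step in range(current - self.window, current + self.window + 1):
            if step <= self.last_accepted_step:
                continue  # this step (or an earlier one) was already consumed: replay
            expected = hotp(self.secret, step, self.digits)
            if hmac.compare_digest(expected, candidate):
                self.last_accepted_step = step
                return True
        return False


if __name__ == "__main__":
    # RFC 4226 counter 0 -> 755224; RFC 6238 T=59, 8 digits -> 94287082
    print(hotp(RFC_TEST_SECRET, 0))
    print(totp(RFC_TEST_SECRET, 59, digits=8))
    v = TotpVerifier(RFC_TEST_SECRET, digits=8)
    print(v.verify("94287082", 59))   # True: valid code for step 1
    print(v.verify("94287082", 70))   # False: same code replayed inside the window
```

Two points matter in deployment. First, the shared secret must be generated randomly per user and stored with the same care as a password hash database; the token's security is entirely that of the seed. Second, the drift window should stay small (one step is typical), because every extra step the server accepts gives an attacker more valid codes to guess.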
While many authentication models provide some level of protection, no single factor is sufficient on its own. Organizations should therefore implement secure authentication by combining factors from at least two different categories, for example a password plus a possession factor. Two factors from the same category, such as a password and a security question, add little, since both can be stolen the same way.