For decades the simple username/password combination has been the de facto standard for user authentication. With the exception of banking applications and some corporate VPNs, multi-factor authentication has never gained serious traction. In a moment I’ll examine why this is the case, but first I want to quickly run through the pitfalls associated with simple password-based authentication.
The problem with passwords
I could talk about the merits of various password policies (complexity, change frequency etc.), but the fundamental problem is not the password, it’s the user. Moore’s law dictates that computers become more powerful every year, and therefore the ability to “crack” passwords becomes easier year on year. Unfortunately Moore’s law does not apply to the human brain, and recent research from Ian Robertson, professor of psychology at the Institute of Neuroscience and School of Psychology at Trinity College in Dublin, shows that our ability to remember key information is actually declining. How many of us can remember our friends’ phone numbers? We don’t need to, because we have all the numbers we need on our smartphones. Likewise we don’t need to remember important dates: our iPhones will tell us when we have a dentist’s appointment and Facebook ensures we’ll never miss a friend’s birthday. Memory retention is especially poor in the under-30 age group. Unfortunately we’ve now reached a situation that can best be summarized as “the only secure password is the one you can’t remember”.
Why has multi-factor authentication not gained traction?
Multi-factor authentication seems like a silver bullet: humans may not be able to remember a 1024-bit secret, but a microchip can. So why is two-factor authentication not the de facto standard? Biometric technology is still not mature enough to be cost effective and robust for most organizations, which leaves only one-time passwords. To date, one-time password technology has been proprietary and expensive. Tokens such as RSA SecurID have been on the market for over a decade but come with high unit and implementation costs. Physical tokens also introduce a logistics burden – what happens when your VP of Sales loses his token whilst on a business trip to another continent?
Standards lead to adoption, and lower costs
A relatively recent open standard for two-factor authentication has emerged. Known as OATH, the standard includes specifications for time-based and event-based tokens. Manufacturers are now producing tokens such as Feitian’s C100/C200 in the sub-$25 range. Crucially, it’s no longer necessary to buy tokens in volume to get a fair price; the market is opening up to small and mid-size businesses.
Soft tokens are replacing physical ones
Another significant development is the emergence of software-based tokens. Most token manufacturers are now offering soft tokens alongside traditional devices, and recent studies suggest soft tokens are overtaking physical devices in terms of adoption. This further reduces implementation costs and significantly reduces the logistical overhead associated with traditional tokens. The emergence of cloud-based technologies has further simplified the deployment of soft tokens – our own Cloudpass token requires no installation on either the client or the server. Smartphones have also evolved to the point where they can be used as multi-factor authentication tokens, and the concept fits with trends in modern lifestyles: if we now rely on our smartphones to manage our phone numbers, dates, shopping lists etc., why not use them to manage our passwords? We see smartphone-based authentication as a very important tool in our security arsenal, which is why we’re implementing Google Authenticator on our platform alongside the other token technologies.
A word of caution
Two-factor authentication is not quite the silver bullet. Tokens can be lost, stolen or damaged; malware could steal the underlying secret used by soft tokens; and users need to carry their physical tokens along with their phone, car keys, wallet etc. It’s possible to mitigate many of these risks – most importantly, tokens should be used alongside traditional passwords (remember, we’re talking about two-factor authentication). If you adopt soft tokens (including smartphones), be careful to ensure that you have appropriate security policies in place to guard against malware.
We’ve reached the limits of what can be achieved with simple password policies. The sad reality is that computers are now better at cracking passwords than we are at remembering them. The emergence of low-cost one-time password devices along with cloud-based authentication platforms means that two-factor authentication is now feasible for even the smallest organizations. So long as you are aware of the risks associated with tokens and take basic steps to mitigate them, you should be able to significantly increase your security. The days of simple passwords are numbered.
Two-factor authentication is a key component of our SaaS-based authentication and single sign-on platform; it’s available on all plans, which are completely free for up to 10 users. Find out more …