The Fall of Passwords and the Rise of Analytics
Every year, millions of organizations and internet users suffer from credential theft and scams perpetrated online. Phishing remains the most common method used by threat actors; stolen passwords and session cookies allow them to hijack people’s accounts. From there, they are able to access users’ mailboxes, obtain additional information and perform business email compromise (BEC) campaigns against other targets.
While multi-factor authentication (MFA) provides an added layer of security, phishing and password theft remain a growing problem. According to the 2021 Microsoft Digital Defense Report, reports of phishing attacks doubled in 2020, while more recent data shows that more than 10,000 organizations were targeted from September to July 2021.
Luckily, the growing nature of this problem is also fostering creative solutions, including zero-trust security environments, and industry leaders are listening.
Earlier this year, three major tech companies—Apple, Google and Microsoft—announced that they were making a historic decision. In short, they declared their support for a common passwordless sign-in standard created by the Fast IDentity Online (FIDO) Alliance and the World Wide Web Consortium (WWWC).
Per this new standard, passwords will be stored on devices or the cloud-sync service used by the operating system. A personal device becomes a single point of access where identity is authenticated through a PIN, a fingerprint or a facial scan. This decision will speed the transition to a zero-trust security posture and help companies to provide users with a seamless online experience while maintaining the highest security standards.
It also demonstrates that enterprises are moving away from password lists and other legacy security approaches that are proving to be less effective over time.
In recent decades, the process for authentication has evolved to include four primary elements:
- What you know (a password or security questions)
- What you have (security key, RFID card, push notifications, etc.)
- What you are (biometric data, a thumbprint, facial recognition)
- What you do (behavioral analytics, online activity, spending habits, etc.)
Of these four elements, passwords are the most widely used form of authentication and the most vulnerable. Part of this stems from the amount of personal information people share online today. In 2018, internet users worldwide had an average of 8.5 social media accounts, and the number of devices and connections in North America alone reached an average of 8.2 per person (5.6 in Western Europe). By 2023, the latter is projected to reach 13.4 and 9.5, respectively.
This trend is reflected in the growth of worldwide internet use, which went from 36.3% of the global population in 2013 to more than half by 2019. This growth is projected to increase and encompass 90% of the world by the middle of the century. Every account, device and connection—most of which are secured using password protection—constitutes a potential breach point for threat actors. From there, these actors can access more personal information, spread malware and further compromise individual accounts or entire networks.
The question for organizations and cybersecurity specialists is simple: “How can we deliver an optimal user experience while still ensuring security?” The new standard recommended by FIDO and the WWWC is a good start. By reducing reliance on passwords and giving users a way of keeping their credentials close at hand, users can easily move from device to device and between operating systems and platforms. However, this practice can be vulnerable because it exchanges multiple points of entry for a single, full-access point.
The next step is to take the fourth element of the authentication regimen (what you do) and strengthen it using advanced analytics and machine learning. In so doing, user behavior can be placed in an environmental context and analyzed to establish what is normal for that user. To decide whether enough evidence has been gathered that the user is who they claim to be, we must consider the following questions:
- Are they using a public or private network?
- Do we recognize the device they are using?
- Where are they? (And where were they previously?)
- Can we confirm they are in an expected location?
- Are they on a known risky IP address?
- Has there been a SIM card swap (or are their credentials available on the dark web)?
Leveraging behavioral analytics and an environmental context policy has the added benefit of simplifying policies. By having a starting point where security authenticators can define what constitutes normal behavioral patterns for the user (or someone like them), fewer context or threat checks need to be defined. After initial authentication, these measures will be used on a continuous basis to reevaluate the user’s behavior to determine if there has been enough change (or new context) to warrant a reauthentication request.
Reauthentication also could be required if a user engages in higher-risk tasks. For example, a person can shop online all day but must authenticate their identity once they purchase any of the items in their shopping cart. In a workforce scenario, an employee could be called upon to reauthenticate if something changes in their behavior (e.g., they suddenly leave the building with their phone, laptop or other personal devices).
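The contextual questions and step-up logic described above can be expressed as a small risk-scoring policy. The following Python is an added example, not code from the original article or from any vendor: it scores one request against a user's learned baseline (known devices, usual locations, last seen context, SIM-swap and credential-leak flags), decides between allow, step-up reauthentication and deny, and re-evaluates on each subsequent check-in so that an implausible change of context (for instance, impossible travel) triggers reauthentication. The signal weights, thresholds, the TEST-NET-3 "risky" address and all sample scenarios are constructed assumptions; a real deployment would tune them from observed behavior.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt
from typing import List, Optional, Set, Tuple

# Constructed, illustrative risk weights and thresholds (assumptions, not
# values from the article); tune them against real user populations.
WEIGHTS = {
    "unknown_device": 30,
    "public_network": 10,
    "risky_ip": 40,
    "unexpected_location": 20,
    "impossible_travel": 40,
    "sim_swap": 50,
    "leaked_credentials": 30,
}
STEP_UP_AT = 30           # at or above: ask the user to reauthenticate
DENY_AT = 70              # at or above: refuse the request outright
MAX_PLAUSIBLE_KMH = 900   # faster than this between two sightings is not travel
HOME_RADIUS_KM = 50       # within this distance of a usual location is "expected"

# Constructed denylist using a TEST-NET-3 address (RFC 5737), not a real indicator.
RISKY_IPS: Set[str] = {"203.0.113.7"}


@dataclass(frozen=True)
class Context:
    """What we observe about one request or session check-in."""
    device_id: str
    ip: str
    network: str                    # "private" or "public"
    location: Tuple[float, float]   # (latitude, longitude) in degrees
    at: datetime


@dataclass
class UserBaseline:
    """What is 'normal' for this user, learned before this session."""
    known_devices: Set[str]
    home_locations: List[Tuple[float, float]]
    last_context: Optional[Context] = None   # updated on every accepted check-in
    sim_swapped: bool = False                # carrier reported a recent SIM change
    credentials_leaked: bool = False         # credentials seen in a breach feed


def haversine_km(a: Tuple[float, float], b: Tuple[float, float]) -> float:
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def risk_score(ctx: Context, baseline: UserBaseline) -> Tuple[int, List[str]]:
    """Answer the contextual questions and sum the weights of every signal that fires."""
    reasons: List[str] = []
    if ctx.device_id not in baseline.known_devices:
        reasons.append("unknown_device")
    if ctx.network == "public":
        reasons.append("public_network")
    if ctx.ip in RISKY_IPS:
        reasons.append("risky_ip")
    if all(haversine_km(ctx.location, home) > HOME_RADIUS_KM for home in baseline.home_locations):
        reasons.append("unexpected_location")
    prev = baseline.last_context
    if prev is not None:
        km = haversine_km(prev.location, ctx.location)
        hours = max((ctx.at - prev.at).total_seconds() / 3600.0, 1.0 / 60.0)  # floor at one minute
        if km / hours > MAX_PLAUSIBLE_KMH:
            reasons.append("impossible_travel")
    if baseline.sim_swapped:
        reasons.append("sim_swap")
    if baseline.credentials_leaked:
        reasons.append("leaked_credentials")
    return sum(WEIGHTS[r] for r in reasons), reasons


def decide(score: int, high_risk_action: bool = False) -> str:
    """Map a score to an action; high-risk tasks (e.g. checkout) always step up."""
    if score >= DENY_AT:
        return "deny"
    if score >= STEP_UP_AT or high_risk_action:
        return "step_up"
    return "allow"


def evaluate(ctx: Context, baseline: UserBaseline, high_risk_action: bool = False):
    """One continuous-authentication check-in: score, decide, and remember the context."""
    score, reasons = risk_score(ctx, baseline)
    decision = decide(score, high_risk_action)
    if decision != "deny":
        baseline.last_context = ctx   # only accepted sightings feed the next comparison
    return decision, score, reasons


def run_samples() -> dict:
    """Constructed scenarios; returns {name: (decision, score, reasons)}."""
    t0 = datetime(2022, 6, 1, 9, 0)
    nyc = (40.71, -74.01)                     # constructed usual location
    baseline = UserBaseline(known_devices={"laptop-01"}, home_locations=[nyc])
    office = Context("laptop-01", "198.51.100.5", "private", nyc, t0)
    out = {}
    out["normal"] = evaluate(office, baseline)                          # allow
    out["checkout"] = evaluate(office, baseline, high_risk_action=True)  # step_up
    # One hour later, an unknown phone on a risky public address in London.
    roaming = Context("phone-99", "203.0.113.7", "public", (51.51, -0.13), t0 + timedelta(hours=1))
    out["hijack"] = evaluate(roaming, baseline)                         # deny
    swapped = UserBaseline(known_devices={"laptop-01"}, home_locations=[nyc], sim_swapped=True)
    out["sim_swap"] = evaluate(office, swapped)                         # step_up
    return out


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(name, result)
```

The "hijack" scenario shows why the check is continuous rather than one-off: the device, network and address signals alone would already step the session up, but the comparison with the previous accepted context is what turns a London check-in one hour after a New York one into an outright denial. Denied sightings deliberately do not overwrite `last_context`, so an attacker cannot "reset" the baseline by being refused.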
There are also numerous indicators that the time is right to go passwordless. For one, stronger authentication options are readily available today that are cheaper and more accessible than in the past. This includes phone and laptop-based biometric authentication, which is becoming ubiquitous for phones (thumbprints and facial recognition) and increasingly common for laptops. The growing use of multiple devices and operating systems across several platforms is another.
Above all else, the goal is to reduce the number of steps and interactions people are forced to go through to maximize their user experience without compromising security. Put simply, dropping passwords and relying on context policy and analytics has the potential to deliver the right user the right access to the right resources at the right time for the right reasons.