For many years, the problems with password-based authentication have plagued the cybersecurity industry. Passwords are stolen, brute-forced and circumvented in a myriad of ways by attackers seeking a way into the accounts of their unfortunate victims. The main countermeasure has historically been two-factor and multi-factor authentication (2FA/MFA).
Basically, two-factor authentication combines two independent kinds of evidence to authenticate a user: something you know (a password or PIN), something you have (a physical token, or a registered phone) and something you are (a fingerprint, iris scan or voice pattern). A second password is not a second factor; the point is that an attacker has to defeat two different kinds of proof.
But the problem is that 2FA/MFA have had their own set of complexities in implementation and integration, to say nothing of their vulnerabilities. For instance, in older days, adding fingerprint authentication was an arduous and costly process, requiring expensive hardware and complex SDKs and APIs. And aside from that, fingerprint templates can be stolen from the databases that store them, and latent prints can be lifted from surfaces the user has touched and used to defeat the second factor. Unlike a password, a compromised fingerprint cannot be changed.
Physical tokens have their own flaws. They can be lost or stolen, and they are an extra burden that the user has to carefully look after. Because a token serves only one purpose, users are prone to forget it: it stays on the office desk, and its owner only remembers it at home, when trying to access the account and finding the key is not there.
All of these challenges and complexities have become major hurdles in the implementation of 2FA/MFA.
But that is gradually changing, as advances in mobile technology provide many new opportunities for strengthening the security of online accounts. For one thing, smartphones are extremely personal devices. They have become an inherent part of our lives, a digital extension of the self that is rarely separated from its owner and seldom forgotten on counters and desks. And because they are always connected, they are a natural channel for identifying us on the internet.
As the recent disputes between tech companies and law enforcement over device encryption have shown, current generations of mobile devices also offer strong on-device protection (hardware-backed key storage and full-device encryption), which makes them well suited to act as the physical second factor that confirms an authentication.
In fact a number of companies, including Google, are exploring the use of mobile devices as the main medium for login and authentication. Instead of entering a passcode, users receive a notification on their phone and respond to it to grant access to the account. Only the person who can unlock the phone can confirm the notification. Therefore, by remembering a single 4- or 6-digit PIN, users can control all of their accounts and no longer need to remember a different complex password for each mobile-authenticated account. The trade-off is that possession of the handset plus that PIN now protects every linked account, so the prompt should tell the user exactly what is being approved, and a prompt the user did not trigger should be refused rather than tapped away.
But the progress of mobile goes well beyond enabling simple physical token access. The features that are embedded in today’s phones make them perfect for many other scenarios and forms of authentication. For instance, the fingerprint scanners on most new phones are enabling service providers to implement fingerprint authentication more easily. Puerto Rican startup company Qondado LLC has launched an easy-to-implement service called KodeKey, which enables developers to integrate fingerprint authentication into their web apps in a few easy steps. The platform is also available as a WordPress plugin, which users only need to install and register on their website.
Instead of using passwords, KodeKey sends a fingerprint scan request to the user's phone when they try to log in to their account. No fingerprint data is sent over the internet: the match takes place inside the secure confines of the phone, and only the result of the challenge is returned to the service provider, which uses it to authenticate the user. For that result to be worth anything it has to be cryptographically tied to the specific challenge, a signature or MAC computed with a key that never leaves the phone, rather than a bare success flag that anyone could send.
Beyond fingerprint scans, smartphones offer a plethora of other features that can all be used for MFA. High-resolution cameras support face and iris recognition. High-quality microphones can be used for voice recognition. GPS can be used for geolocation- and geofencing-based authentication. And all of them can be blended together to improve security and prevent identity theft. LaunchKey offers a decentralized authentication platform that enables developers to leverage the full power of mobile devices to set up multi-factor authentication for their services without the use of passwords. The platform takes advantage of the features available on mobile devices and lets users secure their accounts with rules that require one or more authentication steps, depending on the sensitivity of the account or of the action being taken.
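To make the two mechanisms described above concrete, the push/challenge flow where the phone returns only the outcome of a local check, and a per-action policy that demands one or more factors, here is an added illustration in Python. It is not KodeKey's or LaunchKey's code, and it uses only the standard library. The phone proves possession with an HMAC over a server-issued nonce, keyed with a secret assumed to have been provisioned at enrollment (a real deployment would use a hardware-backed asymmetric key instead); the policy table, action names, user name and the 60-second challenge lifetime are all assumed values for the example.

```python
"""Mobile challenge-response login with a per-action factor policy.
Illustrative code added to this article, not KodeKey's or LaunchKey's
implementation. The biometric never leaves the phone: only a MAC and the
list of factors satisfied locally are sent back."""
import hashlib
import hmac
import secrets
import time

CHALLENGE_TTL = 60  # seconds a challenge stays valid (assumed value)

# Assumed policy: factors the phone must satisfy before approving an action.
POLICY = {
    "view_balance": {"pin"},
    "transfer_funds": {"pin", "fingerprint"},
}


def _transcript(nonce, user, action, factors):
    """Bytes covered by the MAC. Binding user, action and claimed factors to
    the nonce stops a relayed answer being reused for a different purpose."""
    return b"|".join([nonce, user.encode(), action.encode(),
                      ",".join(sorted(factors)).encode()])


class AuthServer:
    def __init__(self):
        self.devices = {}   # user -> device secret shared at enrollment
        self.pending = {}   # challenge_id -> (user, action, nonce, expires_at)

    def enroll(self, user, device_secret):
        self.devices[user] = device_secret

    def issue_challenge(self, user, action):
        """Step 1: the service pushes a fresh challenge to the enrolled phone."""
        if user not in self.devices or action not in POLICY:
            raise ValueError("unknown user or action")
        challenge_id = secrets.token_hex(8)
        nonce = secrets.token_bytes(32)
        self.pending[challenge_id] = (user, action, nonce, time.time() + CHALLENGE_TTL)
        return {"challenge_id": challenge_id, "nonce": nonce.hex(),
                "action": action, "required": sorted(POLICY[action])}

    def verify(self, response, now=None):
        """Step 3: check the phone's answer. Returns (accepted, reason)."""
        now = time.time() if now is None else now
        entry = self.pending.pop(response["challenge_id"], None)  # single use
        if entry is None:
            return False, "unknown or already used challenge"
        user, action, nonce, expires_at = entry
        if now > expires_at:
            return False, "challenge expired"
        factors = set(response["factors"])
        if not POLICY[action] <= factors:
            return False, "policy not met for " + action
        expected = hmac.new(self.devices[user],
                            _transcript(nonce, user, action, factors),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, bytes.fromhex(response["mac"])):
            return False, "bad mac"
        return True, "ok"


def phone_respond(challenge, user, device_secret, satisfied):
    """Step 2, on the handset: `satisfied` is the set of factors the OS has
    just verified locally (PIN entry, fingerprint match). Only that outcome,
    bound into the MAC, goes back over the network."""
    nonce = bytes.fromhex(challenge["nonce"])
    mac = hmac.new(device_secret,
                   _transcript(nonce, user, challenge["action"], satisfied),
                   hashlib.sha256).hexdigest()
    return {"challenge_id": challenge["challenge_id"],
            "factors": sorted(satisfied), "mac": mac}


def demo():
    """Runs the flow on constructed inputs and returns each verdict."""
    server = AuthServer()
    secret = secrets.token_bytes(32)  # assumed to be provisioned at enrollment
    server.enroll("alice", secret)
    r = {}
    ch = server.issue_challenge("alice", "view_balance")
    resp = phone_respond(ch, "alice", secret, {"pin"})
    r["pin_only_ok"] = server.verify(resp)[0]         # PIN meets the policy
    r["replay_rejected"] = server.verify(resp)[0]     # challenge already consumed
    ch = server.issue_challenge("alice", "transfer_funds")
    r["transfer_pin_only"] = server.verify(phone_respond(ch, "alice", secret, {"pin"}))[0]
    ch = server.issue_challenge("alice", "transfer_funds")
    resp = phone_respond(ch, "alice", secret, {"pin"})
    resp["factors"] = ["fingerprint", "pin"]           # relay adds a factor: MAC breaks
    r["tampered_factors"] = server.verify(resp)[0]
    ch = server.issue_challenge("alice", "transfer_funds")
    r["wrong_secret"] = server.verify(
        phone_respond(ch, "alice", b"not-the-secret", {"pin", "fingerprint"}))[0]
    ch = server.issue_challenge("alice", "transfer_funds")
    resp = phone_respond(ch, "alice", secret, {"pin", "fingerprint"})
    r["transfer_both_ok"] = server.verify(resp)[0]
    ch = server.issue_challenge("alice", "transfer_funds")
    resp = phone_respond(ch, "alice", secret, {"pin", "fingerprint"})
    r["expired"] = server.verify(resp, now=time.time() + CHALLENGE_TTL + 1)[0]
    return r


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

The server never learns whether a fingerprint matched; it only learns that the device holding the enrolled key claims the fingerprint factor was satisfied, and the MAC makes that claim unforgeable and unmodifiable in transit. Each challenge is single-use and expires, so a captured response cannot be replayed, and the factor set is part of the signed transcript, so a relay cannot upgrade a PIN-only approval into a two-factor one.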
Passwords are far from dead, but mobile is surely changing the way we interact with our internet profiles. As internet usage moves more and more toward mobile, there may come a day when passwords become history.