Proving you are "you" has always been tricky. In the past, when personal information was not generally put online, asking a few personal questions was enough. Where did you live when you were 10 years old? What was the amount of your last mortgage payment?
Anyone could answer these questions and get access to sensitive information about another person.
Unfortunately, last year's breach of credit-information firm Equifax resulted in sensitive information on more than half of all U.S. adults being exposed, further undermining the utility of static information as a security measure.
"Those days of providing static information to establish identity have been over for a long time, but we, as an industry, have been in denial," said Robert Capps, vice president and authentication strategist for NuData Security.
"It used to be that we would look at Social Security number and mother's maiden name, and then it was more detailed, such as what color your first car was or your mortgage payment. Now all that information is the in hands of fraudsters."
Because many of these questions are also used in account recovery, finding better ways to confirm that a user is authorized has become a critical area of research.
While the use of sensitive personal information—and by extension, passwords—for user authentication has resisted elimination by other technologies, security companies and researchers are increasingly trying to make reliance on such information unnecessary.
1. Using devices as keys
The first technology is not new, but has become much more popular as Apple Watch and other wearables become widespread. From using the device as a method of payment to automatically logging onto sites, a second device is increasingly the way that services secure against fraud.
Turning a device into a key can be as simple as using push technology to send a security message to the user. While using SMS text messaging as the second channel is increasingly considered insecure, other push technology has become popular.
"You are authenticating to the device, which is performing the cryptographic authentication, or just using the phone as the second factor itself," said Rich Smith, director of research and development for authentication-provider Duo Security. "No one is really pushing the idea of a stronger more complex password anymore."
2. Telltale user activity tells a story
While the way you type and the way you use your mouse are not enough to identify you uniquely, bringing together a variety of different telltales of how a user browses the Web or uses their computer does create a strong digital fingerprint, Nu Data's Capps said.
Using different aspects of behavior—such as keystroke rate, navigational habits, whether the user uses the mouse or the tab key and the speed at which a user reads the page—algorithms can decide whether the user is likely the authorized individual, a robot or an imposter.
"Those sorts of data points are all brought together to give you a pretty good approximation of whether it is the consumer or not," Capps said. "And once you have made that determination, you can do some really cool things like step up the authentication mechanism for that user … you have the ability to challenge them a little bit more, making it more difficult to bypass the authentication."
3. Enabling the browser
A world without passwords may not be too far away, at least for signing onto your favorite web services. The FIDO Alliance, a group of vendors establishing standards for authentication on the web, has created a new standard known as Web Authn. The specification is less about determining whether a user is who they say they are and more about establishing a way for devices to pass on authentication information.
When a user logs into a web site, for example, they can put in their user name, and then the web site can request an out-of-band authentication—for example, through their phone. Web Authn, along with integration on the part of the developer, makes the handoff happen seamlessly in the background.
"Passwords are not the greatest way to authenticate," said Duo Security's Smith. "Web Authn is taking the next step forward and asking—if there was no password—can we actually build a situation where we don't have to ask for a password anymore?"
4. Facial recognition with a twist
Soon after Apple announced latest phone, Apple X, attackers broke its Face ID facial recognition technology with a $200 3D printed mask
, makeup and specially structured areas. While Face ID looks for movement, the attack showed the danger in relying on a fairly static image for identifying the user.
A group of researchers from the Georgia Institute of Technology have created an improved technology—called real-time CAPTCHA—that adds a random challenge to the process. The authentication mechanism asks the user to take some action, such as smile or say hello, and gives them a short time window to complete the action.
The researchers found that the fastest computer took upwards of 10 seconds to translate the command and modify a computer-generated image, while humans responded in about a second.
"If a system uses a static face, that is not good—the challenge has to be random," said Wenke Lee, professor of computer science for Georgia Tech. "Humans are naturally better than machines at doing this, and that’s what you want—a challenge where the user is always better than the machine.”
5. Better authentication information using blockchain?
It seems every trend in technology now has a blockchain component and authentication is no different. Companies are looking at blockchain, the cryptographic data storage technology, as a way to secure authentication information for public-facing systems.
"I think that we will see blockchain technology, because there are some real attractive attributes of blockchain that lends itself to identity and authentication," said Will Gragido, director of advanced threat protection for Digital Guardian. "It is distributed from a database perspective. It utilizes peer-to-peer communications, so there is never a single point of failure. It has transparency and pseudo anonymity and is irreversible so transactions cannot be deleted once they are there."
These sorts of attributes are all assets in authentication.
While few of these trends are significant departures from what we have today, authenticating users has always been about small steps. Passwords—the original way to authenticate a user—continues to be the most popular authentication mechanism.
Yet, the future may finally kill off passwords, replacing them with a more comprehensive combination of attributes to identify the user.