Hard times have arrived. And I’m talking seriously now.
Let me introduce you to a simple game: try to count how many of the services you use across the Internet require you to authenticate by typing a password. Just begin looping through them in your mind…my Facebook…and LinkedIn…the banking account…and the other online payment platform…this and that marketplace…the Google account…oh, these two old emails as well…the other online banking account…aaah, and the MySpace account from 2008!
How many have you come up with? I know – really many. And I bet the number has two digits and is still not realistic, since there are other services which you have used only once and have probably forgotten to count. But even if we exclude the used-once-and-never-again accounts, the total adds up to, on average, 5 to 10 or slightly more online services that most of us use regularly, day in and day out.
If we consider that we, as users, have the habit of registering with the same username and/or email (which we remember well) for each of these services, it is a fact that these services require us to have a dozen passwords, each of them different, containing a random combination of special characters, numbers, voodoo magic symbols and letters. And here I want to ask another question – isn’t your daily routine busy enough without the great extra effort of remembering all of these? Mine is, and so is yours, don’t lie to yourself. That’s why I said – hard times have arrived.
I have been carrying the desire to discuss current online authentication methods for a while, because we all suffer from the syndrome of not being able to recall a given password for a given service at a given time. And there are moments when it is crucial that we remember our credentials: we have already reached the point in our development as human beings at which we strongly depend on digital online services for day-to-day jobs. So, typing passwords full of sh**ty characters that are hard to remember is a real mess, although it is accepted and used by almost 100% of online services. So, are there any alternatives which can save us from running into trouble?
Kaboom! There are, of course, and you have probably already used or, at least, heard of them. So, let us cover the already developed solutions which we can use as opportunities for better, more comfortable and, most important of all, more secure online authentication. We have real statistics from a survey as well!
| Preferred by | 29% of questioned |
We will begin by describing the nasty traditional passwords that we already mentioned. Since this authentication method is, as I said, used by almost all online services, there are general rules for constructing traditional passwords (not official, but actually) accepted by many, if not most, of these services on the Internet. The password need not be the length of a book, but it must be at least 8 characters long, must contain small and capital letters, must use at least one digit and one “special” character (I don’t know what makes * or # or % special, but anyway) and should not reflect anything obvious about you (name, birthday, home town or country, workplace, etc.). And if we consider the advice that it has to be different for every other online service (for better security), memorizing becomes an activity taken out of hell. If you stick to the policy of using the same word and just randomizing it (as 71% of the survey’s participants do) for the different web services, we still remain in trouble, because, when we can’t exactly remember the password, we try different combinations using this or that special character. First time – no success. Second time – the same. Third time…oops, our account is temporarily suspended (94% of the people who filled in the survey confirmed having gone through such an experience at least once in their lives).
We have all gone through this. According to the survey, 29% of the questioned answered that they still prefer traditional passwords. I can only explain this by the strong security level, which is certainly there (although 82% of the questioned said they had never had an account hacked). This high security, however, comes at the cost of high implementation effort. So, we have covered the problematic stuff; let’s continue to the other methods.
| Preferred by | 12% of questioned |
The first opportunity which can bring us more comfort when authenticating is replacing traditional passwords with so-called passphrases. First mentioned in 2005, passphrases are a further step in the improvement and evolution of the traditional password. Generally speaking, a passphrase is a normal password from which all of these hard-to-remember special signs and numbers have been eradicated. In other words, the passphrase must be longer (this is a requirement), but it can be a whole human-readable phrase which is easier to understand and keep in mind than a cryptic word, thus removing the need to write it down on a piece of paper or to use the same password everywhere. The goal of the passphrase is to make sense linguistically and this, combined with the extended character length, makes it at least as secure as the traditional password, but much more usable. So, preserving traditional password complexity requirements while providing more usability again needs high implementation effort, but, to me personally, it is no greater than the effort necessary to implement a regular password mechanism.
Users worldwide still believe that a short word with special characters is more secure against automatic guessing than a longer word without any of them. However, it is not, and don’t forget that, for a machine that’s trying to hack us, our phrase means nothing more than a longer combination of alphabetic characters (so, when this hacker machine meets fewer special characters, that does not make our long phrase of alphabetic characters any easier to guess). So, the passphrase approach can easily replace the traditional password if users begin to believe it is more secure, which, actually, it is.
Just for fun, you can have a look here and test for yourself how strong a passphrase can be. I found out, for example, that while “zxcvbn” can be guessed in 35 minutes, “alexIsAHappyMan” needs, I quote here, “centuries” (if we assume there are 100 attacks per hour). So, do you still believe passphrases are weak? I know, you are now thinking: “Okay, computationally the passphrase is hard to steal, I agree, but doesn’t a human-readable phrase compromise my security? Can “alexIsAHappyMan” be brute-forced and easily guessed by another human?” Well, once again, it is a really tough job, because if you consider lower- and uppercase characters mathematically (as possible combinations), even if we take for granted that the attacker knows the exact phrase, the statistical chance is ridiculously small. So, moving on!
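As an added illustration (not part of the original post), here is the arithmetic behind the claim that a longer letters-only phrase outgrows a short password with special characters. The 100 attacks per hour rate is the post's; the offline rate, the "P@ssw0rd" sample and the function names are assumptions made for this example.

```python
import math

# Alphabet an exhaustive attacker must cover for each character class; the
# four sizes add up to the 95 printable ASCII characters.
CLASSES = {
    "lower": "abcdefghijklmnopqrstuvwxyz",
    "upper": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "digit": "0123456789",
    "special": "!@#$%^&*()-_=+[]{};:'\",.<>/?`~|\\ ",
}
SECONDS_PER_YEAR = 365 * 24 * 3600
ONLINE_RATE = 100 / 3600        # the post's "100 attacks per hour", per second
OFFLINE_RATE = 1e10             # assumed rate for an attacker who stole a hash database


def alphabet_size(secret):
    """Size of the alphabet made of every character class the secret uses."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in secret))


def keyspace_bits(secret):
    """log2 of the number of candidates an exhaustive search has to cover."""
    return len(secret) * math.log2(alphabet_size(secret))


def years_to_exhaust(secret, guesses_per_second):
    """Worst-case time to try every candidate at the given guess rate, in years.

    This is only an upper bound on attacker effort: a pattern-aware estimator
    (like the one linked in the post) prices a keyboard walk such as "zxcvbn"
    at far fewer guesses than 26**6, which is why it reports minutes there.
    """
    candidates = alphabet_size(secret) ** len(secret)
    return candidates / guesses_per_second / SECONDS_PER_YEAR


def longer_alpha_beats_short_special(long_alpha, short_special):
    """True when the longer letters-only secret has the bigger search space."""
    return keyspace_bits(long_alpha) > keyspace_bits(short_special)


if __name__ == "__main__":
    # "P@ssw0rd" is a constructed 8-character example of the traditional rules.
    for secret in ("zxcvbn", "P@ssw0rd", "alexIsAHappyMan"):
        print(f"{secret:16s} {keyspace_bits(secret):5.1f} bits  "
              f"online: {years_to_exhaust(secret, ONLINE_RATE):.3g} y  "
              f"offline: {years_to_exhaust(secret, OFFLINE_RATE):.3g} y")
```

Even the all-lowercase "alexisahappyman" (about 70 bits) beats the 8-character "P@ssw0rd" (about 53 bits), which is the post's point about length versus special characters.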
| Usability level | Very good |
| Preferred by | 6% of questioned |
Also referred to as third-party sign-in, social sign-in is an authentication method which allows you to use, e.g., your Facebook, Twitter, LinkedIn, Google, etc. account to authenticate to third-party services. In other words, many (third-party) services integrate the available social media features, which then ease the user's authentication process. So, you log in once to your (let’s say) Facebook account and then, if the other service uses Facebook’s social sign-in features, you just click “log in with Facebook” and you are in! However, before letting you into the other service, Facebook will first kindly ask you to grant permissions to the third party (such as retrieving your personal information, photos and so on, which depends on the third-party service itself). This, however, is the point where all users feel scared and refuse to use social sign-in, and this fact is backed up by our survey results, showing that just 6% of the questioned prefer this authentication method. However, if you use the social sign-in of a renowned service which has proved to be secure (e.g. Facebook or Google), even if you grant all permissions to the third-party application, security is pretty fair (but, to me personally, not as good as with a traditional password or passphrase). I believe it is clear that usability is very good, but this, of course, requires a high level of implementation effort (so that there are no security leaks).
| Preferred by | 35% of questioned |
Wow! Two-factor authentication seems to be the choice with the biggest share among the people who took part in our survey. Also known as two-step auth, two-factor authentication is selected by 35% of the questioned.
What is it in essence? Well, an extension of the traditional password. How do you perform a two-step authentication? First, you input a traditional password and, after the username/password combination is successfully verified, you receive a unique code via email or SMS (which has a short period of validity) that needs to be filled in to finish the login. So, this method actually provides double security, as its name states. The only vulnerable case has a really small chance of happening: someone has stolen both your password and your phone. Probably this high level of security convinces people that this is the best authentication method. But what about usability? I don’t think it scores well there, for many reasons, the main one being that there is usually a delay between logging in with the password and actually receiving the code via email or SMS. And it gets worse, because sometimes the unique code may arrive so late that it is already invalid (i.e. its validity has timed out). Then you must request a new one and go through the loop again. The “low” mark for implementation effort is not that fair either. If we consider two-factor authentication as functionality added on top of an already implemented traditional password authentication, then yes – it can be implemented relatively easily. But if you have to create the whole traditional-password-plus-unique-code authentication logic from scratch, then from a developer's perspective the effort grows even beyond that of a password-only solution.
| Preferred by | 0% of questioned |
Yep, you read that right – 0% of votes for password-free (or passwordless) authentication. Probably the parallel with “no security at all” which our brain draws after hearing the word “passwordless” puts people off this auth method altogether. But let’s face the facts about this kind of authentication method.
Imagine two-factor authentication, but without the first step. The person who wants to sign in only needs to remember their username and check their email or phone for a freshly received unique code, and is never required to input a password. Isn’t that cool, huh?
This method can be further extended by removing the manual code input via deep linking – you receive a unique link and it redirects you straight to the service – no passwords, no typing, just a simple click or tap. Feeling unsafe about security? Don’t forget that links can have a really short expiration period, which makes authentication a really secure and easy process, giving you access without any issues and right at the moment you need it. Probable drawbacks are, again, the possible delay in receiving the link, as well as a potential phone theft. But anyway – this is a method which is, again, relatively simple to implement and really easy to use, complete with a high security level. Maybe this is the future solution that will save us from the ridiculous character typing, so think twice when you hear the word “passwordless”.
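An added example (not the post's or any product's code) of the server side shared by the two-factor code and the passwordless link described above: a short-lived, single-use secret stored only as a hash, where issuing a new one invalidates a code that arrived too late. The 5-minute validity window, the 5-attempt limit, the class name and the example URL are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlencode

# Hypothetical policy values; the post only says the code or link is short-lived.
DEFAULT_TTL_SECONDS = 300
MAX_WRONG_ATTEMPTS = 5


def _digest(secret):
    return hashlib.sha256(secret.encode()).hexdigest()


class OneTimeTokenStore:
    """Short-lived, single-use login secrets for both the second step of
    two-factor auth (a 6-digit code from SMS/email) and the passwordless
    magic link (a long random token in a URL); only the secret's shape differs."""

    def __init__(self, ttl=DEFAULT_TTL_SECONDS, clock=time.time):
        self._ttl = ttl
        self._clock = clock        # injectable so expiry can be tested
        self._pending = {}         # username -> [digest, expires_at, wrong_tries]

    def _store(self, username, secret):
        # Only a hash is kept server-side, and a newly issued secret replaces any
        # older one, so a code that arrived too late can never be used later.
        self._pending[username] = [_digest(secret), self._clock() + self._ttl, 0]

    def issue_code(self, username):
        code = f"{secrets.randbelow(10 ** 6):06d}"   # what the user types in
        self._store(username, code)
        return code                                   # hand to the SMS/email sender

    def issue_link(self, username, base_url="https://login.example.test/magic"):
        token = secrets.token_urlsafe(32)             # 256 random bits: nothing to type
        self._store(username, token)
        return base_url + "?" + urlencode({"user": username, "token": token})

    def verify(self, username, presented):
        entry = self._pending.get(username)
        if entry is None:
            return False                              # nothing pending, or already used
        digest, expires_at, _ = entry
        if self._clock() > expires_at:
            del self._pending[username]               # expired: user must request a new one
            return False
        if hmac.compare_digest(digest, _digest(presented)):
            del self._pending[username]               # single use
            return True
        entry[2] += 1
        if entry[2] >= MAX_WRONG_ATTEMPTS:
            del self._pending[username]               # stops online guessing of a 6-digit code
        return False
```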
| Implementation effort | Low / Medium / High |
| Preferred by | 18% of questioned |
The coolest possible direction in which authentication can move, already is moving and for sure is going to move is to begin making use of biometric data! Face recognition, fingerprint reading, retina scanning, voice recognition – biology will be the solution to our problems. All these ways of authenticating via biometric data rely on sensors, so with technology evolving more and more and at a faster and faster pace, this will, at some point, clear away all other authentication methods. It is a fact that many devices nowadays can work with biometric data – we are already accustomed to unlocking our phones via fingerprint or face recognition. As time passes, all sensors will be precisely tuned and the data they send and receive will be processed at a much finer granularity, which will leave security uncompromised. Desktop computers are still lagging behind with this technology, but probably monitors and other plug-and-play devices will have sensors built in, thus enabling desktops to make use of biometric authentication as well. Implementation effort here can depend on many factors – number, type and precision of sensors, underlying operating system, running platform, etc. I am really excited about this form of proving that the given user is the one the system expects! Let’s hope it will destroy traditional password authentication.
Connected device authentication
| Implementation effort | Low / Medium / High |
| Usability level | Very good |
| Preferred by | 0% of questioned |
Another auth type – connected device authentication – is performed via a pre-established connection (a network connection over any possible protocol – Bluetooth, ZigBee, wireless, etc.) from one device to another on which someone has already authenticated. For instance, there can be an application that lets you sign in to your computer with your phone’s fingerprint scanner – that’s one of the simplest examples. You can imagine the possible impact this authentication method can have, since the Internet of Things is engulfing more and more devices and transforming them into connected ones that freely communicate with each other. To illustrate the great possibilities of this type of authentication, another example is the Bluetooth car key which authenticates you to the car’s on-board computer, thus unlocking the doors and letting you in. So, this method can become really helpful and it will evolve at the same speed as biometric authentication. Furthermore, it is essential that biometric and connected device authentication can be developed together as a single mighty auth methodology. If you ask developers about the effort needed to implement connected device authentication, you will get every possible opinion and all of them will be correct – the effort depends on the type of connected device, the environment it is running on, the communication protocol, the complexity of each device’s communication API, etc. However, despite being pretty promising, none of the questioned volunteers voted for this method. Pity.
Let’s not forget to mention these fellows as well. Password managers are software products with which you only have to remember one password (the master password) while the software keeps all your login information for every online service for you. There are many well-known solutions, such as LastPass and KeePass, for example, and I believe these programs can really help us partially solve our authentication problems. There are drawbacks, however, because first of all you need to properly set up all your accounts and their corresponding passwords in the password manager (which, to me personally, seems a bit boring). The other problem? As time passes and you use only the master password for the manager, you will, for sure, forget all the separate passwords for the separate online services you use. What happens then if you somehow forget or lose the master password, or get it stolen? You don’t just lose one account, you lose them all, as well as your personal data. That’s why I don’t think password managers will bring us any benefits in the future, and we did not spend much time reviewing them.
Conclusion about the future of online authentication
So far we have been talking about authentication, passwords, connected devices, social media and so forth, but we forgot to mention one thing – why is online authentication so important to us and why is it vital that it becomes much easier for us to use in the future? Firstly, in the present day, there is almost no separation between the real person you are and the online personality you have created for yourself. What I mean is that, for example, your profile on social media reflects your thoughts and opinions and shows your photos and videos. When buying something online, you get a real object delivered and, before that, you have paid with the money you have earned in reality. The examples could continue forever, but it is true – a considerable part of your personality has already moved online and it is essential that you keep this online personality of yours safe and sound. That’s where authentication comes into play – it is meant to protect your personal data, your online second self, from being stolen. Authentication procedures actually prove your identity in the “eyes” of this or that service, thus making sure the logged-in person is the one who has so far used the created profile. So, it is important that we become relaxed in the process of authenticating, which can only lead to better security and more comfort for us. As you saw, there are many possible directions for online authentication to follow, but in any case, it’s going to become simpler to use and much more protective of our personal data. For the moment, though, you will still have to remember a dozen nonsensical words so that you can successfully sign in to all the online services you use every day, but soon this will be history. Bright days are coming, pals!