Mobile Devices Driving the Future of Authentication

Background


One of the critical elements of the Internet economy is the act of validating, or authenticating, users. Whether it is to log in to your banking, email, social media or other services, you are required to authenticate to the system or device. A username and password pair is by far the most common form of user authentication; however, as many breaches and leaks have proven, it is neither entirely secure nor immune from attack and compromise.

Rise of Two-Factor Authentication

Authentication factors can be divided into three categories: what you know, what you have and what you are. Passwords fall into the “what you know” category, whereas two-factor authentication adds a second dimension such as what you are or what you have. Traditional two-factor auth typically adds the ‘what you have’ factor to the mix, your smartphone being something you would have. One example of two-factor authentication is to send a unique code to your smartphone via SMS that you are required to input alongside your username and password pair. This combines your knowledge of the password with possession of your smartphone to form two factors of authentication, and is considered more secure than a password alone. If an attacker compromised your password, they would also require access to your SMS messages to gain access to the service. Other two-factor authentication services, such as Google Authenticator or an RSA token, perform similar functions.

High-security environments such as the Department of Defense (DoD) have leveraged separate physical devices, namely the Common Access Card (CAC), for two-factor authentication. Not only is the password required; the physical CAC is also required as part of the authentication process.

Enter Biometrics

As we shift to using devices for more authentication, biometrics are playing an increasingly important role. Fingerprint detection has been a common method of authenticating to your mobile device, and recently face detection has been making waves as well. Unlocking your phone or mobile applications with your face or fingerprint provides a measure of convenience that passwords cannot match. However, these systems are not completely un-spoofable: while miles ahead of a weak password (which most people unfortunately use), they can be fooled with some advanced (and not-so-advanced) techniques that have been written about.

The Future - Advanced Biometrics

Fingerprints and facial scanning are just starting to scratch the surface of what can be detected and measured that is unique to you. Smartphones contain many sensors that can be used to derive biometric information beyond fingerprints or facial recognition. Fingerprint and facial recognition also have usability limitations, such as use with dirty hands, gloves, goggles or face masks. DISA is currently researching how to improve the security and usability of authentication by combining up to seven different authentication factors to identify and validate a given person’s identity. Tipping into the ‘what you have’ category, DISA is looking to use measures such as your walking gait: the unique pattern of walking tempo and the rise and fall of your steps, which, when combined with other factors, can add another layer of security that is difficult to copy and replicate. As we move into 2018 and really look forward, I think we will see the evolution of authentication shift from a combination of username/password and two-factor extra codes to multi-factor authentication that reads uniquely identifying biometric data, potentially without even requiring user input; the devices will just know that you are, in fact, you.
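As an added sketch of the idea (not DISA's research and not code from the post), the following Python extracts the two gait features the text names, walking tempo (cadence) and the rise and fall of each step (vertical swing), from an accelerometer magnitude trace, scores them against an enrolled template, and folds that score into an authentication decision alongside the knowledge and possession factors. The 50 Hz sample rate, the synthetic walking trace, the feature tolerances and the fusion policy in `authorize` are all assumptions constructed for the example; a real system would use trained models and empirically derived thresholds.

```python
import math

SAMPLE_RATE_HZ = 50  # assumption: a 50 Hz accelerometer


def synthetic_walk(seconds: float, steps_per_second: float, amplitude: float):
    """Constructed accelerometer magnitude trace (m/s^2): gravity plus one
    sinusoidal cycle per step. Stands in for real sensor data."""
    n = int(seconds * SAMPLE_RATE_HZ)
    return [9.81 + amplitude * math.sin(2 * math.pi * steps_per_second * i / SAMPLE_RATE_HZ)
            for i in range(n)]


def gait_features(samples):
    """Two simple gait features: cadence in steps/s (local maxima above the
    gravity baseline) and vertical swing, the peak-to-trough range in m/s^2."""
    baseline = sum(samples) / len(samples)
    peaks = sum(1 for i in range(1, len(samples) - 1)
                if samples[i] > baseline and samples[i - 1] < samples[i] >= samples[i + 1])
    cadence = peaks / (len(samples) / SAMPLE_RATE_HZ)
    swing = max(samples) - min(samples)
    return {"cadence": cadence, "swing": swing}


def gait_similarity(measured, enrolled, tolerance=None):
    """Score in [0, 1]: 1.0 when every feature matches the enrolled template,
    falling linearly to 0 at the tolerance. Tolerances are assumed values."""
    tolerance = tolerance or {"cadence": 0.5, "swing": 2.0}
    scores = []
    for name, enrolled_value in enrolled.items():
        diff = abs(measured[name] - enrolled_value)
        scores.append(max(0.0, 1.0 - diff / tolerance[name]))
    return min(scores)  # the weakest feature bounds the overall match


def authorize(factors, biometric_threshold=0.8):
    """Assumed fusion policy: the possession factor must pass; then either the
    knowledge factor passes, or every continuous biometric score (keys prefixed
    'bio:') clears the threshold. A biometric alone never substitutes for
    possession, because a sensor reading can be imitated more easily than a
    device can be stolen."""
    if not factors.get("possession", False):
        return False
    if factors.get("knowledge", False):
        return True
    biometrics = [v for k, v in factors.items() if k.startswith("bio:")]
    return bool(biometrics) and min(biometrics) >= biometric_threshold


if __name__ == "__main__":
    enrolled = {"cadence": 2.5, "swing": 4.0}  # constructed enrollment template
    owner = gait_features(synthetic_walk(4, 2.5, 2.0))
    stranger = gait_features(synthetic_walk(4, 1.5, 1.0))
    print("owner match:", gait_similarity(owner, enrolled))
    print("stranger match:", gait_similarity(stranger, enrolled))
    print("owner, no password, phone in hand:",
          authorize({"possession": True, "knowledge": False,
                     "bio:gait": gait_similarity(owner, enrolled)}))
```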