123456, qwerty, password, iloveyou, princess, dragon... The 2019 list of the Worst Passwords reminds us that many internet users are still dangerously unimaginative and underestimate cybersecurity issues. Fortunately for them, passwords may well become increasingly rare. Let’s take a look at the prospects for the future of authentication, with its futuristic gadgets and confidentiality issues.
Social networks, e-commerce sites, banking applications... On the Web, the number of passwords required has become mind-boggling, to the point where managing combinations of numbers and letters (moreover, preferably complicated to boot!) has become a real headache. “The greatest weakness of the password has to do with the ever-increasing number of digital identities. Each average user has 100 accounts that require [passwords]”, notes Xavier Plattard, Head of Web Access Management at Atos. “The easy solution is to use the same password everywhere... but, then, just one leak in one place means that many accounts will be compromised”, adds Franck Veysset, participant in the CLUSIF (Club de la sécurité de l'information français, the French Information Security Club), citing the recent case of Disney+, where thousands of accounts were hacked using identical passwords already present on the dark web.
Biometric authentication, which appeared on some smartphones a few years ago, is already making things a little easier. With Apple Face ID and Touch ID, Windows Hello or Samsung Iris Scan, unlocking your phone without a code has become the norm. Enough to imagine a 100% “passwordless future” where our eyes, fingers, faces and even voices could be used to identify ourselves everywhere, effortlessly? Not so fast! “At Atos, we don’t see passwords disappearing completely any time in the near future. We can, however, already significantly reduce password usage; this has advantages both in terms of security and user experience”, explains Xavier Plattard, with reference to Evidian, the single sign-on (SSO) authentication solution developed by the company.
The underlying principle: a unique and strong authentication, possibly coupled with biometrics or a security key, which gives access to the protected applications without having to enter a username and password each time. “In other words, there is still a password, but it is now managed by a Password Manager; this handy utility generates strong passwords and renews them regularly and transparently. In addition, the Identity Federation mechanism provides a central point of identification for all the applications that a user wants to access. Having fewer accounts means having fewer attack surfaces”, he explains.
To limit the risk of hacking, it’s better to increase the layers of security. “Strong authentication is a combination of factors,” stresses Xavier Plattard. “The password remains a valid factor, provided it is not used alone.” The same goes for biometrics, which also has its flaws: hacker Jan Krissler of the Chaos Computer Club proved this clearly in 2014 by recreating the fingerprint of the President of the European Commission, Ursula von der Leyen, using HD pictures of her thumb taken at a press conference. “A fingerprint is very easy to copy from a trace left somewhere, especially for low-end sensors. But there are more sophisticated technologies that take into account factors such as the temperature and oxygenation of the finger”, moderates Franck Veysset.
A so-called “multi-factor” authentication combines at least two of the following elements: a knowledge factor (password), a possession factor (“push” notification on a smartphone to authorise an authentication, Yubikey-type security key, etc.), and an inherent factor (biometrics). This is the case, for example, with the Nymi bracelet, which uses biometrics and heart rate detection, combined with the Evidian Enterprise Access Management solution. “This continuous biometric authentication offers a flexible solution that is particularly useful in certain cases, such as when employees wear apparel such as gloves or masks. There is also a proximity factor since the bracelet is detected using Bluetooth technology by the device with which you want to connect,” explains Xavier Plattard, assuring that the method is “very reliable” although expensive. “This type of device could become widespread, since we're not that far from it: just combine it with an activity tracker bracelet.”
Another parameter expected to become increasingly important is user behaviour. “Authentication is increasingly taking into account the surfing habits of internet users thanks to deep learning algorithms: the time and place where they connect, the sites they visit most regularly, their posting frequency on social networks... All these elements also constitute proof of identity,” explains Xavier Plattard. “We're not there yet, but studies are also trying to identify users based on their typing speed and typing errors.” Whenever we have a case of accessing sensitive or unusual resources (e.g., making a bank transfer to a new payee), authentication can be enhanced (a process called “step-up authentication”).
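The two ideas above, factor categories that only count when they are distinct, and step-up authentication triggered by the sensitivity of an action and by behavioural context, can be made concrete in a small policy engine. The following is an added example written for this article; it is not code from Atos, Evidian or any product mentioned here. The action sensitivities, the behavioural profile and the risk weights are constructed illustrative values, and the user name, countries and hours are assumed sample data.

```python
"""Risk-based step-up authentication policy (illustrative example, not a product's code)."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Tuple


class Factor(Enum):
    KNOWLEDGE = "knowledge"    # password, PIN, security question
    POSSESSION = "possession"  # push approval on a phone, hardware security key
    INHERENCE = "inherence"    # fingerprint, face, heart-rate signature


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"


# Sensitivity of each operation, 1 (low) to 3 (high). Constructed values.
SENSITIVITY = {
    "view_balance": 1,
    "transfer_known_payee": 2,
    "transfer_new_payee": 3,
}


@dataclass(frozen=True)
class Profile:
    """Behavioural baseline for a user (constructed; a real system learns it from history)."""
    usual_countries: frozenset
    usual_hours: range  # local hours during which the user normally connects


@dataclass(frozen=True)
class Request:
    action: str
    country: str
    hour: int
    verified: tuple  # Factor categories already verified in this session (may repeat)


def risk_score(profile: Profile, req: Request) -> int:
    """Context signals: an unfamiliar country and an unusual hour raise the score."""
    score = 0
    if req.country not in profile.usual_countries:
        score += 2
    if req.hour not in profile.usual_hours:
        score += 1
    return score


def required_factor_count(sensitivity: int, risk: int) -> int:
    """Distinct factor categories required: low-sensitivity actions need one,
    anything else needs two, and a risky context demands one more (capped at three)."""
    need = 1 if sensitivity <= 1 else 2
    if risk >= 2:
        need += 1
    return min(need, 3)


def decide(profile: Profile, req: Request) -> Tuple[Decision, List[Factor]]:
    """Return the decision and the factor categories still to be verified.

    Only distinct categories count: a password plus a security question is still a
    single knowledge factor and never satisfies a two-factor requirement.
    """
    need = required_factor_count(SENSITIVITY[req.action], risk_score(profile, req))
    have = set(req.verified)
    if len(have) >= need:
        return Decision.ALLOW, []
    # Prefer asking for a possession factor first, then a biometric, then knowledge.
    order = [Factor.POSSESSION, Factor.INHERENCE, Factor.KNOWLEDGE]
    missing = [f for f in order if f not in have][: need - len(have)]
    return Decision.STEP_UP, missing


# Constructed sample profile and session events.
ALICE = Profile(usual_countries=frozenset({"FR"}), usual_hours=range(7, 23))
EVENTS = [
    Request("view_balance", "FR", 10, (Factor.KNOWLEDGE,)),
    Request("transfer_known_payee", "FR", 10, (Factor.KNOWLEDGE,)),
    # Password + security question: two methods, but one category.
    Request("transfer_known_payee", "FR", 10, (Factor.KNOWLEDGE, Factor.KNOWLEDGE)),
    Request("transfer_new_payee", "FR", 10, (Factor.KNOWLEDGE, Factor.POSSESSION)),
    # Same two factors, but from an unusual country at 3 a.m.: step-up to a third.
    Request("transfer_new_payee", "BR", 3, (Factor.KNOWLEDGE, Factor.POSSESSION)),
]


def run(profile: Profile, events: List[Request]) -> List[Tuple[Decision, List[Factor]]]:
    return [decide(profile, e) for e in events]


if __name__ == "__main__":
    for e, (d, missing) in zip(EVENTS, run(ALICE, EVENTS)):
        print(f"{e.action:21} {e.country} {e.hour:02d}h -> {d.value:8}",
              [m.value for m in missing])
```

The point a practitioner should take from the third event is that counting authentication methods is not the same as counting factor categories; the fifth event shows how context alone (unfamiliar place and time) raises the bar for an action that was allowed a moment earlier with the same credentials.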
The increased usage of biometric data, which are particularly sensitive, nevertheless calls for vigilance. “They are (relatively) unique and permanent: you can change your password, but you can't change your face...”, says Félicien Vallet, an engineer at the CNIL technological expertise department. With biometrics, our physiological and anatomical characteristics have become a mode of authentication in their own right, which no longer requires any intermediary. As security technology specialist Ayse Ceyhan notes in an article, the body itself is “an article, objectified, reduced to computer and natural parameters”, “transformed into a digital code”. “From a personal point of view, I don't find it shocking: people have always been recognised by their voice, their gait or their face,” says Bernadette Forizzi, director of research at Télécom SudParis. “What bothers me more is having absolute confidence in algorithms; they too can make mistakes. It is essential to have counter powers and regulatory bodies working on these issues.”
As Félicien Vallet points out, “unlike facial recognition deployed in the public arena, which requires the implementation of biometric databases, biometric authentication - replacing or supplementing passwords - involves storing the data locally on a smartphone, allowing the user to retain control over them”. At least in theory. The reality is often somewhat shadier: in 2015, an Apple patent divulged the possibility of “synchronising digital biometric data via the cloud”.
What if the challenge of tomorrow's authentication is not so much its security as its transparency?