The next evolution of authentication

NuData Security · 2018-04-26



Contents

1. The evolution of authentication
2. If passwords are dead, why do we use them?
3. It's not about educating users anymore
4. How did we get here?
5. The next evolution of authentication
6. The power of behavioral authentication layers

1. The evolution of authentication

We've heard the refrain "passwords are dead," but are they?

Before we can answer that, we need to look at the history of human identity verification: what passwords were originally designed for, and the role they play in authentication today. We will also look at how the lessons humans learned verifying each other in the physical world were never carried over to authenticating and verifying digital identities.

Humans have always needed to recognize one another in order to judge safety and alliance. One of the earliest forms of identification, the simple "eyeball test," gave way to secret passwords and codes; soldiers, for example, gave a spoken password when entering an armed camp at night. Authentication went on to evolve through many variations of paper ID to today's online authentication technology. The fundamental need to tell who is safe from who is not has not changed, but the way we go about it has become far more sophisticated.

Understanding the traits and differences of the authentication techniques in use today gives insight into their benefits and helps you decide which are appropriate for your organization.

THE NEXT EVOLUTION OF AUTHENTICATION

1. Eyeball test: familiarity ("I know you")
2. Basic paper ID: signing an "X," stamps, signature cards, driver's licenses, photo IDs
3. Username and password: a "secret" string of characters
4. 2FA, challenges and tokens: second-level questions, physical or software tokens
5. Physical (active) biometrics: fingerprints, facial and iris scans, selfies, voice
6. Passive behavioral authentication: real-time passive biometrics and behavioral analytics that separate good users from bad ones by their behavior, even when the attacker holds valid stolen credentials

Passive biometrics and behavioral analytics: no challenge, no enrollment, no friction.

2. If passwords are dead, why do we still use them?

Many security experts are declaring the death of passwords, and the idea that a password alone could still count as a legitimate form of identity verification is naive. Each year, catastrophic breaches spill billions of valid consumer records into the criminal underground, feeding a never-ending cycle of fraud that leaves us in a state of cyber insecurity. Regardless, passwords remain the most widely used method of unlocking online accounts, which makes them the primary target for thieves and the first prong of attack in a broad array of identity crimes.

Which returns us to the question: is it time to do away with passwords? Perhaps, but used in the right way, passwords may still have a purpose. They just can't be relied upon as the sole gatekeeper.

3. It's not about educating users anymore

The security industry has hammered home that reusing a password across sites increases your risk of being compromised, yet over half of all users still use the same password everywhere they go online. So why do warnings like "never reuse a password" or "don't share passwords" go unheeded? Quite simply, the problem is more complex than the industry expected, and the password model has far exceeded the scope of its intended use.

Consumers shouldn't be expected to be security experts, and they often bear the brunt of a counter-intuitive user experience that relies on imperfect human memory. Even when users follow best practices, many attack vectors are sophisticated enough to fool the savviest of them into clicking the wrong thing, and as the victims of the infamous Yahoo breach found out, the attack only needs to work once.

The rate of cybercrime, and the devastating losses that come with it, increases year over year. Organizations of all sizes are racing to solve the authentication problem.

Cheap, readily available automation tools make it easy for criminals to scale up volumetric attacks. Stolen, leaked or easily obtained consumer data becomes grist for the automation mills, making identity fraud one of the biggest disasters facing consumers and companies alike.

IT'S NOT ABOUT EDUCATING USERS ANYMORE

Automation engine drives global identity fraud

Fuel: stolen consumer data
• Data breaches
• Leaks
• Social engineering
• Site scraping
• Hacking
• Phishing
• Malware

Automation engine
• Server-side scripting
• GUI scripts
• JavaScript
• Command-line insertions (CLI)
• Cross-site scripting (XSS)
• Remote access trojans (RATs)
• Brute force attacks

Output: identity fraud ($)
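
The automation the diagram describes leaves a footprint that a login service can detect even when the stolen credentials are perfectly valid. What follows is an added example, not code from this paper or from NuData: a small detector run over a constructed login audit log (the log format, field names, IP addresses and thresholds are all assumptions). It flags a source that tries many different accounts at a machine-regular rate with mostly failures, and reports which accounts the stolen passwords actually worked for, which is the list an incident responder would force a reset on.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample of a login audit log (format assumed; not from the paper).
# One legitimate user mistypes once, then a script works through a stolen list.
SAMPLE_LOG = """\
2017-05-02T10:15:01Z login src=198.51.100.23 user=alice result=FAIL
2017-05-02T10:15:09Z login src=198.51.100.23 user=alice result=OK
2017-05-02T10:15:10Z login src=203.0.113.7 user=bob result=FAIL
2017-05-02T10:15:11Z login src=203.0.113.7 user=carol result=FAIL
2017-05-02T10:15:12Z login src=203.0.113.7 user=dave result=OK
2017-05-02T10:15:13Z login src=203.0.113.7 user=erin result=FAIL
2017-05-02T10:15:14Z login src=203.0.113.7 user=frank result=FAIL
2017-05-02T10:15:15Z login src=203.0.113.7 user=grace result=FAIL
2017-05-02T10:15:16Z login src=203.0.113.7 user=heidi result=FAIL
2017-05-02T10:15:17Z login src=203.0.113.7 user=ivan result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Illustrative thresholds (assumptions); a real deployment tunes these per site.
MIN_ATTEMPTS = 5          # fewer attempts than this is never flagged
MIN_DISTINCT_USERS = 4    # one person mistyping is not credential stuffing
MIN_FAIL_RATIO = 0.5      # stolen lists mostly miss, so most attempts fail
MAX_GAP_CV = 0.25         # scripted attempts arrive at a near-constant rate

def parse(log_text):
    """Turn log lines into (timestamp, source, user, succeeded) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that don't match the expected format
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["src"], m["user"], m["result"] == "OK"))
    return events

def summarize(events):
    """Per-source statistics that a detection rule can reason about."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)
    stats = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e[0])
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(evs, evs[1:])]
        gap_cv = None  # coefficient of variation of inter-arrival time
        if len(gaps) >= 2 and statistics.mean(gaps) > 0:
            gap_cv = statistics.pstdev(gaps) / statistics.mean(gaps)
        stats[src] = {
            "attempts": len(evs),
            "distinct_users": len({e[2] for e in evs}),
            "fail_ratio": sum(1 for e in evs if not e[3]) / len(evs),
            "gap_cv": gap_cv,
            "successes": [e[2] for e in evs if e[3]],
        }
    return stats

def is_credential_stuffing(s):
    """Volumetric signature: many attempts against many different accounts,
    mostly failing, delivered at machine-regular intervals."""
    return (
        s["attempts"] >= MIN_ATTEMPTS
        and s["distinct_users"] >= MIN_DISTINCT_USERS
        and s["fail_ratio"] >= MIN_FAIL_RATIO
        and s["gap_cv"] is not None
        and s["gap_cv"] <= MAX_GAP_CV
    )

def detect(log_text):
    """Return {source: [accounts whose stolen password worked]} for flagged sources."""
    return {src: s["successes"]
            for src, s in summarize(parse(log_text)).items()
            if is_credential_stuffing(s)}

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

Running the file flags only the scripted source, together with the two accounts whose leaked passwords succeeded; the legitimate user who mistyped once is not flagged. Note that nothing about the credentials themselves separated the two cases: the distinction came entirely from volume, breadth and timing, which is the point the diagram is making. Real deployments score these signals alongside device, location and behavioral data rather than applying hard thresholds.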

4. How did we get here?

When the internet was first built, its engineers focused on making the network robust against external attack; that its users might attack one another was not a design concern. A username-and-password system was considered sufficient security. They could not have anticipated the enormous volume of sensitive information we would store and share, nor the number of financial and eCommerce transactions users would make over their digital lives.

Criminals, of course, follow the money, and they were quick to exploit systems that were never designed to keep them out. To protect end users, system designers bolted workarounds onto the existing username-and-password framework as each new security challenge arrived.

We have now reached the point where this patched-together architecture no longer meets current threats. The username-and-password framework was originally an access-control mechanism: a correct password proves that the presenter holds the secret, not who the presenter is. It was pressed into service as an identity-verification function for far too long and was never designed to support everything we now ask of it.

So, with an eye to understanding where we are today, let's explore where the different identity verification methods fit within the challenge of authenticating in non-face-to-face interactions.

5. The next evolution of authentication

Before the internet, accessing your money at a bank or your files at a company meant presenting yourself in person, and the employees came to recognize you.

As urban density increased and the chance of impersonation grew, additional documents were needed to "authenticate" you, that is, to prove you were who you said you were. Proof usually took the form of a valid government-issued ID, such as a driver's license, birth certificate or Social Security number, or a combination of these, presented at a physical location.

Moving to the digital space required new methods to overcome the technical challenges of verifying an ID in real time, testing its authenticity, and reliably confirming that it belonged to the person presenting it.

It quickly became apparent that online identity authentication would have to work differently. The username and password were therefore tasked with establishing an online "entity" that identified the account holder. The password was designed to be the key that unlocked account access, and the link between the legitimate account holder and that key was simply assumed.

The most frequent form of verification used today is single-factor (or single-modal) authentication, which relies on one point of data, usually a password. Multi-factor (MFA) or multi-modal methods instead combine two or more independent touch-points drawn from four basic principles.

The four principles of MFA digital authentication are: Something You Know, Something You Have, Something You Are, and Something You Do. The history of authentication shows that we have used a variety of methods in the past, some in combination.

Let's look at each principle...

THE EVOLUTION OF AUTHENTICATION

Four principles of multi-factor user authentication

Something you:

• Know (knowledge-based, KBA): password, PIN, 2-factor challenge, personal data
• Have: device, token, one-time password, IP, location (DeviceID, geolocation)
• Are: fingerprint, iris or facial scan, selfie, voiceprint
• Do: natural behavior, habits, interactions

5.1 Something you know

Knowledge-based authentication (KBA) uses information that, in theory, only the user knows. Usernames and passwords were the first form of KBA. As the internet grew, more users meant more websites and more logins, and it became standard practice to reuse passwords across sites. Criminals starting out on this digital frontier realized how easy it was to steal, guess or crack usernames and passwords, and quickly got to work.

When it became apparent that passwords were not enough, organizations sought additional ways to authenticate users online. Two-factor authentication, or 2FA, was introduced to augment and strengthen the username-and-password framework, not to replace it. Its earliest form was a set of simple challenge questions that were easy to remember and that, in theory, only the legitimate user could answer. Strictly speaking, a second question is not a second factor at all, only a second instance of "something you know," and with the prevalence of social media, information like the name of your first pet or where you went to high school was not a difficult hurdle for attackers, who quickly learned to subvert the process.

VULNERABILITIES
• Usernames and passwords are often easy to guess with enough time, patience or the right software.
• Crooks have become adept at scraping personal data from our social networks to use for account takeover (ATO) fraud.
• KBA data can be stolen from consumers through skimming, keylogging, malware and various other methods designed to fool users.
• Phishing, malware and trojans are so sophisticated that even the savviest users can be tricked.
• KBA data can be stolen from databases and repositories, resulting in brand damage, lost business and operational costs for the hosting companies.
• Consumers share passwords, even to their most private accounts, and over half of us use the same password everywhere.

STATS
• Breaches up 40% in 2016.
• 9 billion records stolen since 2013.
• 1/3 of US consumers who share passwords have shared their online bank account passwords.
• 55% of people use the same password everywhere.
• ATO estimated to rise 60% by 2018.

5.2 Something you know + something you have

Data breaches are so frequent that the Dark Web has its pick of valid user credentials and KBA answers. Enter 2FA with tokens.

Accounts protected by 2FA ask users who pass the username-and-password challenge (and any KBA questions) to complete a second step, usually involving an email address, a smartphone or a physical token.

In the first method, a one-time code is sent to the user's email address or by SMS to their phone. The user authenticates by typing the code into the website or by acknowledging a push request on the phone. Such a code is only as safe as the channel that delivers it and the page it is typed into: a code entered on a convincing phishing page is simply relayed to the real site within its validity window.

The 2FA token can also be a physical device that the user enrolls independently. Physical tokens work by displaying an authentication code (usually a short set of digits that changes for each use) that the user types into the web page or authentication form.

VULNERABILITIES
• A compromised endpoint device can impersonate the genuine user by accepting the token required for authentication.
• The enrollment process can be arduous for some users, introducing friction.
• Physical tokens can be lost and must be re-ordered and re-issued, delaying the user.
• When challenged, some users forget their answers or do not understand what is required, leading to abandonment and frustration with the process.
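
How a hardware or software token produces a code that the server can check with no message passing between them, as an added example that is not from this paper or from NuData. It assumes the TOTP algorithm (RFC 6238, built on RFC 4226 HOTP) that most such tokens use, which the paper does not name; the fixed timestamp is constructed, and the RFCs' published test secret is used so the output can be checked against the standard.

```python
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 published test secret (ASCII "12345678901234567890").
# A real token is provisioned with a random secret shared only with the verifier.
RFC_TEST_SECRET = b"12345678901234567890"

def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte big-endian counter,
    dynamically truncated to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from the time step.
    This is what the token displays; it needs no network to do so."""
    return hotp(secret, unix_time // step, digits)

class TotpVerifier:
    """Server side. Accepts a code for the current step plus or minus
    `window` steps (clock skew), and never accepts a step at or before the
    last one accepted, so an already-used code cannot be replayed."""

    def __init__(self, secret, step=30, window=1):
        self.secret = secret
        self.step = step
        self.window = window
        self.last_accepted_step = -1

    def verify(self, code, unix_time):
        current = unix_time // self.step
        # Check the current step first so a neighbouring step never shadows it.
        candidates = [current]
        for d in range(1, self.window + 1):
            candidates += [current + d, current - d]
        for step_no in candidates:
            if step_no <= self.last_accepted_step:
                continue  # this step (or an older one) was already consumed
            if hmac.compare_digest(hotp(self.secret, step_no), code):
                self.last_accepted_step = step_no
                return True
        return False

def demo():
    """The token shows a code; the user types it a few seconds later; the
    same code typed again (a replay) and a wrong code are both refused."""
    now = 1_500_000_000  # constructed timestamp so the run is reproducible
    shown = totp(RFC_TEST_SECRET, now)
    verifier = TotpVerifier(RFC_TEST_SECRET)
    first = verifier.verify(shown, now + 5)
    replay = verifier.verify(shown, now + 10)
    wrong = verifier.verify("000000", now + 12)
    return shown, first, replay, wrong

if __name__ == "__main__":
    print(demo())
```

Note what the verifier does and does not protect against: it accepts a code only within a narrow time window and never twice, so a code read off a lost token is useless minutes later, but a code typed into a phishing page and relayed within that window still passes. That is why the endpoint-compromise caveat above applies to every code-based second factor.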

5.3 Something you have + something you are

While 2FA is an improvement over passwords alone, relying on user devices or tokens is a minor patch, not a bulletproof fix, and customers dislike the friction it causes. So let's consider the next step: what is unique about every user?

Just ten years ago biometrics were the stuff of science fiction, but today we think nothing of using a fingerprint to unlock a phone. Physical biometrics, also called active biometrics, require user participation and compliance: the biometric must be pre-registered (enrolled), which may involve fingerprint scanning, facial recognition, iris scanning or a voice recording.

Like 2FA methods, physical biometrics add another layer of security but should not be the sole means of authentication. Your fingerprint can get you into a smartphone, a laptop or a bank account. While your thumb is less likely to wander off than a password, that does not make it a foolproof marker of your identity.

Biometric data can be as vulnerable to mimicry, spoofing and impersonation as passwords. Fingerprints can be lifted, spoofed and copied. In one live demonstration, iris and facial biometrics of Angela Merkel, good enough to fool authentication software, were reconstructed from publicly available HD photos and video. As yet there is no way to be certain that the person presenting a biometric is its owner: a sensor verifies a sample, not the person behind it.

The most important consideration, though, is that biometrics are permanent, unique features of our bodies that resist alteration. That unchangeable nature creates a lifetime risk for the consumer if biometric data is stolen, because unlike a password it cannot be rotated. Consumers depend on the vendor or provider to protect this data adequately, so great care must be taken with any biometric storage, and merely holding this data makes an organization an attractive target.

VULNERABILITIES OF PHYSICAL BIOMETRICS
• Biometric inputs are not always socially or culturally appropriate and can be awkward in some situations, for example a voiceprint during a business meeting.
• Consumer friction is a very real issue, leading to customer loss, cart abandonment or account termination. The novelty wears off quickly and becomes intrusive when the consumer is repeatedly challenged.
• Physical biometric data can be stolen digitally during capture or at the endpoint device, or physically from our surroundings via lifted fingerprints or high-definition photos.
• Privacy and consent issues can arise.
• Some biometric tests do not check the liveness of the sample (for example, detecting warmth in a fingerprint, movement or blinking), and such checks have yet to be widely adopted.
• Physical biometric authentication could, in the rare case of abduction or amputation, result in real harm to the user.
• Not all biometric identifiers remain constant. Pregnancy can alter the blood-vessel patterns in a woman's retina, for example, confusing retinal scanners.

5.4 Something you do

Even with the additional layers added to the username-and-password framework, none has proved infallible. Industry experts urge us to add one more layer, one that is not a stored secret and so cannot be stolen and replayed the way a password can: passive behavioral biometrics. You can see passive biometrics at work in solutions like the NuDetect platform.

Unlike physical biometrics, which a user must provide and register, passive (or behavioral) biometrics do not require the user to do anything they are not already doing. As the user interacts with the website in the normal way, the interaction data is analyzed to determine which signals are most relevant for identity validation. These signals are compiled into a digital identity profile built from historical interactions and current session data, creating a dynamic, unique profile that is evaluated in real time. The result is then compared across a consortium (a network of behavioral intelligence data) to determine whether the entity is behaving the way it has behaved before and the way other good human users behave, and to flag anomalies.

CONCERNS
What if I lose my hand, break my arm, or have a stroke? Good question, and one of the most common that passive behavioral biometrics vendors face. With behavioral biometrics, several layers of technology are used so that no single signal is the critical element in the identity verification process, and a user whose behavior no longer matches can still be verified by another method such as KBA or 2FA.

Physical biometrics versus passive behavioral biometrics

Physical biometrics (what you have and are): single-factor, static touchpoints. Requires user interaction, is visible to the user, and can cause friction.

Passive behavioral biometrics (what you do): multi-modal, dynamic touchpoints. Invisible to users, no friction, and not a stored secret that can be stolen, spoofed or copied.

Signals used by passive behavioral biometrics include:
• Angle at which the device is held
• Typing speed and cadence
• Which hand the user holds the device in
• Direction the user scrolls the mouse
• Whether the user tends to use a trackpad or a mouse to click and navigate
• How hard the user presses on the screen
• Touch-screen patterns
• Location
• Real-time entity linking, which compares different user profiles

Behavioral biometric solutions are highly accurate predictors of user behavior, allowing companies to make confident decisions during user sessions in real time.

These behavior-based authentication methods are invisible to users, which reduces or eliminates friction. Behavioral solutions are dynamic and predictive rather than based on a single snapshot in time. They are resistant to theft, mimicry and spoofing, and they provide continuous authentication across brands and sites. They typically function as an invisible, complementary layer alongside better-known security layers.

If users are unable to authenticate the way they normally would, they can still be identified through other means, such as KBA or 2FA, or through a higher-friction experience if required.

With stolen credentials so widely and cheaply available, a system that relies on credentials alone, with no passive behavioral layer, cannot tell a legitimate login from a replay of stolen credentials; it will fail to protect its customers and their data, damage its brand, and suffer spiraling security costs for solutions that do not work. The only ones who win in that scenario are the criminals.

Once behavior-based authentication is widely adopted, it will no longer be profitable for hackers to take and use stolen identity information. Like stealing the key to a house protected by multiple security systems, stolen credentials will not work because they are no longer the only tool needed to unlock the door.

VULNERABILITIES
• Late adoption.
• A behavioral profile has to be learned: a new user, or a known user on a new device, has no baseline yet, so a fallback such as KBA or 2FA is still needed until one exists.
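
A toy version of the profiling and routing described above, added here as an example; it is not NuDetect's algorithm or code. It assumes one signal from the list (keystroke dwell and flight times), a mean absolute z-score as the distance from the baseline, illustrative thresholds, and constructed timings for three enrollment sessions, a later genuine session and an automated session.

```python
import statistics
from dataclasses import dataclass, field

MIN_SESSIONS = 3        # baseline sessions needed before the profile is trusted
ALLOW_THRESHOLD = 1.5   # mean |z| below this: the session matches the profile
MIN_STD_MS = 5.0        # floor so a very regular typist does not get a zero std

def make_session(keys, dwells_ms, flights_ms):
    """Build keystroke events (key, press_ms, release_ms) from per-key dwell
    (hold) times and inter-key flight times. All timings are constructed."""
    session, t = [], 0
    for i, key in enumerate(keys):
        session.append((key, t, t + dwells_ms[i]))
        t += dwells_ms[i]
        if i < len(flights_ms):
            t += flights_ms[i]
    return session

def features(session):
    """Feature vector: dwell time per key, then flight time between keys."""
    dwell = [rel - press for _, press, rel in session]
    flight = [session[i + 1][1] - session[i][2] for i in range(len(session) - 1)]
    return dwell + flight

@dataclass
class BehaviorProfile:
    means: list = field(default_factory=list)
    stds: list = field(default_factory=list)
    sessions: int = 0

    @classmethod
    def enroll(cls, sessions):
        """Passive enrollment from sessions the user performed anyway."""
        vectors = [features(s) for s in sessions]
        n = len(vectors[0])
        means = [statistics.mean([v[i] for v in vectors]) for i in range(n)]
        stds = [max(statistics.pstdev([v[i] for v in vectors]), MIN_STD_MS)
                for i in range(n)]
        return cls(means, stds, len(vectors))

    def score(self, session):
        """Mean absolute z-score of a session against the baseline:
        0 is 'exactly typical', larger is less like this user."""
        vec = features(session)
        return statistics.mean(abs(x - m) / s
                               for x, m, s in zip(vec, self.means, self.stds))

def decide(profile, session):
    """Route a session: straight through if it matches the profile,
    otherwise to a higher-friction step (KBA, 2FA). Never a hard deny."""
    if profile is None or profile.sessions < MIN_SESSIONS:
        return "step_up"   # cold start: no trustworthy baseline yet
    return "allow" if profile.score(session) < ALLOW_THRESHOLD else "step_up"

# Constructed data: the same user typing "alice" on three earlier visits.
KEYS = list("alice")
ENROLLMENT_SESSIONS = [
    make_session(KEYS, [92, 108, 84, 121, 96], [142, 176, 163, 148]),
    make_session(KEYS, [88, 112, 87, 118, 93], [138, 184, 158, 153]),
    make_session(KEYS, [95, 105, 82, 124, 98], [145, 178, 165, 146]),
]
# The same user today, and a script replaying stolen credentials at a flat 40 ms.
GENUINE_SESSION = make_session(KEYS, [90, 110, 86, 119, 95], [140, 180, 160, 150])
BOT_SESSION = make_session(KEYS, [40] * 5, [40] * 4)

def demo():
    profile = BehaviorProfile.enroll(ENROLLMENT_SESSIONS)
    return {
        "genuine": decide(profile, GENUINE_SESSION),
        "bot": decide(profile, BOT_SESSION),
        "new_user": decide(None, GENUINE_SESSION),
    }

if __name__ == "__main__":
    print(demo())
```

The decision never denies outright: a session that does not match, or a user with no baseline yet, is routed to a higher-friction method, which is how the fallback the text describes fits in. The script typing the stolen password is caught even though the credentials are valid, because it does not type like the account's owner. A production system would combine dozens of such signals, weight them, and refresh the profile as the user's behavior drifts.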

6. The power of behavioral authentication layers

• Device + connection + location: builds confidence with Enhanced DeviceID
• Behavioral analytics: continuously verifies that the user is behaving as expected
• Real-time trust consortium: identifies risk and fraud through aggregate behaviors
• Behavioral biometric verification: hundreds of measurable biometric patterns for good-user verification

This brings us back to the question: are passwords dead?

The username-and-password framework isn't going anywhere. It just isn't the sole gatekeeper any more, thanks to consumer behavioral analytics.

NuDetect, a next-generation authentication solution, integrates behavioral biometrics and analytics with existing authentication technologies to identify users based on their online interactions, behavior that a third party cannot readily mimic or replay.

NuData Security believes good users deserve good online experiences and brands deserve protection against abuse and fraud.

Practically any online verification method in use today can be integrated with behavioral biometrics to gather more intelligence about the user and verify identity more accurately.

We predict that authentication will evolve from a single challenge event (a password or a fingerprint) into a persistent identity evaluation. The combination of physical biometrics with behavioral biometrics will play an increasingly important role in establishing trust factors for authenticating consumers' identity across every channel and in establishing persistent identity trust. Behavioral biometrics is rapidly gaining both consumer trust and corporate confidence; 2017 will be the year it breaks into the mainstream.

“Adding behavioral biometrics is an increasingly important layer of defense.”
Julie Conroy, Research Director and Fraud Expert with Boston-based Aite Group

“Continually monitor and analyze user behavior, as soon as a relationship with an individual begins until it ends.”
Gartner, Magic Quadrant for Web Fraud Detection, Avivah Litan & Peter Firstbrook

About NuData Security

NuData Security is an award-winning passive biometrics and behavioral analytics company. NuData Security helps companies identify users based on their online interactions. This analysis informs clients of the fraud risk.

Our flagship product, NuDetect, identifies authentic users from potential fraudsters based on their online, mobile app and smartphone interactions, flagging those that represent high risk. The technology assesses, scores and learns from hundreds of device, location, passive biometric and behavioral signals in online, native app or mobile transactions to enable merchants and issuers to make near real-time authorization decisions.

NuDetect analyzes 80 billion online events yearly and is trusted by some of the largest global brands in the world to verify users with their own natural behaviors while offering a great customer experience.

____________________________________________________

Questions? Call us: 1-604-343-2844

[email protected]

Request a demo https://nudatasecurity.com/contact-us

http://download.nudatasecurity.com/demo/