Recognising the real you. Security with strong identity

“We’re sending you a one-time passcode to complete your login” pops up on your screen as you try to access a service on your phone. It’s frustrating – it’s delaying your user journey, but what’s taking place within these few seconds is vital. It’s a ramped-up security measure, an example of multifactor authentication and we can expect to see a lot more of it.

Multifactor authentication (MFA) is a security approach whereby a user is required to authenticate their identity in at least two ways – sometimes more. This provides an additional level of protection and, in turn, an additional barrier for anyone looking to steal the user’s personal data. The deployment of MFA is growing, particularly in the financial services sector, and Eddie Lamb, Cyber Education and Advisory at Hiscox, whose 20-year career in ethical hacking includes time with British Intelligence, believes it won’t be long before the requirement of MFA becomes mandatory.

Passwords are old news

“A password in isolation is valueless unless you know the username it goes with,” says Eddie. But the way credentials are stored means it’s become increasingly easy to get hold of this information. Eddie cites the 2014 hack of Yahoo, where 500 million users’ credentials, including usernames and passwords, were obtained: “Somebody downloaded the entirety of the user password database, only to find that none of the passwords were encrypted – they got all of the plain text passwords. That was one of the first storage problems we faced.”

But users are as much to blame. A poll by LogMeIn shows that despite 91% of people knowing password recycling (using the same password across multiple accounts) poses huge security risks, 59% still do it. Then again, having hundreds of different passwords doesn’t tend to work either. Each click of that ‘forgotten password’ link lends itself to what Eddie calls “a forgotten user journey”, where a hacker can easily jump in unnoticed.

“I don’t like fear, uncertainty and doubt,” says Eddie. “I like fact, and we’ve definitely got enough facts to realise that a password in isolation causes a problem.”

Making the chain

The most common approach to MFA is the use of a one-time passcode (OTP), where the user is issued with an out-of-band code that’s only usable for that login session, breaking the chain of communication. It’s not mandatory – yet – but most vendors offer it.

The likes of Microsoft and Google currently offer OTPs through software as the price point of their devices doesn’t justify the development of MFA into the hardware. However, with the price of the new iPhone 11 Pro starting at £1,049, Apple offers OTPs between devices. And by now, Apple users will also be used to biometric forms of MFA such as facial and fingerprint scanning.

What’s more, these companies are starting to launch as identity providers (IDPs) – Google’s been one for some time and Apple has just launched as one, bringing with it the ability to use biometrics as a form of MFA. It’s what happens when a website asks if you want to log in using, for example, your Google account. “The website takes you off to Google, and Google does all of the authentication, using MFA if required, and confirms to the website that you are who you say you are,” Eddie explains, adding that the method is becoming increasingly popular because it requires fewer passwords.

Authentic behaviour

The identity and access management framework (or IAM) has caused a philosophical debate in the security sector. While MFA can confirm that you are who you say you are, this authentication is still based on an initial assertion by the user of who they are. We’ll soon see security models that draw in data about a user’s behaviour in order to determine authenticity.

“It’s working out, yes, that person claims to be Bob, but Bob’s never been in China and he’s never online at 3am,” says Eddie, believing that the next step for MFA will therefore be in securely sharing data between devices, guaranteeing we have the most accurate picture of Bob, and therefore the best chance of verifying his identity. Until then, Eddie says we’ve still got a pretty good solution: “MFA’s the best option we have: it’s a no-brainer.”
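The behaviour-based check Eddie describes (Bob has never been in China and is never online at 3am) can be written as a small risk-scoring step that sits in front of the MFA challenge. This is an added illustration, not code from the article or from Hiscox; the user history, country codes and the “adjacent hour is still normal” rule are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Login:
    """One login event. country is an ISO 3166 code; hour is the UTC hour (0-23)."""
    user: str
    country: str
    hour: int


# Constructed sample history for "Bob": successful logins from Britain, 08:00-18:00 UTC.
BOB_HISTORY = [Login("bob", "GB", h) for h in range(8, 19)]


def build_baseline(history: list[Login]) -> dict:
    """Summarise past successful logins into the two signals the article names:
    the countries the user has logged in from and the hours at which they are active."""
    return {
        "countries": {event.country for event in history},
        "hours": {event.hour for event in history},
    }


def risk_signals(attempt: Login, baseline: dict) -> list[str]:
    """Return one reason for each way the attempt departs from the user's baseline."""
    reasons = []
    if attempt.country not in baseline["countries"]:
        reasons.append(f"first login from {attempt.country}")
    # Assumption: the hour either side of a normal hour counts as normal too,
    # so a slightly early or late login does not trigger a challenge.
    usual_hours = set(baseline["hours"])
    usual_hours |= {(h + 1) % 24 for h in baseline["hours"]}
    usual_hours |= {(h - 1) % 24 for h in baseline["hours"]}
    if attempt.hour not in usual_hours:
        reasons.append(f"unusual hour {attempt.hour:02d}:00 UTC")
    return reasons


def decide(attempt: Login, baseline: dict) -> str:
    """Map signals to an action. A password alone is never accepted once anything
    looks off: one anomaly escalates to an MFA challenge, and several anomalies
    together also raise an alert for the security team to review."""
    reasons = risk_signals(attempt, baseline)
    if not reasons:
        return "allow"
    if len(reasons) == 1:
        return "step_up_mfa"
    return "step_up_mfa_and_alert"


if __name__ == "__main__":
    baseline = build_baseline(BOB_HISTORY)
    for attempt in (Login("bob", "GB", 10), Login("bob", "GB", 3), Login("bob", "CN", 3)):
        print(attempt.country, attempt.hour, "->", decide(attempt, baseline), risk_signals(attempt, baseline))
```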