Why passwords must be replaced as the core of the user authentication process

By Jeff Carpenter | 21 June 2017

The volume of system end points continues to multiply as digitisation overhauls financial services' processes. Increasing volumes of data, coupled with a growing need for more users to have access to data without time or location restrictions, have forced firms to rethink their authentication services.

Increased end points and more valuable information (as firms continue to digitise, more sensitive data than ever before is being placed in accessible data storage) inevitably lead to greater pressure being applied to user authentication systems. The emergence of omnichannel entry options and greater incentives for unauthorised users to attempt to gain access through illegal bypassing of authentication protocols (a much larger perimeter fence, and a more precious commodity to protect) have led to greater stress, and consequently scrutiny, on passwords, still the cornerstone of the authentication process.

An inspection of the password authentication system reveals that what was once recognised as an appropriate level of security can no longer be considered fit for purpose. Passwords are weak, and can be easily stolen, shared, or guessed. As a password system reveals nothing about the person attempting to gain access beyond the fact that they know a single piece of information, protecting data with nothing more than a password can never be counted on as reliable.

The question yet to be answered sufficiently, however, is what should replace the antiquated password authentication system as it continues to be phased out?

In the past few years we have seen first Two-Factor, and subsequently Multi-Factor authentication replace password-only authentication, with middling success. A second or third authentication point does strengthen confidence that the user attempting to gain system access is authorised to do so, but in practice the improvements in security have been marginal, as human response elements are still core components of the authentication process.

This is because human-selected passwords that can be guessed or stolen remain central to Multi-Factor authentication. Even authentication systems that force users to change their password regularly offer little more in the way of security, as research indicates that in this circumstance most often users opt to add a single digit or letter to an existing password, rather than reset the password entirely. This predictable behaviour makes for easy fodder for cybercriminals attempting to steal passwords and gain entry to a system.

One reason that users fall into this pattern of behaviour is that current Multi-Factor authentication systems are making the authentication process increasingly onerous on users. In addition to compelling users to create, memorise, and repeatedly change passwords or PINs, a token-based authentication factor adds friction into the process by compounding the human input required to authenticate a user.

Adding friction to the authentication process by constantly asking users to change passwords also makes it more likely that these users will forget the passwords they have set, which in turn will drain more resources as a greater support network is needed to prop up the password-dominated system.

The digital fork in the road

With no viable long-term solution yet clear, it is time for the financial services industry to review its approach to authentication. The digitisation of financial services will continue at pace, compounding the problem if it is not correctly addressed in good time.

The industry is at a digital fork in the road, with a decision needing to be made on whether to pursue development that builds on top of current Multi-Factor models, or to evolve into a better system that takes into account new modalities of cloud, mobile, biometrics and context-based authentication. What this alternative system might look like is yet to be determined, but for forward-thinking CTOs and CIOs this must become a priority in the near future.

To my mind it is clear that the second of these two options is the road in the fork that should be taken. The next generation of user authentication needs to remove human-generated passwords entirely from the process, and in its place rely on a core foundation of computer-analysed data points.

A new model for authentication

Although this new model for authentication is yet to be fully determined, we can begin to picture how an alternative to current Multi-Factor authentication should differ from the market standard. This can be done by formulating a solution to the major pain point of the existing process, namely the reliance on human input to maintain the system.

With the volume of data now available to collect from users, financial services and authentication software providers should be taking advantage of the additional information at their fingertips. Harnessing these data points to build a profile of a user requesting access to a system, instead of attempting to do the same through a password request, is not only more secure, as more authentication factors are considered, but also removes the human element from the authentication process and consequently virtually all of its human-generated friction. This is the core concept of composite authentication.

The data points that could be used to build the authentication profile of users might include measurable factors such as the location of the user, device recognition, and the time of the access request. None of these factors relies on human input, which is both vulnerable to cybercriminals and creates the aforementioned friction in the authentication process.

And these are just some of the hundreds of potential data points that could be analysed to continue building the authentication profile without compromising the friction reduction. Authentication software providers are already developing systems that rely on data that does not depend on human input, and can intelligently analyse it to block suspicious authentication requests without disrupting authentic users.
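As an added illustration of the composite model described above (example code written for this article, not a vendor's product), the scorer below weighs the three signals named here, device recognition, location and time of request, against a per-user baseline and returns allow, step-up or block. The profile, weights, thresholds and sample requests are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed example: a composite-authentication risk scorer using the
# non-human signals from the article (device, location, time of request).

@dataclass
class UserProfile:
    known_devices: set     # device fingerprints seen on prior good logins
    usual_countries: set   # countries the user normally signs in from
    usual_hours: tuple     # (start_hour, end_hour) in the user's local time

@dataclass
class AccessRequest:
    device_id: str
    country: str
    requested_at: datetime

# Assumed policy: weights per mismatched signal and decision thresholds.
WEIGHTS = {"unrecognised device": 40, "unusual location": 35, "outside usual hours": 15}
STEP_UP_AT, BLOCK_AT = 30, 60

def risk_score(profile: UserProfile, req: AccessRequest):
    """Return (score, reasons) for one request; 0 means every signal matched."""
    reasons = []
    if req.device_id not in profile.known_devices:
        reasons.append("unrecognised device")
    if req.country not in profile.usual_countries:
        reasons.append("unusual location")
    start, end = profile.usual_hours
    if not start <= req.requested_at.hour < end:
        reasons.append("outside usual hours")
    return sum(WEIGHTS[r] for r in reasons), reasons

def decide(profile: UserProfile, req: AccessRequest) -> str:
    """Map the score to allow / step-up / block; a clean allow reinforces the baseline."""
    score, _ = risk_score(profile, req)
    if score >= BLOCK_AT:
        return "block"
    if score >= STEP_UP_AT:
        return "step-up"   # e.g. ask for one extra factor instead of refusing
    profile.known_devices.add(req.device_id)  # silent for the user, profile grows
    return "allow"

# Constructed sample: a London-based user who normally works 08:00-20:00.
alice = UserProfile({"dev-laptop-1"}, {"GB"}, (8, 20))
SAMPLE_REQUESTS = {
    "normal":     AccessRequest("dev-laptop-1", "GB", datetime(2017, 6, 21, 9, 30)),
    "new_device": AccessRequest("dev-phone-7", "GB", datetime(2017, 6, 21, 10, 0)),
    "suspicious": AccessRequest("dev-unknown", "US", datetime(2017, 6, 21, 3, 15)),
}
```

Only the "suspicious" request trips all three signals and is blocked outright; the new device from a familiar place and time is routed to a step-up check rather than refused.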

Although the new model authentication landscape is yet to be fully designed, what is already clear is that change in this area should be an urgent priority for financial services. Across all aspects of a financial services system the password is now obsolete as an effective security tool, and its primary characteristic is the degree of friction it injects into authentication.

Phasing passwords out and replacing them with a combination of non-human-reliant composite authentication data points combats both of these faults. With the data now available to build more reliable user profiles, the evolution away from passwords is an obvious and logical progression.