Why the human factor must be taken out of the authentication process

By Jeff Carpenter | 25 April 2017

Today’s need for smarter cybersecurity in financial services is a self-evident one. As corporations embrace the digital age, increasing volumes of valuable data are stored online, and an increased number of users are granted access to that data through a variety of channels (and therefore become end points of the system). This development results in greater opportunities and rewards for the cybercrime community as the already target-rich environment expands.

However, while developing a thorough defense system is imperative, concurrently it is equally vital that authentication systems do not become overbearing, confusing for the user, or weighed down by friction, as this results in low productivity or just generally non-conforming behaviour by end users.

Authentication systems that are heavily dependent on human input suffer from several problems. A password-centric authentication process, and even a two-factor authentication process involving a password, is ultimately reliant on human beings to ensure its utility. This reliance makes the system vulnerable to breaches from bad actors who can replicate the human authentication input, while simultaneously preventing authorized users who are inadequately trained, motivated, or equipped with the correct information from gaining access.

75% of all data breaches (a number which continues to rise) are currently attributable to weak or stolen credentials; it is clear that the end points of password-dependent systems by nature present an easy and obvious target for criminals to attack. Replacing this method of authentication, or building other authentication factors to act as a safety net, removes the risk of bad actors gaining legitimate access to a system using lost or shared authentication credentials.

For a decade there has been a movement in the technology community advocating for the removal of human-supplied information, i.e. passwords or some other form of credentials, from the authentication process in organizations. As humans are generally conditioned to cooperate and obey, phishing activity through channels such as email is remarkably successful, undermining any system with passwords at the heart of its security.

Beyond phishing, password stealing and social engineering also often prove fruitful for the cybercriminal. As cybercriminals continue to develop increasingly sophisticated techniques to breach systems through user-dependent end points, the predictability of humans becomes more and more evident as a flaw. The inability to match the cybercriminals’ development with equal levels of sophistication in credential generation has led to a huge imbalance in the reliability of a password system as a form of defense, to the point that no single-factor or two-factor authentication system based around passwords is a viable option for organizations needing to adequately protect valuable data.

Random passwords are stronger than user-generated passwords from a security perspective, but this adds another layer of friction to the authentication system, is expensive for an organization to run from an administration perspective, and still does not prevent bad actors from breaching the system, with or without the consent of an authorized user, by acquiring the password.

The solution is to remove passwords in their current form from the center of the authentication process by building multiple frictionless authentication layers into the system that are not reliant on human input. A varied inventory of authentication factors removes the impetus from the user to verify themselves as legitimate accessors to the system, solving both the issue of preventing users from accessing the system through lack of compliance, and unauthorized users having the capability to impersonate authorized users and gain access.

For many organizations legacy security systems rely on passwords as the primary method of authentication, and there would be a substantial amount of time and cost involved in removing these systems entirely. In these circumstances organizations must look to combat the pitfalls of human-generated passwords in conjunction with implementation of a multi-factor system.

For passwords to have an effective impact they must avoid any burden of human compliance. Passwords must be automatically generated, and automatically entered into a system without the user’s knowledge of the password. To maintain a level of strength, passwords should also be reset randomly after every authentication event.

These additional authentication factors should involve contextual data analysis, examining data created without human compliance to further separate users from the process. Time-specific and geo-specific or IP-specific authentication rules for individual users are examples of additional authentication factors which require no human input.
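The time-, geo- and IP-specific rules described above can be expressed as a per-user contextual policy that the server evaluates without any input from the user. The following is an added example, not code from the article or any product it discusses; the users, networks and working-hours windows are constructed, and the `country` value is assumed to come from a server-side geolocation of the connecting IP rather than from anything the client sends.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class ContextPolicy:
    work_hours_utc: tuple  # (start, end) hours, half-open; may wrap midnight, e.g. (22, 6)
    countries: frozenset   # ISO country codes the user is expected to log in from
    networks: tuple        # CIDR ranges of the user's known networks

# Constructed example policies: users, networks and windows are made up for this example.
POLICIES = {
    "alice": ContextPolicy((7, 19), frozenset({"GB"}), ("10.20.0.0/16", "192.0.2.0/24")),
    "bob": ContextPolicy((22, 6), frozenset({"US", "CA"}), ("198.51.100.0/24",)),
}

def in_window(hour, window):
    """True if `hour` (0-23, UTC) is inside the half-open window, handling midnight wrap."""
    start, end = window
    return start <= hour < end if start <= end else (hour >= start or hour < end)

def ip_allowed(ip, networks):
    """True if `ip` parses and falls inside one of the allowed CIDR ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # a malformed address is a failed factor, not a crash
        return False
    return any(addr in ipaddress.ip_network(net) for net in networks)

def evaluate_context(user, ip, country, at):
    """Return (allowed, failed_factors) for one attempt; `country` is server-side geo of `ip`."""
    policy = POLICIES.get(user)
    if policy is None:
        return False, ["no-policy"]  # unknown user: fail closed rather than skip the checks
    checks = {
        "time": in_window(at.astimezone(timezone.utc).hour, policy.work_hours_utc),
        "geo": country in policy.countries,
        "ip": ip_allowed(ip, policy.networks),
    }
    failed = [name for name, ok in checks.items() if not ok]
    return not failed, failed

SAMPLE_ATTEMPTS = [  # constructed login attempts with UTC timestamps
    ("alice", "10.20.4.7", "GB", datetime(2017, 4, 25, 9, 30, tzinfo=timezone.utc)),
    ("alice", "203.0.113.9", "US", datetime(2017, 4, 25, 3, 0, tzinfo=timezone.utc)),
    ("bob", "198.51.100.20", "CA", datetime(2017, 4, 25, 23, 15, tzinfo=timezone.utc)),
]

def run_samples():
    return [evaluate_context(*attempt) for attempt in SAMPLE_ATTEMPTS]
```

The failed-factor list is what a deployment would feed into step-up logic or alerting; the user is never asked to supply any of these values.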

For organizations, in addition to bolstering cybersecurity systems and retaining greater control over the authentication process, there are also clear financial benefits of developing a frictionless authentication system.

Authentication that is dependent on human compliance requires that all users have sufficient training to manage the system, which occupies an organization’s resources. This drain on resources is compounded by the necessity to maintain troubleshooting support for users, and the administration costs of doing so.

Further impacts on the overall profitability of the organization include workflow disruption for any user, particularly if the user is non-compliant with the system, and overall lower productivity caused by the friction in the process.

Ultimately corporations and financial services will fail in their cybersecurity objectives if they persist with putting the responsibility for system authentication into the hands of their users. Human-proofing an authentication system by increasing the number of technology-driven, automated authentication factors, and consequently removing the burden on passwords, puts access control back into the hands of the organization while simultaneously upgrading to a frictionless experience for users. A frictionless user experience and the most complete security system possible are the two priorities for any authentication system; removing human compliance entirely is the ultimate method of achieving both goals.
