User Authentication: Evolution and Associated Challenges
Introduction
Since the beginning of computer systems, identity verification approaches have been used for granting user access. Those approaches include the username and password paradigm, knowledge-based and token-based authentication. However, modern applications are embracing emerging identity authentication methods to reduce user friction and increase the level of security. And that’s the natural flow: as new security mechanisms are created, others become outdated. Gartner for instance defines password-based authentication as a legacy approach to identity verification, although it is still widely used.
Using password-based authentication is not a problem in itself; it becomes one when identity verification relies on passwords alone. Password-based verification pushes numerous security burdens onto users, as the rest of this article shows.
Before we discuss these challenges we’ll introduce the different phases of the access-control process, also known as the AAA framework (Authentication, Authorization, Accounting; the last is often called Auditing). These phases encompass:
- Authentication: In this phase, the user proves their identity with a username and password or another factor. The system compares the presented credential against the verifier it stores (for passwords this should be a salted hash, never the password itself) before granting access.
- Authorization: After authentication, the system decides what the user is allowed to do. During this phase, the activities a user can perform are determined by the system’s access policies.
- Accounting (Auditing): The final phase is recording what the user did during the session. All actions performed during the session are logged and retained so they can be reviewed later, for example during an incident investigation.
Legacy authentication methods
The term legacy authentication is not associated with a particular approach or protocol but with traditional methods that have been used for many years to verify user identity. Those methods are usually single-factor and do not include additional security mechanisms such as Multi-factor Authentication (MFA). Let’s explore some authentication methods that should no longer be relied on by themselves. They include:
- Password-based Authentication: The drawbacks of this method are clear: well-known attacks (brute force, dictionary attacks, credential stuffing) can break or bypass the password, and passwords are easily forgotten, stolen, guessed, and reused. Enforced password policies help, but they are typically not enough on their own to make authentication robust.
- Knowledge-based Authentication (KBA): For a long time it has been possible to authenticate or recover access to applications by supplying, alongside a password, a secret answer such as a sibling’s name, city of birth, or the name of a first pet, on the assumption that only the legitimate user knows the answer. However, KBA is highly vulnerable to social engineering, and the answers are often discoverable from public records or social media. Such attacks can be carried out by actors without advanced technical skills, which makes them far more likely to occur.
- Token-based Authentication: Token-based authentication is safer than the previous methods, although it may not be convenient for the user to carry a smart card or a hardware OTP device, and physical tokens can be lost or stolen. Soft tokens, which generate codes on the user’s own device, evolved from this concept and are more convenient and scalable, at the cost of inheriting the security of the device they run on.
It’s hard to imagine these methods still being used, but in fact, they are. We are not suggesting abandoning password-based authentication or any other method listed here, but rather complementing them with additional identity-proofing measures offered by emerging authentication technologies.
Emerging authentication technologies
Services are increasingly moving away from the username and password paradigm to stronger authentication methods. When multiple layers are added to the authentication process, security increases even when some legacy methods remain involved. The most widely used emerging authentication methods are:
- Biometrics: This method uses a person’s unique biological traits, such as fingerprints, face, voice, or iris. It offers better User Experience (UX), trust, and accountability than other credential-based methods. However, organizations must ensure the privacy and security of biometric data: unlike a password, a biometric is not secret and cannot be rotated if it leaks.
- Behavioral Analytics: Users are authenticated based on behavior patterns such as keystroke dynamics, gestures, device handling, gait, and even heartbeat. Artificial Intelligence and Machine Learning can be used to train models on past behavior and provide continuous authentication throughout a session rather than only at login.
- Passwordless: Eliminates the need for traditional passwords by relying on factors that are stronger than a password. Examples include hardware and software tokens, phone-as-a-token, and mobile MFA. Note that, even though we describe them separately in this article, biometrics and behavioral analytics can also be considered passwordless. Gartner estimates that, by 2025, more than 50% of the workforce and more than 20% of customer authentication transactions will be passwordless, up from less than 10% today.
- Federated Identities: Users authenticate once to a single trusted Identity Provider (IdP), which then asserts their identity to other services and applications through protocols such as SAML or OpenID Connect. This reduces the number of login credentials and user friction, which simplifies user access, but it also makes the IdP account a high-value target. Examples of IdPs include Google, LinkedIn, Microsoft, and Okta.
Other modern authentication technologies include public-key (asymmetric) cryptography, digital certificates, and One Time Passwords (OTPs).
Challenges in the authentication process
With the digital transformation process, almost every aspect of our lives happens online. According to a study from NordPass, an average user has between 80 and 100 passwords to remember. And as the expansion of digital services adds convenience, the identity verification process introduces challenges that should be taken into account. Some of those challenges are:
Poor User Experience (UX)
No one likes to face reCAPTCHAs several times in a row, picking the right images and still not getting through. UX is an important design principle when building an authentication scheme.
Good experience does not imply a lack of security: although users may feel inconvenienced by stronger safeguards, those safeguards are necessary against real threats. Jared Spool’s approach to security user experience revolves around reconciling robustness with usability for end users. A user-friendly authentication flow is essential to maintaining a high level of protection, because cumbersome or complicated procedures prompt users to work around them or opt out entirely, putting data and devices at risk.
Cybersecurity awareness: Users and employees need to be aware of potential threats since improper data management could lead to vulnerabilities exploited by attackers. When users gain cyber awareness they are able to realize how important organizational security policies are, thus comprehending the reason behind the complexity added to organizational processes in the name of cybersecurity.
Authentication in legacy devices
Legacy devices, often found in government institutions and critical infrastructure, pose a unique challenge: they must remain operational but cannot be migrated to newer platforms such as cloud-based architectures. These scenarios introduce authentication challenges that require attention.
Lack of encryption: Some legacy devices do not support encryption at all. Even with a strong authentication strategy in place, an attacker on the network path can intercept and read the traffic (a man-in-the-middle position). Remote access to such devices cannot use SSH, for example, and must fall back to Telnet, which sends the username and password in cleartext.
Lack of support for modern authentication protocols: Robust methods such as hardware-based authentication, or even standard protocols like OpenID Connect (OIDC), cannot be used on some legacy devices. It is then hard to implement anything other than username and password, which, as discussed above, is not secure on its own.
No updates or patches: Many legacy devices do not have the capability to be updated or patched. This means that even if a vulnerability in the authentication mechanism is discovered, it may not be possible to fix it.
Default credentials: Some devices ship from the factory with a preset password. Usually administrators can change it, but on some types of devices (not necessarily IT assets) this is not possible. Default credentials are insecure especially because the same factory value is shared across every unit and published in the vendor’s documentation, so anyone who knows the product knows the password and may gain unauthorized access.
Password strength
The strength of a password indicates its resistance to brute force, dictionary, and password-guessing attacks. When assessing password strength, the following aspects should be considered:
Complexity: Mixing lowercase and uppercase letters, digits, and symbols enlarges the space an attacker has to search. In practice, however, mandatory composition rules push users toward predictable patterns (a capital first letter, a trailing digit and symbol), which is why current NIST guidance advises against requiring them.
Length: The password should be long enough to resist offline guessing. Under the NIST password guidelines in Special Publication 800-63B, length matters more than complexity: the minimum is 8 characters for user-chosen passwords and 6 characters for randomly generated ones, and verifiers should accept passwords of at least 64 characters, including spaces, so that users can choose long passphrases.
Unique passwords: A strong password is useless if it is reused across services. If a malicious actor breaches one service and obtains its usernames and passwords, they can use those exposed credentials to access other services the victims use. The tactic of replaying stolen credentials against unrelated services is known as credential stuffing.
Other simple and effective ways to defeat password guessing and dictionary attacks are enforcing MFA and continuously checking passwords against known compromised-password lists. The latter is usually offered as a free service by cybersecurity companies (Have I Been Pwned’s Pwned Passwords is one example).
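Added example, not from the article: a password-acceptance check that follows the length-over-complexity guidance above, plus a breach lookup using the k-anonymity scheme of Have I Been Pwned’s Pwned Passwords API, in which the client sends only the first five hex characters of the SHA-1 hash and matches the rest locally. The blocklist, the sample range response and its counts are constructed for the demo, and the function names are the example’s own.

```python
"""NIST SP 800-63B style password check plus k-anonymity breach lookup
(added example, not from the article)."""
import hashlib
from typing import Optional, Set

MIN_LEN = 8    # 800-63B minimum for user-chosen memorized secrets
MAX_LEN = 64   # verifiers should accept at least 64 characters

# Constructed blocklist; a real deployment uses a large breached-password corpus
BLOCKLIST: Set[str] = {"password", "12345678", "qwerty123", "letmein1"}


def check_password(pw: str, username: str = "",
                   blocklist: Set[str] = BLOCKLIST) -> Optional[str]:
    """Return a rejection reason, or None if the password is acceptable.
    Deliberately no composition rules (upper/lower/digit/symbol): 800-63B advises against them."""
    if len(pw) < MIN_LEN:
        return f"shorter than {MIN_LEN} characters"
    if len(pw) > MAX_LEN:
        return f"longer than {MAX_LEN} characters"
    lowered = pw.lower()
    if lowered in blocklist:
        return "appears on the blocklist of common or breached passwords"
    if username and username.lower() in lowered:
        return "contains the username"
    if len(set(lowered)) <= 2:          # e.g. "aaaaaaaa" or "abababab"
        return "repetitive"
    return None


def hibp_range_query(pw: str):
    """k-anonymity split used by the Pwned Passwords API: only the first 5 hex characters
    of the SHA-1 leave the client; the 35-character suffix is matched locally."""
    digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(pw: str, range_response: str) -> int:
    """Parse a range response ("SUFFIX:COUNT" per line) and return how often `pw` was seen."""
    _, suffix = hibp_range_query(pw)
    for line in range_response.splitlines():
        sfx, _, count = line.strip().partition(":")
        if sfx.upper() == suffix:
            return int(count)
    return 0


def evaluate(pw: str, range_response: str, username: str = "") -> Optional[str]:
    """Combined policy: cheap local checks first, then the breach lookup."""
    reason = check_password(pw, username)
    if reason:
        return reason
    seen = breach_count(pw, range_response)
    if seen:
        return f"seen {seen} times in known breaches"
    return None


# Constructed stand-in for the API's reply to GET /range/5BAA6 (the prefix for "password").
# The counts are made up; a real response has hundreds of lines.
SAMPLE_RANGE_5BAA6 = """\
1E2C8E1A5EB0B8C7D4A0F3F6F9C2B1A0D9E:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
2F0A9C4B8D7E6F5A4B3C2D1E0F9A8B7C6D5:17
"""

if __name__ == "__main__":
    print(hibp_range_query("password"))
    print(breach_count("password", SAMPLE_RANGE_5BAA6))
    print(evaluate("correct horse battery staple", SAMPLE_RANGE_5BAA6))
```

Because the server only ever sees a 5-character hash prefix, it learns nothing usable about the password even if the request is logged; a real client would fetch the range over HTTPS and feed the body to `breach_count`.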
Conclusion
Usernames and passwords have been used since the beginning of computer systems to grant access to services and applications. However, the digitalization of services has multiplied the number of passwords a user has to remember. To address this, new authentication methods were developed, such as biometrics, behavioral analytics, passwordless, and federated identity.
Still, user authentication carries many challenges. Creating and remembering complex passwords degrades the UX, which leads to easy-to-guess or reused passwords and a larger attack surface. Besides that, legacy infrastructure may not be compatible with new authentication methods, which can prevent those technologies from being deployed at all.
Completely removing passwords from our lives is no easy task, and we are still far from a passwordless world. However, adopting emerging authentication methods can streamline identity verification, improve the User Experience, and protect the infrastructure against cyber threats.