We must stop blaming the user for the failures of authentication technology. As people have been required to manage almost every aspect of their lives through multiple accounts accessed through technology, authentication practices have evolved, but not necessarily improved.
Authentication technologies are not kind to users. Too many layers have been added and it’s not sustainable because people misuse complicated technology. Yet it’s the users, not the technology makers, who get the blame when things go wrong and mistakes lead to a data breach or a compromise of security. Authentication technology needs to be convenient; it must not require technical expertise to use, nor should it lead users to try and circumvent it.
The “convenience vs security” debate
The information security industry is often guilty of trying to force its culture on to everyone else, whether or not those rules make sense in other walks of life. Authentication is a prime example of this.
Let’s consider passwords. Users have long been told to create unique and complex passwords for each individual account they access. We know that the average person in the workforce has almost 200 accounts requiring passwords, making that advice absurd. To make things even harder, we’ve told users that they are not allowed to write their passwords down. In theory, I understand the intent behind this, but in reality, what’s more likely: someone breaking into your house and stealing the piece of paper with your passwords on, or someone brute-forcing or guessing your password online?
I hate the security-versus-convenience debate and its suggestion that we have to choose between the two, and when it comes to authentication specifically, it riles me even more. Consumers deserve an easier experience and should be able to utilise their power as consumers of products, services and sites to demand a less stressful and more convenient authentication experience.
Shared authentication and biometrics drawbacks
It’s easy to lament all of the mistakes made by the industry and the various shortcomings when it comes to authentication, but it’s a lot harder to accurately predict its future.
Shared authentication certainly ticks a lot of boxes in the convenience column, but lacks in security. If your Facebook or Google account is compromised, for instance, all other accounts authenticated using those platforms would be vulnerable too. We all know about eggs and baskets.
Touch ID and Face ID on phones is another indicator of the direction in which authentication is going, but biometric use carries concerns around privacy, politics and of course in the instance that the biometric authentication fails, it refers you back to enter your passcode. With authentication only as secure as the weakest authentication option, this is therefore ‘biometric for convenience’ as opposed to an increased level of security.
Design is key to the future
Design needs to play a big part in the future. Authentication design needs to be simpler, more usable and create far less friction and frustration for the user. Attractive design could even encourage security adoption, with the authentication process becoming desirable rather than dreaded.
On a more technical level, the future of authentication will likely rely on algorithms to determine a user’s identity and ultimately detect fraudulent behaviours and actions. It should be mostly invisible to the user, with machine-to-machine negotiation hidden behind the scenes. Credit card companies have been doing this for years – fraud detection that is invisible to the user that successfully detects crime without friction for the consumer.
Machine-learning and artificial intelligence will be utilised to pull insight from authentication events and find behavioural patterns.
I have hope for a future where authentication is seamless (and mostly invisible), where identities are less hackable, and where passwords are obsolete. Until then, let’s stop blaming the user and focus instead on making authentication technology that doesn’t require us to make a choice between usability and security.
In association with Infosecurity Magazine