Over the last couple of decades, multi-factor authentication, widely known as MFA, has become popular jargon in the cybersecurity industry. Whether to protect an email account, log into a service, or perform a bank transaction, most of us have dealt with multi-factor authentication. This blog post is a review of the history of authentication and how the evolution of MFA methods changed the face of cybersecurity. Technological developments promise affordable and user-friendly multi-factor authentication, which includes typing biometrics as an innovative option.
The context for authentication
Cybercrime is on the rise
In the early 2000s, Bill Gates predicted the death of the password as a single measure of account protection. In short, he was right. Passwords are simply not enough. Billions of people are the victims of cybercriminals, having their credentials stolen from databases of corporations such as Marriott, Equifax, and Yahoo. Although hacked personal data is problematic for everyone, the bad news is that as long as there is a financial gain, hackers are not going to stop anytime soon. Instead, cybercrime is on the rise and continuously evolving. The annual global costs associated with data breaches are forecast at $2.1 trillion in 2019.
Authentication changed cybersecurity
What can we do to secure our accounts? Apply multi-factor authentication (MFA), which makes it harder for hackers to access private data. By requiring the provision of identity evidence, MFA ensures only the owner of an account can have access to it. It entails the use of two or more security factors, including knowledge (something you know), possession (something you have), and inherence (something you are).
The history of authentication
Passwords are the oldest single-factor authentication system in the world, used with computing systems since 1961, when the first computer system implemented password login. Kim Dotcom claims to have invented two-factor authentication back in 1997, when he was awarded a patent for his “method for authorizing in data transmission systems employing a transaction authorization number or a comparable password.” However, an AT&T patent precedes Kim’s, having been granted a couple of years earlier in 1995. Regardless of who invented it, authentication is becoming more and more popular and affordable, and people should be given the opportunity to use it in order to secure their accounts.
Two reasons to avoid MFA
When authentication emerged decades ago, it was unappealing to the masses. The reasons for this are still relevant today. One reason remains the cost and inconvenience of additional hardware, such as portable tokens or biometric scanners. On top of that, the end-user is burdened with friction during the login process, due to the effort required to memorize information, access tokens, or to have their biometrics scanned.
However, the evolution of authentication methods changed the face of cybersecurity.
The evolution of authentication
For a long time, MFA providers wrestled with security and usability without much success. While private individuals rejected MFA due to friction concerns, enterprises overlooked MFA due to the complexity and costs associated with the procurement of software and hardware, on-premise deployment, and maintenance.
The ubiquity of smartphones pushed MFA adoption
However, the introduction and the mass adoption of smartphones meant less hassle during authentication. Being able to produce both possession and biometric factors from one place (the phone) meant an important decrease in disruption levels. Mobile phones support measures like one-time passwords (OTP) through SMS or email, and key push notifications. Acuity predicts that by 2020, 4.8 billion smartphones will support biometrics such as fingerprint scan, voice recognition, or facial identification.
2FA got worldwide attention
Moreover, cloud technologies, enterprise mobility, and the increased use of bring-your-own-device (BYOD) policies solidified the positive trend in MFA implementation. MFA got worldwide attention when two-factor authentication (2FA) started to be more frequently adopted by large brands, including Apple, Facebook, and eBay. Two-factor authentication requires two different types of identity evidence before a user is allowed access to an account. For example, the use of username and password (a knowledge-based factor), followed by one-time passwords via email or SMS (a possession-based factor), or biometric factors like the unique typing pattern.
Legislation and regulations, including PCI-DSS, PSD2, and NIST, align on requiring better protection for customer data against illegitimate access. They cover policies, procedures, and the implementation of authentication measures. Such enforcement directs not only governmental agencies but also enterprises within a range of industries such as commercial security, finance, banking, software services, and healthcare.
The boost in MFA’s popularity happened when technological advancements and legislation were leveraged for global cybersecurity purposes.
MFA has indeed become popular jargon in the cybersecurity industry due to its widespread global use. A study by Okta on their customers shows that, in 2018, 70% of companies used two to four different authentication factors. Turning on MFA is common as well, with 26% of individuals using it in their private lives and 38% at work.
There is a plethora of markets where MFA can easily be applied, such as account login, ATM, online banking, driver’s license, eLearning, etc.
Today, three categories of factors are available to link an individual with the established credentials:
- Something You Know – Knowledge
A quick look at authentication factors is enough to see some concerning drawbacks. Lower assurance factors are no longer perceived as trustworthy. For example, security codes sent through text messages can be intercepted or redirected, and the answers to security questions are easily available via public records or on social media.
- Something You Have – Possession
There is a shift toward more secure factors such as one-time password codes (OTP), push notifications, app-generated codes, security tokens, smart cards, or physical keys. However, these can be stolen or lost, and they implicitly create additional costs and disruption.
- Something You Are – Inherence
Biometrics can be traced back to the 19th century, gaining popularity in modern times due to technological progress in the field. While finally taking off in the consumer space, biometrics’ intrusive nature remains a crucial reason for skepticism. Moreover, some biometrics like fingerprint or facial scan are less secure, as they can be duplicated. Others, like voice recognition, are often too cumbersome. All of these stand as challenges for the user adoption of strong identity and multi-factor authentication.
The future of authentication
The trend in user authentication is behavioral biometrics, which analyzes patterns in the mannerisms of people (gestures, keystrokes, mouse movements, gait, etc.). Sophisticated technology allows for a thorough comprehension of people’s unique actions. It is usually regarded as a supplement to traditional authentication approaches like passwords, smart cards, and PINs.
Typing biometrics used for secure and frictionless MFA
As mentioned, user-friendliness, as well as privacy protection, are critical in how people perceive authentication. Typing biometrics provides accurate online security based on how people type on their keyboards. Typing biometrics analyzes new typing patterns against previously recorded samples to produce a matching score. If this score is within the predetermined thresholds, the user receives access to their account. This way, people can stay secure while just typing their credentials in the login. Even if credentials are breached, security is intact as it is almost impossible to replicate someone’s typing pattern.
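The matching step described above, sketched as an added example (not code from the original post or from any typing-biometrics product): key press and release timings are reduced to dwell and flight times, compared with a template built from recorded samples, and the resulting score is checked against a threshold. The function names, the scaled Manhattan distance, the 0.5 threshold and all timings are assumptions constructed for illustration.

```python
from statistics import mean, stdev

def make_events(text, dwells, flights):
    """Build constructed (key, press_ms, release_ms) events for sample data."""
    t, events = 0, []
    for i, ch in enumerate(text):
        events.append((ch, t, t + dwells[i]))
        if i < len(flights):
            t += dwells[i] + flights[i]
    return events

def features(events):
    """Dwell time per key, then flight time between consecutive keys (ms)."""
    dwell = [rel - prs for _, prs, rel in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight

def enroll(samples, sigma_floor=5.0):
    """Template = per-feature mean and spread over the recorded samples."""
    cols = list(zip(*(features(s) for s in samples)))
    # Floor the spread: a few very consistent samples would otherwise
    # make the template reject the genuine user on timer jitter alone.
    return [mean(c) for c in cols], [max(stdev(c), sigma_floor) for c in cols]

def match_score(template, events):
    """Scaled Manhattan distance mapped to (0, 1]; 1.0 is a perfect match."""
    mu, sigma = template
    f = features(events)
    if len(f) != len(mu):  # different text length: nothing to compare
        return 0.0
    dist = mean(abs(x - m) / s for x, m, s in zip(f, mu, sigma))
    return 1.0 / (1.0 + dist)

THRESHOLD = 0.5  # hypothetical; tune on real data (false accepts vs. rejects)

def authenticate(template, events, threshold=THRESHOLD):
    return match_score(template, events) >= threshold

# Constructed timings for the typed text "pass" (not real user data)
ENROLLED = [make_events("pass", d, f) for d, f in [
    ([95, 110, 80, 90], [120, 60, 140]),
    ([100, 105, 85, 95], [130, 55, 150]),
    ([90, 115, 78, 88], [125, 65, 135]),
]]
TEMPLATE = enroll(ENROLLED)
GENUINE = make_events("pass", [97, 108, 82, 92], [122, 62, 143])
IMPOSTOR = make_events("pass", [60, 70, 140, 65], [40, 200, 50])
```

With these constructed samples the genuine attempt scores about 0.75 and the impostor, typing the same characters with a different rhythm, scores below 0.1.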
The evolution of MFA methods changed the face of cybersecurity. Technological developments promise affordable and user-friendly multi-factor authentication, which is the main vector in any comprehensive privacy protection system. Typing biometrics is an innovative behavioral biometrics authentication method which focuses on individuals’ unique typing patterns, and which can be used as part of an integrated and robust MFA system.