Accessibility Trumps Security in the Battle Between Authentication Alternatives

A new Ping Identity survey has revealed that simplicity wins out over security when it comes to authentication. Respondents to our recent survey knew what provided better security, but continued to use weaker, if simpler forms of authentication as their primary log in methods. 

The Ping Identity consumer privacy report aims to look at consumer attitudes towards privacy, security and identity protection. To that end, we surveyed 3,264 consumers across the US, UK, France and Germany to test public attitudes towards security in 2018. 

While over half of respondents (51%) believed biometric solutions to be more secure, user/password combinations were the primary sign in method for 70%. Actually, only 10 percent of respondents use biometric authentication as a primary log in. 

We have the technology to make authentication more secure, so why do we insist on outdated, tired and inferior solutions? The password’s imminent death has been the conventional wisdom for many years, almost too long to believe that it's still conventional wisdom. Still Bill Gates said it, IBM said it, Google said it and everyone’s been saying it for years, so it must be true. Right?

Passwords, for all their weaknesses are a known quantity. Yes, there are superior alternatives that should have buried it a long time ago but we should know that security is never just about security. 

Cormac Herley and Paul van Oorschot pressed upon this point in their paper The Persistence of Passwords. The notion that passwords are dead, the authors declared, was “spectacularly incorrect.” In fact, there are plenty of factors other than security that go into the unconscious clinging to the password. They state that "no other single technology matches their combination of cost, immediacy and convenience.”

Biometrics, or other alternatives, might provide better security but they may not fulfil the other demands that an enterprise wants out of a security solution. 

Alternative forms of authentication could bring more costs as well as a cumbersome process of hardware integration and user education. By comparison, passwords are simple, cheap and easily replaceable. 

It's also starkly obvious that security is often not high on the list of enterprise concerns. Breach after breach shows that enterprises are making the simplest mistakes time and time again. Unpatched vulnerabilities, exposed credentials and poor cyber-hygiene are all some of the most basic, most common, and - from a hacker’s point of view - most useful ways into an organization.

If that’s the case, the prospect of enterprise’s adopting solutions that might advance their security stance doesn’t look very strong. That image of everyday enterprise security is changing though. These findings might offer us a new perspective on how to hasten that change. 

The conflict between simplicity and security is often false a dichotomy. The fact that most users prefer the simplicity of a password does not mean a rejection of more advanced solutions. Rather it requires a change in thinking on the part of decision makers.

The fundamental problem of the password is that it so heavily relies on its user and its users, being human, engage in all manner of poor security habits: they share passwords, they write them down in plain view, they create weak ones which anyone could guess and they make every mistake there is to make when it comes to creating a password. 

In fact, 81% of data breaches involve weak, default and stolen passwords. So, considering the human weaknesses that have for so long beset the password, it might be a good idea to take them out of the picture. There are plenty of ways to do that too.

There are plenty of factors beyond personally recorded usernames/passwords that can be used to effectively authenticate someone without the need for much user intervention. For example, a device ID which ensures the security, and ownership of an access-requesting device.

There are contextual factors too, such as time of day or location, which can ensure that the access request is legitimate. There is always biometrics too, which are already being employed in a relatively frictionless manner in leading consumer electronics like the iPhone. 

Single Sign On (SSO) can use those factors to enable greater accessibility - using one point of sign on. More passwords and sign-ons often don’t enable better security, but merely provide more points of failure, using one set of credentials can securely grant seamless access to a whole range of connected services across SaaS, mobile, cloud and enterprise. 

Multi-Factor Authentication (MFA) combines authenticating factors such as something you know (such as a password), something you have (such as an ID card), something you are (this could be biometric), thereby providing multiple barriers to potential intruders. 

While many applications of MFA use passwords, it is entirely possible to apply MFA without any passwords at all. In fact, you can employ mobile push authentication, tokens or one time passwords to provide a simple but secure user experience. 

People might want the simplest option when it comes to security but that by no means the weakest. In fact, security set against accessibility is so often a false choice and there exist today a variety of solutions which can marry these two needs, providing a seamless user experience that users want and the security that an enterprise needs. 

What’s Hot on Infosecurity Magazine?