Security Experts:

Is Passive Authentication the Future for User Authentication?

Passive Authentication May be the Future for User Authentication, and it's Just Beginning to Appear

The problem with passwords is not in the theory but in the practice. Having to create and remember long, strong and secure passwords gets in the way of work (called friction); so users create short, weak and insecure passwords (to reduce the friction). The result is that passwords are not secure, and authentication needs to be improved.

The usual process for this is to add extra layers of authentication, often in the form of an additional passcode sent to the user's mobile phone. The conceptual problem with this approach is that it increases the cause of the initial difficulty; that is, user friction. If users are tempted to bend the rules on passwords, they are very much more tempted to make SMS codes easier (and therefore less secure), or simply to complain louder over the process.

It's a conundrum that actually does have a possible solution: the rise of passive biometrics (such as keystroke patterns) and behavioral analytics (such as time-stamps and IP geolocation) for user authentication--neither of which, by definition, create any user friction. It's just beginning to find its way into commercial products, albeit rather conservatively so far.

Security officers are largely watching and waiting. They like the idea of reducing user friction, but do not yet have sufficient confidence in the security of the concept. One of the big problems is that there are no metrics on the security strength of behavioral analytics. It's relatively easy to prove that a long password of mixed characters and punctuation will take so many thousands of years to crack. It is impossible, so far, to relate behavioral analytics to the same form of strength measurement.

Passwords remain the bedrock of authentication, increasingly supported by SMS passcodes. But many companies won't introduce that second factor simply because of the increased user friction: they don't wish to upset staff or annoy customers. Recognizing this, commercial vendors are increasingly offering passive options, while retaining the provably strong SMS option.

One such company is CensorNet, which today announced its certification under the CenturyLink Cloud Marketplace Provider Program. "As data and applications move to the cloud, the solution [CensorNet's Adaptive Multi-Factor Authentication] authenticates users through their mobile devices."

CEO Ed Macnair explains in more detail: "The growing use of cloud applications has changed the way we work, but this trend has also created a new attack vector for cybercrime and is putting CIOs under pressure to encourage productivity and protect sensitive data at the same time. Weak or stolen passwords are still the major source of network breaches, so CensorNet's authentication capability helps businesses verify the identity and location of employees as they access company systems or networks. Our authentication solution improves an enterprise's control and visibility over data that employees can view."

While still offering the fallback SMS second factor for authentication, CensorNet is increasingly offering behavioral analytics based on context. "It's all about context," he told SecurityWeek.

"SMS PASSCODE can be configured to dynamically change the level of authentication needed based on where the users are located, what application they are logging in to, and what network they are logging in from," Macnair said.  "For example, if the user is logging in from a trusted location such as the comfort of their home (where they have logged in from before), then they will not be prompted for a one-time password in order to authenticate. On the other hand, if they are attempting to log in while traveling, for example, from an airport lounge or hotel with public Wi-Fi, then a one-time password is mandatory to gain access."

view counter
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.