Security Experts:

Connect with us

Hi, what are you looking for?


Identity & Access

Is Passive Authentication the Future for User Authentication?

Passive Authentication May be the Future for User Authentication, and it’s Just Beginning to Appear

Passive Authentication May be the Future for User Authentication, and it’s Just Beginning to Appear

The problem with passwords is not in the theory but in the practice. Having to create and remember long, strong and secure passwords gets in the way of work (called friction); so users create short, weak and insecure passwords (to reduce the friction). The result is that passwords are not secure, and authentication needs to be improved.

The usual process for this is to add extra layers of authentication, often in the form of an additional passcode sent to the user’s mobile phone. The conceptual problem with this approach is that it increases the cause of the initial difficulty; that is, user friction. If users are tempted to bend the rules on passwords, they are very much more tempted to make SMS codes easier (and therefore less secure), or simply to complain louder over the process.

It’s a conundrum that actually does have a possible solution: the rise of passive biometrics (such as keystroke patterns) and behavioral analytics (such as time-stamps and IP geolocation) for user authentication–neither of which, by definition, create any user friction. It’s just beginning to find its way into commercial products, albeit rather conservatively so far.

Security officers are largely watching and waiting. They like the idea of reducing user friction, but do not yet have sufficient confidence in the security of the concept. One of the big problems is that there are no metrics on the security strength of behavioral analytics. It’s relatively easy to prove that a long password of mixed characters and punctuation will take so many thousands of years to crack. It is impossible, so far, to relate behavioral analytics to the same form of strength measurement.

Passwords remain the bedrock of authentication, increasingly supported by SMS passcodes. But many companies won’t introduce that second factor simply because of the increased user friction: they don’t wish to upset staff or annoy customers. Recognizing this, commercial vendors are increasingly offering passive options, while retaining the provably strong SMS option.

One such company is CensorNet, which today announced its certification under the CenturyLink Cloud Marketplace Provider Program. “As data and applications move to the cloud, the solution [CensorNet’s Adaptive Multi-Factor Authentication] authenticates users through their mobile devices.”

CEO Ed Macnair explains in more detail: “The growing use of cloud applications has changed the way we work, but this trend has also created a new attack vector for cybercrime and is putting CIOs under pressure to encourage productivity and protect sensitive data at the same time. Weak or stolen passwords are still the major source of network breaches, so CensorNet’s authentication capability helps businesses verify the identity and location of employees as they access company systems or networks. Our authentication solution improves an enterprise’s control and visibility over data that employees can view.”

While still offering the fallback SMS second factor for authentication, CensorNet is increasingly offering behavioral analytics based on context. “It’s all about context,” he told SecurityWeek.

“SMS PASSCODE can be configured to dynamically change the level of authentication needed based on where the users are located, what application they are logging in to, and what network they are logging in from,” Macnair said.  “For example, if the user is logging in from a trusted location such as the comfort of their home (where they have logged in from before), then they will not be prompted for a one-time password in order to authenticate. On the other hand, if they are attempting to log in while traveling, for example, from an airport lounge or hotel with public Wi-Fi, then a one-time password is mandatory to gain access.”

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Identity & Access

Strata Identity has raised $26 million in a Series B funding round led by Telstra Ventures, with additional investment from Forgepoint Capital, Innovating Capital,...