
Although passwords are used to authenticate users for most business activities, they are not the most effective way to secure critical information or accounts. Passwords have become an essential element of society and the workplace, yet in recent years they have proven insecure for a variety of reasons.

Companies and users are actively looking for more secure password alternatives. As World Password Day approaches, let’s look into additional access security options.

Passwords are still the most used form of authentication on the market today. And this makes perfect sense. Passwords are simple to implement, inexpensive (on the front end), and useful in conjunction with other authentication techniques.

Passwords, on the other hand, are an artifact of a bygone era of computing, when users dealt with local or network equipment on a much smaller scale. Some of the fundamental flaws of password-based authentication are being demonstrated by modern technology, which is predicated on people interacting with hundreds of accounts.

Some of these can be classified as follows:

  • Social Engineering: Phishing is one of the most prevalent forms of cyberattacks globally, counting on the fact that people will fall for official-looking communications. The success of these attacks also relies on the reality that passwords are completely compromised once given away, and it only takes a few minutes to lose control of an account or a system.
  • Database Theft: Passwords need to be stored somewhere. That “somewhere” is usually a central database—a database that has a huge target on it, depending on its owner. Once a database is hacked, even encrypted passwords will eventually be compromised. 
  • Lack of Identity Proofing: Passwords are a form of authentication that cannot guarantee the user’s presence. This means that whoever has the password will be considered authentic no matter where they are. Identity proofing and assurance are impossible with passwords alone. 
  • User Experience and Bad Cyber Hygiene: One or two passwords are manageable. Dozens, perhaps a hundred, are not. To help users juggle these passwords, they often avoid following best password practices, like creating long, complex passphrases and using unique phrases for every platform. This leaves them vulnerable to brute-force attacks and password spraying.

So, while passwords are common, and there are ways to make better use of them, they also have some fundamental flaws across security, usability, and flexibility for compliance. Unsurprisingly, commercial firms will frequently offer comprehensive alternatives to single-password authentication methods. Replacing passwords as the sole authentication method protects not only the end user, but also the enterprise.

Some of the most frequent types of password substitutes are as follows:

Personal Identification Numbers

Sometimes companies will call for a PIN alongside a password, essentially asking for two different forms of password-like identification. Typically, you won’t find an organization fully replacing passwords with PINs because, by and large, they serve the same purpose and introduce the same risks.

Multi-Factor Authentication

Multi-factor authentication uses two or more different forms of authentication. By calling for multiple forms of identity verification, the system can assure that the user is who they say they are and that their credentials haven’t been stolen.

For MFA to work, however, the authentication process must include two or more different types of credentials:

  • Knowledge: The user proves that they know something, like a password or PIN.
  • Ownership: The user confirms that they own or hold something, like a mobile device or email account.
  • Inherence: The user proves that they are someone through biometric evidence from their body or behavior. 

By combining two or more of these categories, a system can reduce the risk of fraud or identity theft. 

Some common forms of MFA, including the most common two-factor authentication systems, will use passwords in combination with one of the following items:

  • One-time passwords: OTPs are delivered at the point of authentication, automatically generated by the system and sent to a location that only the user should have access to (ownership). These locations can include an email, SMS text, or automatically generating OTP through a mobile verification app.
  • Biometrics: Several biometrics categories (see below) serve as verification of “inherence.”
  • Geolocation: Some modern authentication methods will check a badge or mobile device for location and only allow authentication based on proximity to a physical space, like an office.
  • Physical Keys: Physical authentication devices differ from OTPs in that they can provide additional security based on cryptography while still serving as proof of ownership. These work well when very close physical proximity to a device or security control is required.

Biometrics

Biometrics is the most rapidly expanding form of authentication on the market, mainly due to the proliferation of devices that can collect biometric data quickly. Biometrics are also popular because they are tough to fake—while some biometric information can be spoofed, it’s much more difficult to do than, say, stealing a password. 


Biometrics also short-circuit some of the weaker aspects of passwords, specifically that most biometrics require some sort of physical presence and reduce the threat of phishing attacks.

Some common forms of biometric authentication include the following:

  • Fingerprint Scan: Many smartphones, tablets, and workstations include the option for fingerprint scanners. While not 100% unique across the entire human population over time, fingerprints are still remarkably useful alongside or as a replacement for passwords. 
  • Facial Recognition: Many modern devices, including camera-enabled computers, can perform facial scans, which are surprisingly unique when factoring in the size, shape and location of every piece involved (hair, eyes, nose, ears, mouth, etc.). 
  • Iris Scan: Like facial recognition, iris scans use camera-enabled devices to scan the shape and contours of the iris, a part of the body that is as unique as, if not more than, a fingerprint. 
  • Voice Verification: Voice analysis has historically been much easier to falsify than a facial scan. However, modern advancements in voice recognition with AI have made voice verification a viable tool for MFA solutions.

Single Sign-On (SSO)

The challenges of multiple passwords across multiple apps and platforms are monumental. Approaches to managing the complexity of this situation have led to solutions like federated identity, a practice of using a central identity and an authentication manager to log in to multiple platforms. The central organization does not broadcast password information. Instead, external partner sites will send assurance requests to that provider, and when approved, allow the user to authenticate using that set of credentials. 

This is a critical step in reducing the problem of weak passwords or password theft compromising multiple systems. 

A smaller version of this, SSO, uses federated identity for authentication within a single domain. So, for example, while broad providers like Google can help authenticate against a wide range of apps, an SSO solution would do the same for all your accounts tied to your job (cloud apps, HR solutions, etc.).

Introduction to Password-based Authentication

Password-based authentication is a method that requires the user to enter their credentials — username and password — in order to confirm their identity. Once credentials are entered, they are compared against the stored credentials in the system’s database, and the user is only granted access if the credentials match. 

Passwords are a knowledge factor, i.e., something only the user knows.

Ever since the dawn of the Internet, password authentication has been widely used due to its simplicity and broad user adoption. And despite its dwindling popularity in recent years due to security concerns that we’ll discuss below, studies show that last year 59% of businesses used password authentication to safeguard their digital resources.

Password-based authentication is intuitive for users: they enter the right credentials and they’re granted access to a page or service. On the back end, however, there are a few more technical steps to authentication than users see on the login page. 

Most password-based authentication systems follow a process in which:

  1. The user creates an account by providing a unique identifier such as email, username, or phone number.
  2. The user is prompted to create a password, which usually must meet certain complexity requirements.
  3. The set of credentials is stored in the system’s database, usually in an encrypted form to protect against data breaches.
  4. When a user tries to log in, the authentication system checks their submitted credentials against those stored in its database.
  5. If they match, the user is granted access.
  6. If they don’t match, the user will be denied entry and may be prompted to reenter their information or reset their password in case they forgot it. 

How do you Implement Password Authentication?

Registering with Username and Password

When a user first signs in to a website, they are asked for their username and password to identify themselves. If they don’t have an account, then they are prompted to make one and ultimately have to choose their username and password.

In a perfect world, a user would always pick a strong and unique username and password. However, that is not the case: most of the time, people pick something simple so they can remember it easily.

Enforcing Password Rules

In terms of security, the longer and more complex a user’s password is, the better.

It’s recommended that you enforce good-practice behaviors when a new password is formed. There should be certain minimum requirements for users; however, there also needs to be a happy medium between the requirements and how complex they are.

To enforce a strong password, here are some rules you should consider for your users:

  • Minimum of 8 characters
  • At least one uppercase letter
  • At least one number
  • At least one special character

Storing the User’s Credentials

Once the user chooses their username and password and clicks submit, the information needs to be stored somewhere. Your first move is to check that the user doesn’t already exist in the database. Once they have cleared that, you should check that the password meets your minimum requirements, and confirm that check on the server side (a client-side check alone can be bypassed).

Now that the user’s credentials have cleared that, you can store the information in your database but there is one more step that needs to happen: password hashing.

Password hashing involves using a one-way cryptographic function that takes an input of any size and outputs a different string of a fixed size.

So essentially, before you store any passwords in your database, you should always hash them. The hashed password will be totally unrecognizable from the plaintext password, and it will be next to impossible to regenerate the plaintext password from the hashed one.

Most programming languages have either a built-in functionality for password hashing or an external library you can use. Make sure you use a secure and vetted hashing algorithm when implementing password hashing.

Handling Returning Users

After a user registers, they’re likely going to come back to your site and when they do, you’ll have to verify their identity using their credentials. Once they submit their credentials through the login form, you’ll search your database for the username they’re signing in with (normally done through your server automatically). If there’s a match, then the hashed password they typed in should be identical to the one in the system.

Now what happens when a user forgets their login credentials? Let’s say the username required to sign in is an email address. You’ll have to generate a password reset link, email it to that user, and allow them to make a new password. Because you only have the user’s hashed password stored in the database, there’s no way to tell the user what their old password was; therefore, you prompt them to create a new one.
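The registration, storage, login and reset steps described above, as an added example that is not part of the original article: a server-side policy check implementing the four rules listed earlier, salted hashing with scrypt from Python’s standard library (one vetted option; the article does not prescribe an algorithm), constant-time comparison on login, and single-use, expiring reset tokens. The in-memory `USERS` and `RESET_TOKENS` dictionaries stand in for a real database and are an assumption of this example.

```python
import hashlib
import hmac
import os
import re
import secrets
import time
from typing import List, Optional, Tuple

# Assumed in-memory stores standing in for a database (constructed for this example).
USERS: dict = {}                 # username -> {"hash": stored hash string}
RESET_TOKENS: dict = {}          # token -> (username, expiry epoch seconds)
RESET_TTL_SECONDS = 15 * 60

# The article's minimum rules: 8+ chars, an uppercase letter, a number, a special character.
POLICY = [
    (lambda p: len(p) >= 8, "at least 8 characters"),
    (lambda p: re.search(r"[A-Z]", p) is not None, "an uppercase letter"),
    (lambda p: re.search(r"[0-9]", p) is not None, "a number"),
    (lambda p: re.search(r"[^A-Za-z0-9]", p) is not None, "a special character"),
]


def password_policy_errors(password: str) -> List[str]:
    """Server-side policy check: returns the unmet rules (empty list means the password passes)."""
    return [message for rule, message in POLICY if not rule(password)]


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted scrypt (hashlib, stdlib). The parameters travel with the hash so they can be raised later."""
    salt = salt or os.urandom(16)
    n, r, p = 2 ** 14, 8, 1
    digest = hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p, dklen=32)
    return f"scrypt${n}${r}${p}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt/parameters and compare in constant time."""
    _algo, n, r, p, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(digest.hex(), digest_hex)


# Hash of a random throwaway value, used so unknown usernames cost the same time as real ones.
DUMMY_HASH = hash_password(secrets.token_urlsafe(16))


def register(username: str, password: str) -> Tuple[bool, str]:
    """Step 1-3 of the article: reject duplicates, enforce policy server-side, store only the hash."""
    if username in USERS:
        return False, "username already taken"
    errors = password_policy_errors(password)
    if errors:
        return False, "password needs " + ", ".join(errors)
    USERS[username] = {"hash": hash_password(password)}
    return True, "registered"


def login(username: str, password: str) -> bool:
    """Step 4-5: look the user up and compare hashes; always do the work even for unknown users."""
    record = USERS.get(username)
    stored = record["hash"] if record else DUMMY_HASH
    matched = verify_password(password, stored)
    return matched and record is not None


def create_reset_token(username: str, now: Optional[float] = None) -> Optional[str]:
    """Unguessable, time-limited token that would be emailed to the user as a reset link."""
    if username not in USERS:
        return None
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[token] = (username, (now or time.time()) + RESET_TTL_SECONDS)
    return token


def reset_password(token: str, new_password: str, now: Optional[float] = None) -> Tuple[bool, str]:
    """Consume the token (single use), check expiry, re-apply the policy, store the new hash."""
    entry = RESET_TOKENS.pop(token, None)
    if entry is None:
        return False, "invalid token"
    username, expiry = entry
    if (now or time.time()) > expiry:
        return False, "token expired"
    errors = password_policy_errors(new_password)
    if errors:
        return False, "password needs " + ", ".join(errors)
    USERS[username]["hash"] = hash_password(new_password)
    return True, "password updated"
```

The `now` parameter on the reset functions exists so expiry can be exercised deterministically; in production you would leave it unset. The dummy hash on unknown usernames is there so response time does not reveal whether an account exists.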

Even with maximum safety, password authentication still has its vulnerabilities.

User Generated Credentials

How do user-generated credentials pose a threat? Since users have to create their own passwords, there’s always a chance that they won’t create secure credentials. The majority of user generated passwords are considered weak and easily vulnerable to hacking. It’s usually because users want to have a password that’s easy to remember but aren’t up to date on password security best practices, or subconsciously use patterns to generate their passwords.

Even if your website is equipped with a password strength-checking tool, the results can be inconsistent and inaccurate, leading users to a false sense of security.

Creating a complex password can be difficult because our minds are drawn toward patterns. If you think about all the passwords you create, they all likely follow a similar pattern or formula such as using a word with numbers and a special character at the end.

As a user, these patterns make it easier for us to remember our credentials; however, cybercriminals are also aware of said passwords and as a result, can use this knowledge to adjust how they crack password combinations.

Brute Force Attacks

How do brute force attacks pose a threat? Well, a brute force attack occurs when a computer program runs through every password combination until they find a match. The system will run through all one-digit combinations, two-digit combinations, and so forth until your password is finally cracked. Some programs will specifically focus on combing through the most commonly used dictionary words, while other programs will target popular passwords against a list of possible usernames.

Aside from simply guessing your password, a brute-force attack is the most common technique hackers use. They are able to run through thousands of combinations in less than a second, which means that shorter passwords can be cracked in a very short time.
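From the defender’s side, the two attack patterns described above (many guesses against one account, and a few popular passwords tried against many usernames, i.e. password spraying) look different in authentication logs. The following detection logic is an added example, not code from the article; the log format, the sample lines and the thresholds are constructed for illustration and would be adapted to a real system’s logs.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone
from typing import List, Tuple

# Constructed sample authentication log (not real data). Addresses are documentation ranges.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z auth result=FAIL user=alice src=198.51.100.7
2024-03-01T09:00:03Z auth result=FAIL user=alice src=198.51.100.7
2024-03-01T09:00:05Z auth result=FAIL user=alice src=198.51.100.7
2024-03-01T09:00:07Z auth result=FAIL user=alice src=198.51.100.7
2024-03-01T09:00:09Z auth result=FAIL user=alice src=198.51.100.7
2024-03-01T09:00:11Z auth result=FAIL user=alice src=198.51.100.7
2024-03-01T09:00:15Z auth result=FAIL user=bob src=203.0.113.9
2024-03-01T09:00:16Z auth result=FAIL user=carol src=203.0.113.9
2024-03-01T09:00:17Z auth result=FAIL user=dave src=203.0.113.9
2024-03-01T09:00:18Z auth result=FAIL user=erin src=203.0.113.9
2024-03-01T09:00:30Z auth result=FAIL user=grace src=192.0.2.4
2024-03-01T09:00:45Z auth result=OK user=grace src=192.0.2.4
this line is deliberately malformed and must be skipped
"""

# Assumed log line layout for this example: "<ISO8601Z> auth result=<OK|FAIL> user=<u> src=<ip>"
LINE_RE = re.compile(r"^(?P<ts>\S+) auth result=(?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")

Event = Tuple[float, str, str, str]  # (epoch seconds, result, user, src)


def parse_log(text: str) -> List[Event]:
    """Parse matching lines into sorted events; lines in an unknown format are skipped, not fatal."""
    events: List[Event] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()
        events.append((ts, m["result"], m["user"], m["src"]))
    events.sort()
    return events


def max_distinct_in_window(items: List[Tuple[float, str]], window: float) -> int:
    """Sliding window over sorted (timestamp, key) pairs: the largest number of distinct keys
    seen within any span of `window` seconds."""
    counts: Counter = Counter()
    best = left = 0
    for right, (ts, key) in enumerate(items):
        counts[key] += 1
        while ts - items[left][0] > window:
            old_key = items[left][1]
            counts[old_key] -= 1
            if counts[old_key] == 0:
                del counts[old_key]
            left += 1
        best = max(best, len(counts))
    return best


def detect(events: List[Event], window: float = 60, brute_threshold: int = 5,
           spray_threshold: int = 4) -> List[tuple]:
    """Brute force: >= brute_threshold failures for one (src, user) inside the window.
    Spraying: one src failing against >= spray_threshold distinct users inside the window."""
    per_pair = defaultdict(list)        # (src, user) -> [timestamps of failures]
    per_src = defaultdict(list)         # src -> [(timestamp, user) of failures]
    for ts, result, user, src in events:
        if result != "FAIL":
            continue
        per_pair[(src, user)].append(ts)
        per_src[src].append((ts, user))

    alerts: List[tuple] = []
    for (src, user), times in per_pair.items():
        # Each failure gets a unique key, so "distinct keys" is simply the failure count.
        if max_distinct_in_window([(t, str(i)) for i, t in enumerate(times)], window) >= brute_threshold:
            alerts.append(("brute_force", src, user))
    for src, items in per_src.items():
        distinct_users = max_distinct_in_window(items, window)
        if distinct_users >= spray_threshold:
            alerts.append(("password_spray", src, distinct_users))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the constructed sample this flags one brute-force source against `alice` and one spraying source that touched four accounts, while `grace`, who mistyped once and then logged in, raises nothing. Thresholds and window length are the tuning knobs; the spray check is the one most often missing, because per-account lockout never triggers when each account sees only one failure.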

Recycled Passwords

How do recycled passwords pose a threat? It’s suggested that users create passwords that are at least 8 characters in length, and use a combination of uppercase and lowercase letters, numbers and symbols. Each password should be unique to each account, meaning no repeats.

This might be possible if users had only one or two personal accounts, but the average user has over 90 online accounts, and that number is predicted to increase in the coming years.

The challenge is that, in order for passwords to be secure, they need to be long and complex. But that makes them difficult for the user to remember and not user-friendly. Since remembering a unique and complex password is difficult, users have to store their passwords somewhere they can reference them. If the user relies on low-tech solutions such as a sticky note or a Word document on their laptop, those passwords become easier to steal and/or lose.

Large-Scale Breaches

How do large-scale breaches pose a threat? Password breaches are becoming a real concern for businesses and organizations of all sizes. When you store all of your users’ credentials, it puts you at risk of a breach, and simply encrypting the information is often not enough. It’s crucial that developers understand that weak internal passwords and improper storage of credentials could make a hacker’s job easier.

Password breaches at other websites could affect your website’s security. If you’re using a service from a company that recently had a password breach, your own employees’ accounts could be compromised, which puts your end users at risk.

Explanation And Example of Biometric Authentication

Biometric authentication is a cybersecurity procedure that confirms a user’s identification by utilizing unique biological characteristics such as fingerprints, voices, retinas, and facial features. When a user enters their account, biometric authentication systems record this information in order to validate their identity. This type of authentication is typically more secure than regular multi-factor authentication methods.

Types of Authentication Methods

The following are a few common authentication methods used for network security and designed to beat cybercriminals; some of the biometric authentication technologies below are ones that you might use daily.

Facial recognition: These systems use a person’s unique facial features to identify them. It’s used in a variety of places such as smartphones, credit card payments, and law enforcement.

Fingerprint Recognition: Fingerprint authentication uses a person’s unique fingerprint to verify their identity. It can be used to secure everything from mobile devices to automobiles, even buildings, making it the most widespread biometric authentication technology.

Eye Recognition: Eye recognition uses the unique pattern of someone’s iris or retina to identify them. Because this type of biometric authentication is harder to implement, it’s less common than the other types of biometric authentication options. An iris scan requires an infrared light source, a camera that can see IR, and minimal light pollution in order to ensure accuracy. Although it poses its challenges, it is one of the most accurate biometric authentication systems available when those conditions are met. Eye recognition is generally used in situations where security is most critical such as nuclear research facilities, etc.

Voice Recognition: Voice recognition uses the tone, pitch, and frequencies that are unique to an individual to authenticate them. This is the most commonly used biometric to verify users when they contact a call center for customer service support (for example, online banking)

Retina/Iris Recognition: Retina recognition, also known as iris recognition, uses the pattern of someone’s iris or retina to identify them. This type of biometric authentication is less common because it is harder to implement. It requires an infrared light source, a camera that can see IR, and minimal light pollution to ensure accuracy. However, it happens to be one of the most accurate biometric authentication methods when those conditions are met, so it’s typically used in situations where security is most critical (nuclear research facilities, for instance).

Gait Recognition: Gait recognition uses the way someone walks to identify them. Each person walks a little differently, so the way a person puts one foot in front of the other is an effective way to verify their identity. As of now, it’s not a common form of authentication, but it’s expected to become more common as future forms of authentication gain popularity.

Vein Recognition: Vein recognition uses the pattern of blood vessels in a person’s hand or finger to identify them. This type of biometric authentication uses infrared light to map the veins under the skin in your hands or fingers. Vein recognition is extremely accurate, more than retina/iris recognition.

Biometric authentication is used in almost every industry – from the financial sector and health care to retail, or travel. Due to the continuously growing instances of account takeover fraud, organizations need safe authentication and identification procedures more than ever.

Below you can find some examples of how these businesses are employing the use of biometrics to enhance the security and efficiency of existing processes.

Banking and Financial Sector

Security and authentication are vital in multiple industries, but especially in the financial sector. Financial institutions and banking organizations are integrating biometric authentication in their everyday operations to perform customer identification and for more rapid processing of user information.

According to research reported by Cision PR Newswire, almost 50% of the most appreciated mobile banking applications use biometric authentication.

Healthcare Sector

Healthcare facilities use biometric services to verify the identity of patients, to keep records so that whenever a person comes to the hospital their medical records can be accessed easily and rapidly by their doctor, to keep sensitive data secure, and to prevent mix-ups.

The stored information can be used to make sure patients receive the care they need, whether that means faster identification in emergency cases, better medical diagnosis, or averting medical mistakes.

Academic Sector

Biometric authentication can also be used in school management systems where keeping records of students’ and teachers’ attendance is an ordinary custom. It is beneficial because it also keeps evidence of students’ arrival and leaving time from school, and work hours for teachers. Automated record-keeping of student identities significantly improves educational activities.

Travel and Hospitality Sector

Select airlines and airports are giving their customers the option to check in to their flight using facial recognition. In the same way, hotels and hospitality businesses are starting to allow self-check-in using biometric authentication.

Businesses Around the World Use Biometric Services

Disney’s biometric fingerprint scanners. Disney has implemented fingerprint biometrics as part of its access system since 2013. Disneyland and Walt Disney World’s entry gates require all customers who are older than 3 to scan their entry tickets and place their fingers onto a scanner to verify identification.

Barclays biometric technology. Barclays was one of the first to develop one-touch fingerprint banking access and have since expanded their biometric approach to include voice-enabled biometrics. This system allows the financial institution contact center to identify customers from the first few spoken words.

Their voice recognition technology analyses each client’s unique voice to immediately check their identity, providing Barclays with a streamlined method of authorization, whilst creating a more powerful barrier of protection against fraudulent calls.

American Airlines facial recognition biometrics. American Airlines is one of the major airline companies successfully using biometric technology in the U.S. by creating a biometric facial recognition program that plans to streamline a client’s journey through the boarding process.

How Multi-factor Authentication (MFA) Works

Multi-factor authentication (MFA) is a multi-step account login process that requires users to enter more information than just a password. For example, along with the password, users might be asked to enter a code sent to their email, answer a secret question, or scan a fingerprint. A second form of authentication can help prevent unauthorized account access if a system password has been compromised.

Multi-factor authentication works by requesting multiple forms of ID from the user at the time of account registration. The system stores this ID and user information to verify the user for next login. The login is a multi-step process that verifies the other ID information along with the password.

We describe the steps in the multi-factor authentication process below:

Registration

A user creates the account with username and password. They then link other items, such as a cell phone device or physical hardware fob, to their account. The item might also be virtual, such as an email address, mobile number, or authenticator app code. All these items help to uniquely identify the user and should not be shared with others.

Authentication

When a user with MFA enabled logs in to a website, they are prompted for their username and password (the first factor, what they know) and an authentication response from their MFA device (the second factor, what they have).

If the system verifies the password, it connects to the other items. For example, it may issue a number code to the hardware device or send a code by SMS to the user’s mobile device.

Reaction

The user completes the authentication process by verifying the other items. For example, they might enter the code they have received or press a button on the hardware device. The user gets access to the system only when all the other information is verified.

Implementation of the process

Multi-factor authentication might be implemented in different ways. These are some examples:

  • The system asks for just the password and one more ID, called two-factor authentication or two-step authentication.
  • Instead of the system, a third-party application called an authenticator verifies the user’s identity. The user enters the passcode into the authenticator, and the authenticator confirms the user to the system.
  • During verification, the user enters biometric information by scanning a fingerprint, retina, or other body part.
  • The system may request multiple authentications only when you access it for the first time on a new device. After that, it will remember the machine and ask only for your password.

Zero-trust Security

Zero Trust is a security framework requiring all users, whether in or outside the organization’s network, to be authenticated, authorized, and continuously validated for security configuration and posture before being granted or keeping access to applications and data. Zero Trust assumes that there is no traditional network edge; networks can be local, in the cloud, or a combination or hybrid with resources anywhere as well as workers in any location.

Zero Trust is a framework for securing infrastructure and data for today’s modern digital transformation. It uniquely addresses the modern challenges of today’s business, including securing remote workers, hybrid cloud environments, and ransomware threats. While many vendors have tried to create their own definitions of Zero Trust, there are a number of standards from recognized organizations that can help you align Zero Trust with your organization.

About Author

megaincome

MegaIncomeStream is a global online resource for Business Owners, Marketers, Bloggers, Investors, Personal Finance Experts, Entrepreneurs, and Financial and Tax Pundits. MegaIncomeStream has attracted millions of visits since 2012, when it started publishing its resources online through its seasoned editorial team. The Megaincomestream is arguably a potential Pulitzer Prize-winning source of breaking news, videos, features, and information, as well as a highly engaged global community for updates and niche conversation. The platform has diverse visitors, ranging from bloggers, webmasters, students and internet marketers to web designers, entrepreneurs and search engine experts.