First, there were just usernames. Then came usernames and passwords. Then came multi-factor authentication (MFA), which requires something you know, such as a username and password; something you have, such as a one-time password (OTP) generator token; or something you are, such as biometrics using your fingerprint or retina scan. Now, frictionless identity access management (IAM) is the "soup de jour" as companies work to make MFA more effortless for the end-user. Many of whom I've spoken to attribute the lack of adoption of MFA in the enterprise and in web applications to the amount of friction it causes for the end-user.
For example, the FIDO 2 protocol has now been implemented by Microsoft in the latest Spring release of Windows 10, allowing users to use FIDO compliant hardware keys, such as the Yubikey and NXP to authenticate with Windows without having to type their username and password.
As a follow-up to my previous article on the subject of the death of passwords in the enterprise, this article introduces new solutions that I've been researching for an upcoming Aite Group research paper on IAM in the enterprise that removes passwords as a form of authentication.
Some of these solutions coming to market, include Trusona, which focuses on frictionless effort for the user while also implementing both authentication and identity proofing using password-less two-factor authentication where no userID and password is required -- not even the requirement to type it. Trusona even goes as far as implementing ID proofing by performing remote government issued ID checks that allows the user to simply take a photo of the back of their drivers license for example, that is then checked against the government bureau databases and also performs a selfie photo match with what's on record.
Where it gets interesting is how Trusona implements anti-replay technology recording the exact coordinates on the screen of where the user's finger is placed when the user pushes a button in the app. This is then hashed and nonced and sent with the authentication attempt to Trusona's servers. If the Trusona server receives a second "replay" of this authentication again with the same exact coordinates, it prevents the authentication from occurring.
It gets even more interesting when the user takes a photo of their ID and sends it to the Trusona verification servers via the app, which records the ID's X and Y coordinates of where the it was held in front of the camera, the distance of the ID from the camera, camera focus settings, and other values, which is also then hashed and nonced. If Trusona receives another authentication request using these same parameters, the authentication is denied.The Trusona technology is even frictionless for the administrator implementing it, enabling easy integration through an SDK that calls the Trusona cloud servers preventing admins from having to implement any on-prem equipment or software installations.
I recently also had the pleasure of interviewing both Nicole Culver and Arshad Noor of StrongKey in my most recent episode of LeetSpeak, where we discussed their solution that implements PKI into web applications that also provides data at rest encryption, encryption in transit, and even a hardware security module (HSM) option in their appliances for securing web applications that also eliminates legacy username and password authentication.
The fact of the matter is, with recent large-scale password breaches such as what happened at Yahoo where 1 billion account usernames and passwords were stolen, the days of single-factor authentication via passwords both in the Active Directory domain in the enterprise to authenticate employees and web applications are quickly disappearing and becoming a thing of the past. With a new melange of solutions in the growing IAM market, such as those from Okta, Trusona, StrongKey, and Duo that also support authentication across on-prem and cloud deployments, it's only a matter of time before hackers start going after the remaining laggards who will make the headlines in the next breach for failing to jump on the MFA bandwagon with these new solutions.
About Alissa Knight
I am a senior analyst with Aite Group where I perform focused research into cybersecurity issues impacting the financial services, healthcare, and fintech industries through the assessment of sector trends, creation of segment taxonomies, market sizing, preparation of forecasts, and developing industry models. I provide these industries a combination of syndicated and bespoke market research, competitive intelligence, and consulting services in the cybersecurity market through unbiased, objective and accurate research and content development. Out of my research into the contemporary cybersecurity issues affecting these industries today, I produce research reports and white papers, as well as provide advisory services that include inquiries, briefings, consulting projects, and presentations on study findings as well as bespoke speaking engagements where I often keynote at cybersecurity conferences, seminars, and roundtables annually.