From passwords to biometrics and beyond: a brief history of authentication

At any given moment, millions of authentications are being performed around the world.

Most often, this means entering a password. More and more, however, authentication relies on biometrics or on a unique object specific to the user. And it’s not only humans who authenticate themselves: machines now authenticate on a massive scale, too.

How did it all start? And where does this lead us?  

In its simplest form, authentication is about proving a user’s identity. And the easiest way to do this is, of course, to agree on a “secret” shared between the user and the machine. This is the principle on which the tried and tested password is based, and the technique implemented by the first multi-user machines installed in universities. The first microcomputers, considered single-user machines, obviously did not need this.

But quickly, the password began to demonstrate its limits. What happens when a password is stolen? How can we be sure it cannot be easily guessed? What do we do when users choose weak passwords or forget them? 

To overcome these limitations, a whole market of dedicated tools has developed, from the password safe, which stores passwords securely on one’s computer, to Hardware Security Modules (HSMs), or electronic boxes that generate highly random passwords, through to Single Sign On (SSO) options that connect to different applications with a single password. Organisations started adopting these tools and developed their own policies around passwords.

As long as passwords remained within the walls of the company, it was still possible to manage a wide range of support solutions. But when the Web opened the floodgates, things became more complex: millions of users were able to access tens of thousands of online services, each asking for a password. Databases containing several million passwords could be stolen and identities could be usurped. And criminals were very quick to realise that, for the sake of convenience, Internet users sometimes reuse the same identifier, which exacerbates the problem.

In short, the Internet has clearly shown that the reign of the password is coming to an end.  

The end, really? Not exactly… Because the password still has two great advantages: its ease of use and its relative ease of implementation.

However, the Internet ecosystem has started to look for alternatives. With the advent of social networks, a few web giants have tried to propose a common authentication standard that would allow anyone with an account on a social network to authenticate on other websites: the principle of federating identities using standards such as OAuth. It doesn’t quite solve the problem, but it does benefit ease of use.

At the same time, multi-factor authentication, which is still considered one of the most effective means of strengthening passwords, has emerged. By sending the user a very short-lived validation code, a One Time Passcode (OTP), by SMS for example, we ensure that even if the password has been stolen, the attacker will not have access to the associated phone and will therefore be unable to complete the authentication process. This worked, until we realised that text messages were never designed to provide this kind of security. The industry now turns almost exclusively to validation codes based on time synchronization with the server, generated on a hardware device such as RSA SecurID or in software via a smartphone application.

Smartphone manufacturers have also (finally) managed to make biometric authentication available and usable for anyone by introducing fingerprint and face recognition. This made it possible to equip a large part of the population with a second, truly powerful authentication factor. The password is thus still present, but solidly reinforced by biometric authentication or a single-use validation code.

Progress has been made… 

But in all this history, the industry has mostly adapted on a case-by-case basis, trying to overcome the weaknesses of the password. What is still missing is a true modern authentication standard that is easy to use, reliable and accessible to all. This standard could well be FIDO (Fast Identity Online), developed since 2012 by a consortium of tech giants including Amazon, Google, Facebook, PayPal, as well as Visa and Wells Fargo.

FIDO’s objective is not to make the password disappear, as it is understood that passwords will always be useful, but to raise the other means of authentication to the same level of simplicity of deployment, in order to allow easy switching from one to the other. FIDO supports the use of passwords as well as biometrics (face and fingerprint), voice recognition and physical keys. Today, FIDO solutions enable strong authentication on a website or application at the touch of a button on a USB key inserted in the computer, while at the same time authenticating the service itself to protect users against phishing attacks.

Why is it so important to make all other authentication methods as easy to deploy as the password?  

Put simply, during all this time, things were changing incredibly rapidly: applications were increasingly migrating to the public cloud, the perimeter was gradually disappearing, and employees were increasingly working from unsecured networks with unsecured devices. Therefore, it no longer makes sense to have to choose a single authentication method. Companies must be able to adapt dynamically to the authentication context by taking into account the user’s identity in a broader risk analysis, in order to choose the right method at the right time.

The future of authentication is no longer in the methods themselves: the industry has made peace with the good old password and no longer intends to make it disappear at all costs, provided it has the choice! Rather, the future lies in the dynamic management of identities and authentication processes at the enterprise level, in a pragmatic way. Because yes, the password still has its place. Understanding this and using various other support mechanisms that enhance security is the new frontier.

About the Author

Hicham Bouali, Pre-Sales Director EMEA at One Identity, a specialist in identity and access management. One Identity helps organizations establish an identity-centric security strategy with Identity Governance and Administration (IGA), AD Account Lifecycle Management and Privileged Access Management (PAM) solutions. #SecurityStartsHere