Raising the Security Bar on User Authentication

The advantages of passwords are well known by now: Simplicity, portability, low cost. But the reality is that modern cloud and enterprise applications are so highly vulnerable to malicious attack that two-factor authentication, a second layer of security, has become a de facto requirement. (If you don’t believe me, then perhaps you might ask John Podesta what he thinks.) And yet, so many existing on-line, Internet, mobile, cloud, and enterprise systems and services continue to neglect this fundamental control, despite the multitude of compliance regulations put into place to enforce its use. Without stronger forms of authentication, experts agree that continued break-ins, leakage, and even destructive attacks are likely to occur. I wanted to dig into this topic more deeply, and so I asked my good friend Dug Song, CEO of Duo Security, and one of the world’s leading experts in authentication technology, to share his unique insights.

EA: Dug, do you still use passwords for any of the services you personally use on a daily basis?

DS: Yes, but with some modern coping mechanisms. As you know, every service still defaults to password-based logins, and this is a problem because passwords must be hard for attackers to guess, but easy for users to remember. This presents a basic compliance defect – namely, something that is hard to follow and impossible to enforce. Nevertheless, there are techniques now that can help make them safer and easier. Password managers, for example, like LastPass or Dashlane help users cope with this complexity, but the burden remains to find and use such tools, which are protected, by the way, with a single master password. A more powerful trend involves the open interoperability standards that reduce the number of logins and simplify identity management. OpenID, for example, enables Websites to federate the login credentials of consumers from their Google, Facebook, Twitter accounts. Similarly, enterprise single-sign on via SAML or OIDC is a common technical approach; it’s implemented on the Duo Security platform. So with these new single sign-on and federated approaches, the days of having separate passwords for every application will quickly fade away. To paraphrase Mark Twain: It’s better to put your eggs in one basket, but you have to watch that basket!

EA: How about introducing additional factors? Isn’t that really the best way to make user authentication more trusted?

DS: Yes, and the most common approach involves establishing a level of trust in the device being used. Enabling Web applications, for example, to "remember such-and-such computer for some number of days," and to not require password login each time that application is being used, is both convenient for users and better for security. This works best if the trust enablement can be established for devices to properly audited and HTTPS-protected services, and if logins are disallowed from unknown or unsafe devices, so that stolen passwords are useless to an attacker with an untrusted device. Some consumer services already alert on new devices being used to log in to an account, but newer enterprise platforms such as Duo's can actually stop them based on device identity or security profile. And this brings us to the strongest method, which involves two-factor authentication. Wearing a belt and suspenders might be out of style and redundant for your pants, but on the Internet, requiring a second factor of authentication is essential. Increasingly, users understand the need for this from their consumer experiences, such as when they use a credit card at a gas station pump requires the entry of a zip code. Choosing services that at offer two-factor authentication is for me – and I hope is for everyone reading this interview, like choosing restaurants based on the cleanliness of their environment. Two-factor authentication should be viewed as evidence of operational excellence and good hygiene.

EA: This sounds great coming from a security expert. But are you actually seeing greater adoption of two-factor authentication across the spectrum of users and business?

DS: For decades now, two-factor authentication (2FA) was limited to protecting only the most privileged accounts for only the highest-risk applications in large enterprises, banks, hospitals, and governments. It was essentially “security for the one percent.” But today, 2FA (also known as two-step verification) has become mainstream. At Duo, well more than half of our thousands of customers are green field buyers who have never deployed 2FA before, and nearly all end up deploying to their entire user population, not just admins. With high-profile public breaches since 2010 affecting so many industries, more buyers are driven by tangible risk, rather than just compliance. Cloud and mobile have led the way for 2FA adoption not only by allowing for rapid deployment and global scale – including the removal hardware – but also by allowing for better user experiences. For instance, Duo can enable users to complete their corporate logins with a tap or fingerprint swipe of their smartphone or smartwatch – something unthinkable just a few years ago.

EA: In the enterprise, why do you suppose the regulatory and compliance bodies haven’t been more aggressive in demanding stronger authentication?

DS: As the technology landscape sees vendors like Google, Apple, and Microsoft bake more security into their systems, broad security initiatives like 2FA become possible in ways regulators never dreamed of. We should therefore expect to see not just more, but better requirements emerge for strong authentication, driven by these innovations in the market. And this is also enabled by the growing adoption of smart phone usage. For example, back in 2009, only 18% of Americans had a smartphone. Since that time, massive adoption has enabled security in ways we’ve long been waiting for, including local biometric authentication, hardware root of trust, secure boot, secure crypto co-processing, secure software distribution and signing, hardened operating systems, and remote attestation. Further good news is that mobile devices themselves are becoming more secure. It takes about a million or a federal court order to break into an iPhone today, and it’s only going to get harder. The latest revision to NIST’s federal electronic authentication standard (NIST 800-63) reflects this, as it does away with prescriptive technologies to focus on the characteristics of authentication that define different levels of strength.

EA: Some pundits continue to claim that two-factor authentication is still too burdensome and will never reach mass adoption. Do you agree?

DS: Tens of millions of Touch ID-enabled iPhone users would disagree. And it won’t be long before laptop and other device are employing similar controls. The real opportunity in 2FA is to enterprise-enable the new generation of consumer security technologies that have been designed for usability. We’ve gone from telephony to push notifications as smart devices have been adopted en masse by consumers, thus offering a better option for 2FA than tokens. Duo was the first vendor to support new security hardware either in smartphones or standalone, such as U2F tokens from Yubikey. We have always been committed to delivering a future-proof cloud-based authentication service, not just a specific form of authentication, which is how we believe organizations need to keep up with new innovations, and changing user expectations. Our goal is to help customers learn how frictionless a user-facing security control can be. It’s not only the largest, or fastest-growing companies in the world that are seeing success with 2FA. We have federal customers for whom full-scale deployment, sometimes performed in a day or so, to large groups of users with modest technical skills will produce, only tiny numbers of help desk tickets.

EA: There has been some stir around adaptive, contextual authentication. What is this exactly?

DS: There are many ways to authenticate, some with higher confidence than others. Banks, for instance, whose job it is to know their customer, were the first to adapt authentication techniques to situational risk for customers at scale. This could mean a teller calling to complete a wire transfer over a certain amount, or requiring a faxback authorization. These were discrete policies applied to govern the risk of specific threats to the business. But in the hands of IT security vendors, this turned into what Jerry Brady, Global CISO at Morgan Stanley, has called the "mystery meat of authentication" – namely, loads of alpha-weighted authentication criteria merged into a composite risk scoring equation, with a step-up to a stronger authentication method, based on fairly arbitrary thresholds. If it sounds complicated, it is. And you can only imagine how users react to inconsistent login experiences, and admins to non-deterministic access controls. We’ve learned over the years at Duo Security that if you design security to be adopted, you must aim to make things intuitive, elegant, and understandable. Security should frustrate attackers, not users. Integrating multiple security criteria for access control doesn’t need to be mysterious. Most organizations understand how they’d like to enforce access; we just need policy frameworks that make this easily manageable, and implementable at scale. We call our take on this Trusted Access, which involves providing simpler, more powerful access controls that are user, device, and location aware, to govern access to any application.

EA: Do you see a day when we basically no longer must remember passwords and where the systems we use provide intelligent authentication without our having to do much more than just show up?

DS: Yes, the Holy Grail is possible, but we have to be vigilant in how we engineer privacy along the way. Authentication still needs to be different than identification, even if done automatically or we’ll end up with surveillance programs that mishandle user identities. The difference between authentication and identification is user consent and intent. Authentication requires users to prove identity in ways that can be jointly managed. For example, I can change my password, and I can choose what devices provide a claim to my identity. But I cannot change my mother’s maiden name, the places I’ve lived, date of birth, or my fingerprints, all of which were stolen by attackers in the massive breach at the Office of Personnel Management, affecting so many Americans. Authentication will only get easier and more convenient over time, but I don’t believe we’ll ever completely get rid of passwords, or want to - we’ll just get down to our favorite one.