First, there were just usernames. Then came usernames and passwords. Then came multifactor authentication (MFA), which combines two or more factors: something you know, such as a username and password; something you have, such as a one-time password token; or something you are, such as biometrics using your fingerprint or a retina scan. Now frictionless identity and access management (IAM) is the "soup du jour" as companies work to make MFA more effortless for the end user. Many of the chief information security officers with whom I've spoken attribute the lack of MFA adoption in the enterprise and in web applications to the amount of friction it causes for the end user.
To address this friction-driven lack of MFA adoption, the Fast IDentity Online (FIDO) Alliance was formed to help bridge the gap, and vendors are quickly moving to implement its protocols. For example, Microsoft implemented the FIDO2 protocol in the spring 2018 release of Windows 10, allowing users to authenticate to Windows with FIDO-compliant hardware keys, such as the YubiKey and NXP, without typing a username and password.
As a follow-up to my previous post on the death of passwords in the enterprise, this post introduces new solutions that I've been researching for an upcoming Aite Group report on enterprise IAM solutions that remove passwords as a form of authentication.
One solution coming to market is Trusona, which focuses on a frictionless user experience while implementing both authentication and identity proofing. Trusona uses two-factor authentication that requires neither usernames nor passwords. The solution even performs remote checks of government-issued IDs: users take a photo of the back of their driver's license, the image is checked against government databases, and a selfie is matched against the government-issued ID on record.
What is interesting is how Trusona implements anti-replay technology. It records the exact on-screen coordinates where the user's finger lands when the user pushes a button in the app. These coordinates are hashed together with a nonce and sent along with the authentication attempt to Trusona's servers. If the Trusona server receives a second "replay" of this authentication with the exact same coordinates, it rejects the authentication.
It gets even more interesting when the user takes a photo of the ID and sends it to the Trusona verification servers via the app. The app records where the ID was held in front of the camera, the distance of the ID from the camera, the camera focus settings, and other values, which are likewise hashed with a nonce. If Trusona receives another authentication request carrying these same parameters, the authentication is denied. The Trusona technology is even frictionless for the administrator implementing it: integration is done through a software development kit that calls the Trusona cloud servers, so admins do not have to deploy any on-premises equipment or software.
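To make the anti-replay idea in the two paragraphs above concrete, here is a Python sketch added by the editor; it is not Trusona's code or protocol. The message layout, the per-device HMAC key, the rule that a repeat of the exact same tap coordinates is rejected, and the five-minute window are all assumptions.

```python
import hashlib
import hmac
import secrets
import time

DEVICE_KEY = b"constructed-device-key"  # constructed sample; assumes a key provisioned per device


class ReplayGuard:
    """Server-side memory of authentication fingerprints seen within a time window (assumed 5 min)."""

    def __init__(self, window_seconds=300):
        self.window = window_seconds
        self.seen = {}  # fingerprint -> time first seen

    def check_and_record(self, fingerprint, now):
        # Forget fingerprints older than the window so the store stays bounded.
        self.seen = {f: t for f, t in self.seen.items() if now - t < self.window}
        if fingerprint in self.seen:
            return False  # already used inside the window: treat as a replay
        self.seen[fingerprint] = now
        return True


def _message(user_id, tap_xy, ts, nonce):
    """Canonical byte string covering the tap coordinates, timestamp and nonce (assumed layout)."""
    return f"{user_id}|{tap_xy[0]}|{tap_xy[1]}|{ts}|{nonce}".encode()


def build_attempt(device_key, user_id, tap_xy, nonce=None, ts=None):
    """Client side: bind the tap coordinates to a fresh nonce with a keyed hash."""
    nonce = secrets.token_hex(16) if nonce is None else nonce
    ts = int(time.time()) if ts is None else ts
    tag = hmac.new(device_key, _message(user_id, tap_xy, ts, nonce), hashlib.sha256).hexdigest()
    return {"user": user_id, "tap": tuple(tap_xy), "ts": ts, "nonce": nonce, "tag": tag}


def verify_attempt(device_key, attempt, guard, now=None):
    """Server side: check integrity, then reject an exact replay or a repeat of the same coordinates."""
    now = time.time() if now is None else now
    msg = _message(attempt["user"], attempt["tap"], attempt["ts"], attempt["nonce"])
    expected = hmac.new(device_key, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, attempt["tag"]):
        return "bad_signature"  # coordinates or nonce altered in transit
    fresh_tag = guard.check_and_record(attempt["tag"], now)  # exact replay of a prior message
    fresh_coords = guard.check_and_record((attempt["user"], attempt["tap"]), now)  # same tap spot again
    return "ok" if fresh_tag and fresh_coords else "replay"
```

A genuine user is very unlikely to tap the identical pixel twice within the window, which is why a coordinate repeat is treated as suspicious even when the nonce is new.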
I recently had the pleasure of interviewing Nicole Culver and Arshad Noor of StrongKey on the latest episode of LeetSpeak. We discussed their solution, which implements public key infrastructure in web applications and encrypts data at rest and in transit. StrongKey even offers a hardware security module option in its appliances that eliminates legacy username and password authentication for securing web applications.
The fact of the matter is that with recent large-scale password breaches, such as the theft of 1 billion account usernames and passwords from Yahoo, the days of single-factor password authentication, both for authenticating employees to the enterprise Active Directory domain and for web applications, are quickly disappearing. With a new mélange of solutions in the growing IAM market that also support authentication across on-premises and cloud deployments (such as those from Okta, Trusona, StrongKey, and Duo), it's only a matter of time before hackers start going after the remaining laggards, who will make headlines in the next breach for failing to jump on the MFA bandwagon.