Event Recording

George Fletcher: The Changing Landscape of Authentication


So as we get started today, I wanna take a quick look at some of the things regarding authentication and sort of where we're at today. We have the venerable password authentication method. We have codes sent to, you know, your, your phone or your email address, right? We're pretty used to that push notifications to an app on your phone. It's important to think and realize that users interact with many different kinds of authentication methods. And I have a few more, but other ones that I don't have, you know, images for are things like your Google authenticator app, right? That uses an underlying protocol called T OTP for time based one time passwords. And you know, that's another mechanism of authentication. There's other cases where you might receive a link in an email or a, a text SMS and you click the link and that gets you authenticated.
So there's lots of different authentication methods and for a user, right, they're interacting with these. And it's important to understand that users need to, to understand what's happening. So there's user education, but there's also an understanding of what makes sense for user at a given point in time. And we'll talk more about that as we go through this presentation, additional authentication methods, scan your QR code. I don't know how many people have connected their WhatsApp chat application to the, the laptop version, right? But you op you know, you open the lap, the app on the laptop, and it gives you a QR code. You open your WhatsApp on your phone, you scan the QR code, and it basically transfers authentication from the phone to the app on your laptop. And, you know, you've effectively authenticated. We have security keys. So I have one here, right. Might be visible. The Yubico security key. Right. I can use that as a second factor. I might be able to use it as a first factor. Works really great on my laptop where I can plug it in is pretty painful, even with NFC or lightning connector to connect it to my phone.
So, so these kinds of things all come into play. When we think about consumers in authentication and each different authentication method dictates a specific user experience, right? If I'm using a security key, you know, either a biometric one, or just a touch one like this YubiKey, you know, I have to touch it, right? There's a, there's a ceremony that goes with it. If I'm using a QR code, I have to scan it with my phone. If I'm entering a password, I either have to type it in, or I have to use my password manager to fill it for me. So each authentication method dictates a specific user experience. They all have unique attack vectors, right? So the one time code sent to your phone is susceptible to Sy swapping attacks or, or, you know, those kinds of attacks, a T O T P, which is effectively the same kind of one time password code is susceptible to a server side attack, right?
Because the, the algorithm uses a shared secret one on your phone, in the app, on your phone, and one on the server side, so that they generate the same code based on time. And so the attack vectors are different. And then, you know, as I briefly explained, different authentication methods can make more sense on different devices. So these are all things that sort of have to come into play. I wanna bring out one other thing. You, the last image here is, you know, sort of biometrics and looking at, you know, using the touch ID or a fingerprint sensor on your phone, or, or laptop as an authentication method. This is really tied into 5 0 2 and web a out of the w three C apple just posted on their blog, a whole article on how to leverage touch ID and face ID on the web. And so biometrics are coming into play.
The other really interesting announcement in the last couple of weeks has been Amazon one. And I don't know how many other people saw that blog post, but effectively it's a Palm vein reader, right? So you walk into the whole food store, whatever, and you can just put your Palm over the, over the scanner and it will identify you connect you to your account, right? Charge your credit card on file. All of that stuff. Now, biometrics have some really interesting, you know, security related properties and they have to be taken into consideration when leveraging them as authentication methods, right? You don't want a biometric of a user, both from a privacy perspective and from a security perspective to be compromised because it's generally something the user can't change. And one other aspect of biometrics that I think is really interesting, and there's a number of efforts going on in this space, and that would be behavioral biometrics.
And we do this, you know, on the machine learning AI side of fraud detection. And is it the real user? We do this all the time from a behavioral perspective, but from a device perspective, how I hold my phone, how I scroll, how I tilt it, those are all things that tend to be unique to me. And if I can keep that biometric on the device, but send up a sort of confidence score as to how likely it is. I think it's the real user that can be a really strong signal in your authentication flows. So I wanted to make those points about biometrics.
So the other aspect we have here is that there are different kinds of authentication flows. So in the sense of where are we today, right? We have all these, we have a plethora of authentication methods and we have, you know, different kinds of authentication flows. And this is not exhaustive again, but, you know, we have our sort of single factor authentications. We have, you know, a true sort of multifactor authentication like a password. Plus one of those security keys, you might have a step up authentication. We have, how strong is the authentication, right? So if you look at the N spec, there's different levels of authentication. All of these things come into play and they lo largely come into play in the context of what kind of a service are you providing to the user? What's the risk to the user of compromise. These kinds of things come into into consideration when we're looking at what kinds of authentication flows we want the user to go through, obviously from an identity perspective, there's many other flows, but we're really sort of focused in, on authentication today.
So for a user, you know, what does this end up looking like? Right. Well, in reality, I might go to my desktop and get presented with a password, right? And that may work fine. I have a keyboard easy to type, right? If I get presented with a password on my phone, right? That's a little more problematic, a little harder to type in, you know, and, and the integration of iOS and Android of password managers is largely there to help users get through that process. But most people, I think have more than a single device, right? They may have a laptop in a phone or a tablet, or, you know, maybe they have a phone, but they go to the library or a internet cafe and use a device there. And so the, the journeys that a user goes through, oftentimes from an identity perspective, we treat them as all the same, right?
It's the same, it's the same authentication method. I'm going to show you no matter what device you're on, no matter what activity you're trying to perform, any of those kinds of things. And I think this ends up becoming problematic for a user, as I gave the example with my YubiKey security key, right? This is an awesome authentication factor on my laptop. And it's a big pain when I have to do it with my phone, I do actually have one of these that has a USBC and a lightning connector on either end of it. And I do plug it into my phone from a security perspective, but it's a hassle. And so we need to get out of the model of treating all of our identity flows across every device. Exactly the same. So that's sort of a segue into where do we need to be?
Well, we should be looking at authentication experiences that are delightful, right? That actually the user connects with, right. We need to tailor them to be for the individual and the device. We've had a number of experiences where users may opt into a particular authentication method, say a push authentication method to an app on their phone, and then realize they actually don't like it, right? They don't, you know where however it is, they're interacting with the, the service, their phone might not be nearby. And so getting up to get their phone to answer the push notification is actually a hassle and they may rather type in their password. Right? And so for that individual on that device, a different authentication method may be the better choice we need to basically ensure that whatever authentications we're doing is, is commensurate with the risk of the activity of the user. Obviously, if I'm, you know, accessing my financial records, the authentication probably needs to be stronger than if I'm leaving a comment on, you know, a news article. So, so we need to personalize our authentication experiences, which means we need to understand the user better.
So these factors then that come into play are risk, right? What's the user trying to do, what's the con context, right? What's the user's device, you know, in, in an enterprise world, you would look at endpoint management or security. But I think even in a, in a consumer world, right, if you can know that the user's phone is not rooted, that's an actually pretty important signal. And if it is rooted, right, that's another in signal, in the sense of what kind of authentication you may want to challenge that user with, right? Where are they coming from? Is it a normal place? You know, are they logging in one? You know, the classic example we give from a backend fraud detection perspective is right. One minute they're logging in from the us the next minute they're logging in from checklist Slovakia, right? And the, you know, the likelihood that that's really the same person is very small, but those kinds of contextual factors are important in how we think about presenting an authentication journey for the user.
And then, you know, continuous authentication or session confidence is also an important factor, right? If you think about this in the context of step up authentications, you know, I logged in maybe with a, a simple password to leave a comment on a news article. And then I transition to my financial service and, you know, I get a step up authentication because, you know, they want effectively a stronger authentication for the user. So those things come into play. So all of these are factors, again, not an exhaustive list, but important factors to consider when you're building authentication journeys. Right? So we are thinking about what are the, what are the requirements for the authentication journey to keep it secure private commensurate with the risk, and how do I make it personalized for the user so that it gives the user the best experience in getting through that authentication sequence in order to get access to the service they're looking for.
So for us on the technology side, right, we need new understanding. How do we understand the user in a way to know, to be able to provide them that, that simplified that delightful in context experience, right? And so we need contextual factors. We need user preferences. We need behavioral understanding of the user in order to provide that. And I'm not gonna spend much time on this new math for ensuring recovery flows or equivalent to authentication. It's a very important point. You must consider recovery as just another authentication event. And, and that's super critical if you, you know, if the user opts into, you know, two-factor or two-step verification on login, but they can recover their account by sending a code to their phone. Right. There's a big problem there, right? Cause those are not equivalent authentication events. It, you know, two, two factors versus a single factor. So I did give another talk at another Casey live event earlier this year that looked at vectors of identity and a model. You can go find that talk, and there's a lot more information on this concept of new math. All right. So, oh, my apologies.
Hit the button too much. Okay. So what could this look like in regards to a user? Right. And I won't go through all of these, but the concept here is really that Alice's experience on a desktop can be different than Bob's experience on a desktop, which can be different from Eves, right? They may each have a particular preference. And when that same user moves to a different device, the, their preferred authentication method could change, right? So password or, or something, you know, or security key on a laptop fingerprint, you know, using web off end as a single factor on a mobile device. So these are the, the, the kinds of changes that happen, right? What's the best authentication method for the user on that particular device. And again, if you're talking about TVs, right, the experience changes right. Entering a password on a TV is really difficult, right? Scanning a QR code with an already authenticated app. That's probably gonna work a lot better. And you can think about other authentication methods for IOT devices and things like that. So this is sort of where we want to be. We want to craft the user journeys to be specific to that user, the experience or, or the activity they're trying to perform.
I am apologize for my inability to hit the buttons the correct way. So we've talked a lot about this, right? The, we need a better understanding of users. That means we need to actually collect some data about the users. What kinds of devices do they use? Where do they normally come from that an environmental context, right? Do we, how do we sort of map that against normal user behavior? So this is this, I'll get to, you know, the elephant in the room about this in a minute, but to really craft a delightful authentication experience for a consumer, we must have a better understanding of users. And then how do we choose that best authentication method? And that is basically, you know, we need to look at risk. We need to look at what authentication methods has this user used on this particular device. They may never have used a biometric on their laptop.
So may not be a good idea to offer them that, right, which authentication method meets the risk requirements, which is the easiest for the user on the device. And, you know, which has the highest authentication strength. So if you get down to the end and you have two authentication methods, always choose the one that has a higher authentication strength. So the elephant in the room, or at least the way I think about it is really the privacy angle. And, you know, GDPR calls out that, you know, data can be collected for the purpose of securing the user, protecting against fraud, those kinds of things. I think most users actually want the system to provide them a, a delightful authentication experience and keep them secure. But that does mean that the identity platform has to collect this information. And if you want to opt out of that experience, right, then you're going to have a much more friction, full authentication experience. And you could sort of try this yourself, right? Every time you go to login to Google, open a different browser, clear every single cookie and use an IP address you've never used before, right? You will get a different experience than when you do that on a regular basis from the same place.
So just some final thoughts as we wrap up, hopefully the message has been clear, right? We need to tailor the user experience for the specific user and the device that user is using. At this point in time, we need to incorporate the concepts of risk, right? What is the user doing? You know, why do I have to challenge the user for, you know, a multifactor authentication when all they want to do is leave a comment and then we need to evaluate our authentication methods in this concept of what is the best one for the user at this particular time, for this particular activity, while still meeting all of our security and risk requirements. So with that, I'll finish up. I realize I'm a couple minutes over. I apologize for that. I will be available after in a speaker room.

Video Links

Stay Connected

KuppingerCole on social media

How can we help you

Send an inquiry

Call Us +49 211 2370770

Mo – Fr 8:00 – 17:00