Why Passwords Will Cease To Exist

by Sohini Bagchi    Apr 01, 2015


Given the nature of cyber threats today, every organization is concerned about its safety in cyberspace. In such a scenario, a mere username-and-password login, or any single-factor authentication system, is not enough. Organizations that opt for multifactor authentication, which requires additional credentials beyond username and password to gain access to an application, site, or data, are in a much more secure position to fight the myriad cyber threats that crop up daily. In a recent interaction with CXOtoday, Tarun Wig, Founder, Innefu Labs, a product-based information security company, discusses the various facets of multifactor authentication and how passwords will cease to exist in the coming days.

Need for multi-factor authentication

Wig mentions a case from the Delhi Police, which was working with a client in Canada on a very large project in which invoices were usually cleared within one month of delivery. In this particular case, however, an invoice of $1.5 million was not cleared in the stipulated time. When the client was reminded, it replied that the invoice had been cleared almost fifteen days earlier. Investigation uncovered a separate mail trail containing requests to change the bank accounts for ‘auditing’ purposes. Strangely, even though the mails had come from the same mail ID, they had never originated from any of the systems inside the organization. A hacker had broken into one of the accounts and sent a couple of mails requesting a change of bank accounts. Wig says a simple hacked account had cost the company $1.5 million.

There are several such instances today, in a world where email is the primary means of communication and accounts can be accessed from anywhere through different devices. According to a public service announcement released by the Internet Crime Complaint Center (IC3), between October 1, 2013, and December 1, 2014, there were nearly 1200 US and a little over 900 non-US victims of scams in which business emails had been compromised.

Wig believes that despite such gruesome cyber crime, most IT assets in use today have only simple protection in the form of username and password validation. This includes access to mail IDs, social networking accounts and critical web applications, among others. “This single factor of authentication can be easily compromised leading to the most prevalent form of cyber crime present in the world today,” he says.

Is the password dead?

According to Wig, companies should look beyond passwords to secure users and their data. Even encrypted passwords are stolen in many cases. “Anything from your bank account to your social media account that you access simply by typing a password into a computer or mobile device is not as secure - doesn’t matter how sophisticated that password may be,” he says.


It has been proved time and again that methods that verify one's physical identity, such as biometrics and face recognition, are the most secure. Unfortunately, most third-party applications do not have provisions to authenticate users with these systems.

As a powerful alternative, identifying the user by virtue of a device registered to him is becoming the most prevalent authentication mechanism today. It authenticates the user based on a device in his possession. Most popular sites, such as Gmail, Facebook, Twitter and Amazon web servers, provide integration steps for this factor of authentication, making it the most convenient and interoperable second factor of authentication. As long as the user possesses his device, his account cannot be hacked.

Challenges in the process

A big challenge was to integrate the solution with applications which do not have inbuilt mechanisms available for integration. “While this is a problem with companies, especially small businesses, with the recent R&D efforts it has now become possible to integrate this factor of authentication with almost any applications such as Microsoft Exchange, SAP to name a few,” says Wig.

“We have developed a unique Multifactor Authentication solution which integrates second factor of authentication using a protocol decoding mechanism. This is a patent pending technology which integrates two-factor authentication at a protocol level rather than integrating the solution at client end interfaces. The integration at protocol level ensures that AuthShield can be integrated in even those applications which do not inherently provide support for the same,” he says.

Road ahead

The nature of multi-factor authentication will continue to change, and organizations will accordingly have to come up with more innovative strategies, believes Wig. The company is planning to establish a wide network of channel partners in South Asia and is foraying into the Bangladesh market soon. On the technology side, Wig states that Innefu Labs will venture into biometric authentication by March 2016.

According to him, this may take some time, as the technology itself will take years to stabilize and become interoperable. However, the company plans to introduce a low-cost biometric chip and integrate it across several devices. This in turn will increase the pace of adoption of this technology, he sums up.