From the Greek word authentikos, authentication (the act of verifying an identity) continues to evolve. Depending on the context, authentication might involve validating a person’s identity through identity documents, verifying the authenticity of a website with a digital certificate, determining the age of an artefact by carbon dating, or ensuring a product is genuine.
For decades passwords have been the most popular mode of authentication when accessing computing resources, including applications and data. However, in recent years their effectiveness has been called into question given their susceptibility to phishing, brute-force attacks and insider threats.
Today, it is widely recognised that passwords alone, even when combined with multifactor authentication, are not enough to secure users, networks and systems.
While passwords were meant to protect systems and users from internal and external threats, they have become more of a cybersecurity problem than a solution in 2024. Passwordless authentication has evolved since the 1980s, starting with dynamic one-time passwords held by physical fobs.
The passwordless journey
Johan Fantenberg, principal solutions architect for APJ at Ping Identity, acknowledges the challenge organisations will face implementing passwordless authentication. For one thing, users’ trust in the new technology is a key barrier, he commented, adding that users are used to viewing passwords as a form of security.
“Due to the complexity of passwordless solutions, they may find it hard to trust them,” said Fantenberg. “There is also a challenge in educating the general public before organisations can fully implement it.”
“The benefits of biometric authentication might be overshadowed by how well users trust biometrics technology. Users will only start to see the benefits such as its ease of use when they trust the technology.”
Johan Fantenberg
He posits that the way to start the journey is to understand at the group or enterprise level that passwordless solutions are viable and can be adapted and customised.
“It is crucial to be updated on the latest developments in the enterprise application landscape to adopt identity controls,” he advised. “Secondly, organisations need to integrate and onboard that with existing applications. Organisations need to have a well-thought-through plan and execute it in steps.”
AI in authentication
The sophisticated capability of generative AI (GenAI) poses significant risks in the area of cybersecurity. Already GenAI is being used as part of advanced impersonation techniques with AI crafting emails that closely mimic legitimate sources.
“AI and machine learning (ML) give us the capability to analyse and assess user-related signals and analyse those signals in real-time to decide what we need to inject for authentication,” said Fantenberg.
GenAI is being used in the production of varied and dynamic phishing to bypass static security filters. On the positive side, Fantenberg says AI is complementing the capabilities of passwordless solutions by managing risks associated with signals.
“AI might also be used to detect deepfakes and used to verify that these are genuine people using biometrics to authenticate and authorise access. At the same time, bad actors are also leveraging AI and ML,” he continued.
Fantenberg posited that with the speed of attacks coming in, it has been hard for humans alone to analyse them and apply mitigation controls. He believed AI is useful in classifying attacks, tailoring responses in real-time, and looking into patterns never seen before.
“Another area AI and ML can help is to look at patterns and close the gap from detection to response,” he continued. “AI can also play an important role in the recovery from an attack by finding out where an identity was compromised and in what way.”
Passwordless trends
Fantenberg is certain that AI and ML-driven capabilities are reducing the need for direct human and user interaction apart from presenting one's identity, which is where we see the increase in the uptake of decentralised identity and digital identity wallets.
He points out that organisations need to consider verifiable credentials and allow people to carry cryptographically asserted facts about themselves that can be presented online, person to person and also when interacting with a machine.
He cited the European digital identity program, eIDAS (electronic identification and trust services), as groundbreaking in this regard, allowing for cross-border authentication.
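To make the two paragraphs above concrete, here is an added example of the verifiable-credential pattern Fantenberg describes: an issuer signs facts about a holder, the holder presents them to a verifier together with a fresh proof that it controls the key the credential names, and the verifier checks everything before accepting a single claim. This is illustrative code written for this article, not Ping Identity's software, not an eIDAS implementation and not the W3C Verifiable Credentials data model; the JSON layout, the issuer names and the `TrustStore` type are constructed for the example, and Ed25519 over canonical JSON stands in for whatever signature suite a real deployment would use.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Credential: facts an issuer asserts about a holder, bound to the holder's public key.
// Hypothetical layout for this example, not the W3C VC data model.
type Credential struct {
	Issuer  string            `json:"issuer"`  // looked up in the verifier's trust store
	Subject string            `json:"subject"` // holder's Ed25519 public key, base64
	Claims  map[string]string `json:"claims"`  // the asserted facts, e.g. over18=true
	Expires int64             `json:"expires"` // Unix seconds
}

// SignedCredential carries the issuer's signature over the canonical JSON of Credential.
type SignedCredential struct {
	Credential Credential `json:"credential"`
	Signature  []byte     `json:"signature"`
}

// Presentation is what the holder hands to a verifier: the credential plus a
// proof of possession of the holder key, computed over the verifier's nonce.
type Presentation struct {
	Cred      SignedCredential
	Nonce     []byte
	HolderSig []byte
}

// TrustStore maps issuer names to their public keys (constructed for this example).
type TrustStore map[string]ed25519.PublicKey

// GenerateKeys returns a fresh Ed25519 key pair.
func GenerateKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// IssueCredential signs claims about holderPub. encoding/json sorts map keys and
// keeps struct field order, so the marshalled bytes are a stable signing input.
func IssueCredential(issuer string, issuerPriv ed25519.PrivateKey, holderPub ed25519.PublicKey,
	claims map[string]string, ttl time.Duration, now time.Time) (SignedCredential, error) {
	c := Credential{Issuer: issuer, Subject: base64.StdEncoding.EncodeToString(holderPub),
		Claims: claims, Expires: now.Add(ttl).Unix()}
	payload, err := json.Marshal(c)
	if err != nil {
		return SignedCredential{}, err
	}
	return SignedCredential{Credential: c, Signature: ed25519.Sign(issuerPriv, payload)}, nil
}

// Present binds the credential to a verifier-chosen nonce, so a captured
// presentation cannot be replayed against a later challenge.
func Present(sc SignedCredential, holderPriv ed25519.PrivateKey, nonce []byte) Presentation {
	msg := append(append([]byte{}, nonce...), sc.Signature...)
	return Presentation{Cred: sc, Nonce: nonce, HolderSig: ed25519.Sign(holderPriv, msg)}
}

// Verify checks issuer trust, issuer signature, expiry, nonce freshness and the
// holder's proof of possession; claims are returned only if every check passes.
func Verify(p Presentation, trusted TrustStore, expectedNonce []byte, now time.Time) (map[string]string, error) {
	issuerPub, ok := trusted[p.Cred.Credential.Issuer]
	if !ok {
		return nil, errors.New("untrusted issuer")
	}
	payload, err := json.Marshal(p.Cred.Credential)
	if err != nil {
		return nil, err
	}
	if !ed25519.Verify(issuerPub, payload, p.Cred.Signature) {
		return nil, errors.New("issuer signature invalid: credential altered or forged")
	}
	if now.Unix() > p.Cred.Credential.Expires {
		return nil, errors.New("credential expired")
	}
	if !bytes.Equal(p.Nonce, expectedNonce) {
		return nil, errors.New("nonce mismatch: possible replay")
	}
	holderPub, err := base64.StdEncoding.DecodeString(p.Cred.Credential.Subject)
	if err != nil || len(holderPub) != ed25519.PublicKeySize {
		return nil, errors.New("malformed subject key")
	}
	msg := append(append([]byte{}, p.Nonce...), p.Cred.Signature...)
	if !ed25519.Verify(ed25519.PublicKey(holderPub), msg, p.HolderSig) {
		return nil, errors.New("holder proof invalid: presenter does not hold the subject key")
	}
	return p.Cred.Credential.Claims, nil
}

func main() {
	issPub, issPriv := GenerateKeys()
	holPub, holPriv := GenerateKeys()
	now := time.Now()
	cred, _ := IssueCredential("example-issuer", issPriv, holPub, map[string]string{"over18": "true"}, time.Hour, now)
	nonce := []byte("verifier-chosen-nonce") // constructed; a real verifier draws this at random per session
	claims, err := Verify(Present(cred, holPriv, nonce), TrustStore{"example-issuer": issPub}, nonce, now)
	fmt.Println(claims, err)
}
```

The design point worth noticing is that the verifier never sees a password or contacts the issuer online: trust comes from the issuer's public key in its trust store, the holder's control of the subject key is proven against a per-session nonce, and a credential copied from one device is useless without that key. The same checks reject a credential with an altered claim, an expired one, and one from an issuer the verifier has not enrolled.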
Click on the PodChat player and hear in detail Fantenberg’s perspective on how machine learning and artificial intelligence may be influencing the evolution of authentication.
- What are the different types of authentication that have the potential to displace or augment current password methods?
- Set a baseline: What is passwordless?
- What are the challenges with going passwordless?
- How do you address concerns about the feasibility and practicality of implementing passwordless security solutions across different industries and sectors?
- Is there a role for AI in the passwordless security marketplace?
- How should CISOs incorporate AI-embedded practices and technologies to enhance their security posture?
- Can you cite examples of passwordless authentication?
- You mentioned FIDO 2 Alliance early on.
- Cost of deploying passwordless authentication technology.
- Looking ahead, what trends do you foresee shaping the future of cybersecurity, particularly in the realm of authentication and access management?