Authentication Trends For 2017

A look back at 2016 and predictions for 2017 for the main authentication methods

UNLOQ
Dec 29, 2016

It’s that time of the year again. It’s time for next year’s predictions on security and emerging technologies. 2016 was yet another year in which cyber-crime reached new heights, topping the previous year’s portfolio of threats.

The increase in hacktivism, new technologies and minuscule security budgets for companies create the perfect storm for more sophisticated threat mechanisms.

One thing is for sure, though: this storm, in turn, led to an increase in awareness regarding cyber-security threats and methods of mitigating these threats.

Companies realized that by going with the same security strategies, they can’t expect different results. Their inability to influence the course of cyber-crime within the organisation is a clear indicator of this need for change. At most, the lucky ones were able to slow down and even redirect the attacks, but not stop or significantly reduce them.

2016 was a good year for cyber-security awareness. Governments and companies finally acknowledged its importance and started allocating funds for data protection.

CISOs have moved towards a more proactive approach regarding cybersecurity and are focusing on areas within their control. Their top initiatives in 2016 (in the US) are:

Source: 2016 Deloitte-NASCIO cybersecurity study

With a total of 29% of US CISOs concentrating on Identity and access management (IAM), the top position in their priority list is taken by Multifactor authentication, with 77%. Threats targeted at employees, such as phishing, pharming, social engineering and ransomware, are the ones that most concern CISOs.

Source: 2016 Deloitte-NASCIO cybersecurity study

Although IAM is a top priority, CISOs continue to face a series of barriers when implementing IAM solutions within the company, including costs, legislation and company priorities.

Authentication trends for 2017

Gartner defines “user authentication” as the real-time corroboration of a person’s claimed digital identity with an implied or notional level of trust.*

The user authentication market includes several types of products and services, which enable the implementation of a variety of authentication methods that aim at accompanying or removing altogether the classic password-based systems.

The 3 main authentication methods are:

  • Single factor authentication (through passwords)
  • Two factor authentication
  • Multi-factor authentication

1. Single factor authentication (SFA)

The most common form of single factor authentication is password-based authentication. Passwords have been around since the early days of computing, about 55 years now.

A password is an unspaced sequence of characters used to determine that a computer user requesting access to a computer system is really that particular user.**

It’s only natural that in such a fast paced environment, what used to work 55 years ago is not sufficient anymore.

Passwords are indeed the weakest link in the security chain, and this is due to:

  1. People’s inability to come up with a strong password (they tend to underestimate hackers’ ability to guess their passwords).
  2. Users’ tendency to use the same password for more than one account (at a rate of at least 50 different accounts, it’s impossible for anyone to remember 50 different passwords).
  3. Hackers’ ability to crack them in a matter of seconds.

Sure, there are plenty of password managers out there, but even these tools are proven vulnerable once in a while.

Interest in passwords is not decreasing: Google searches for the term “Password” are consistent overall, which means that passwords are still the primary authentication method for most users and systems.

Source: Google trends

Despite this consistent interest, passwords are being hunted down by the creators of the WWW themselves, who created a consortium called the World Wide Web Consortium. This initiative aims to replace passwords with more secure ways of logging into websites, as “Strong authentication is useful to any Web application that wants to maintain an ongoing relationship with users”***.

Having taken all of these facts into account, we conclude:

2017 Prediction: Password-based authentication will stagnate

Why this might happen:
- People's increasing interest in protecting their privacy will lead to increasing adoption of alternative authentication mechanisms.
- Passwords' inefficiency in protecting users' accounts.
- The development of more sophisticated and secure authentication systems.
- The traditional password will be increasingly oriented towards a more biometric approach.
- Websites are switching to more secure login mechanisms.

Why this might not happen:
- Normal users generally have basic computer knowledge and consider their current passwords strong enough.
- More users turn to password managers, therefore keeping their password-based login habits.
- The general population doesn't consider their data "worthy" of hackers' efforts.
- New websites continue to be created that use the classic user/password authentication mechanism.

Overall trend: Stagnation

2. Two factor authentication (2FA)

Two factor authentication is basically an upgrade to traditional password-based authentication, obtained by adding an extra step to the login process (the second factor).

Two-factor authentication (2FA), often referred to as two-step verification, is a security process in which the user provides two authentication factors to verify they are who they say they are, as opposed to single-factor authentication (SFA), where the user provides only one factor — typically a password.****

2FA has been around for quite a while now, but users did not recognize it as such: a different authentication system.

Interest in this type of authentication is increasing quite abruptly, as Google searches for the term “Two factor authentication” are on the rise, especially in the second half of 2016.

Source: Google trends

One of the most common forms of two factor authentication is SMS-based, as it is widely used by financial institutions.

Although widespread, SMS-based 2FA is now considered insecure, because the messages are sent through various insecure systems and there is a risk of them being intercepted by undesired parties.

The National Institute of Standards and Technology from the US Department of Commerce released a draft which contains new recommended standards for authentication. This draft recommends authentication methods other than SMS-based ones:

“OOB using SMS is deprecated, and will no longer be allowed in future releases of this guidance.”*****

2017 Prediction: Two Factor authentication adoption will further increase

Why this might happen:
- Switching from password authentication to 2 factor authentication is relatively easy, as it adds just a simple step to the process.
- Major companies such as Apple, Google and Facebook have already implemented it, acquainting their users with this new technology and increasing adoption.
- As 2FA gains more traction in terms of implementation, vulnerabilities will be eliminated and the number of companies implementing it will increase.

Why this might not happen:
- Two factor authentication still relies on passwords for the authentication, to which it adds an extra verification step.
- As SMS-based authentication is losing ground, being considered insecure, this might affect the overall increase of 2FA.
- Users are initially resistant to 2FA systems before they are implemented, often making them switch to a different service. However, once the system is implemented or becomes mandatory, the resistance is significantly diminished.

Overall trend: Increase

3. Multi-factor authentication (MFA)

A much more secure alternative to the two factor authentication mechanism is Multi-factor authentication.

Multi-factor authentication (MFA) is a security system that requires more than one method of authentication from independent categories of credentials to verify the user’s identity for a login or other transaction.******

MFA creates a layered defense system that makes it harder for hackers to break in, since they would have to hack all the independent credentials:

  • Something the user knows (password)
  • Something the user has (security tokens)
  • Something the user is (biometric verification)

Even though Google searches for the term “Multi-factor authentication” didn’t see an abrupt increase, as in the case of 2FA, they show a steady, rhythmic evolution.

Source: Google trends

A report released by Markets And Markets reveals that the market for Multi-factor authentication is projected to surpass $9.6 billion, applicable across various domains (Travel & Immigration, Government, Banking, Defense, Commercial, Security, Consumer electronics, Healthcare).

Source: MarketsandMarkets

Besides the high level of security, multi-factor authentication allows a certain degree of flexibility: the company can set the desired level of security depending on its users’ profiles and needs.
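The "independent categories" requirement and the per-profile flexibility described above can be expressed as a small policy check. This is an added example, not code from UNLOQ or from any product the article mentions; the authenticator names, the profile names and the choice to refuse SMS codes (following the NIST draft wording quoted earlier) are all assumptions.

```python
from dataclasses import dataclass

# Hypothetical authenticator catalogue (names are assumptions, not from the article).
# Each authenticator belongs to one of the three categories the article lists.
CATEGORY = {
    "password": "knows", "pin": "knows", "security_question": "knows",
    "totp_app": "has", "hardware_token": "has", "sms_otp": "has",
    "fingerprint": "is", "face": "is",
}

# Assumption: this policy does not count SMS codes, following the NIST draft quoted above.
DEPRECATED = {"sms_otp"}

# Assumed per-profile requirement: how many independent categories must be proven.
REQUIRED_CATEGORIES = {"standard": 2, "admin": 3}


@dataclass
class Decision:
    allowed: bool
    categories: frozenset
    reason: str


def evaluate(profile, verified):
    """Decide a login from the authenticators that were successfully verified."""
    # Fail closed on anything the policy does not know about.
    if profile not in REQUIRED_CATEGORIES:
        return Decision(False, frozenset(), f"unknown profile: {profile}")
    unknown = [a for a in verified if a not in CATEGORY]
    if unknown:
        return Decision(False, frozenset(), f"unknown authenticator: {unknown[0]}")
    usable = [a for a in verified if a not in DEPRECATED]
    # Independence is counted per category: password + PIN is still one factor.
    cats = frozenset(CATEGORY[a] for a in usable)
    need = REQUIRED_CATEGORIES[profile]
    if len(cats) < need:
        return Decision(False, cats, f"{len(cats)} of {need} independent categories")
    return Decision(True, cats, "ok")


if __name__ == "__main__":
    # Constructed sample logins.
    for profile, verified in [
        ("standard", ["password", "pin"]),
        ("standard", ["password", "sms_otp"]),
        ("standard", ["password", "totp_app"]),
        ("admin", ["password", "hardware_token", "fingerprint"]),
    ]:
        print(profile, verified, evaluate(profile, verified))
```

Two knowledge-based secrets fail the check even though two credentials were presented, which is the difference between adding steps and adding independent factors.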

2017 Prediction: Multi-factor authentication is increasing steadily

Why this might happen:
- As security concerns increase, companies and governments will seek more sophisticated authentication systems such as MFA.
- The value of data is increasing as well as the pressure to protect it.
- MFA is much safer than 2FA, which still relies heavily on passwords for authentication.
- Considering the level of security it brings, the usability is superior to 2FA.
- Legislation is an important factor that contributes to the growth of the MFA market, as it is becoming a legal requirement for data security.
- Governments are allocating large sums of money for the development of cybersecurity products.

Why this might not happen:
- Cyber security awareness is still low among companies and employees.
- Organisations have limited budgets, skills and resources for increasing cybersecurity, which slows down adoption.
- Lengthy and often difficult financing process for cybersecurity companies that develop authentication products.

Overall trend: Increase

As the world grows increasingly concerned about privacy and data protection and hacking sophistication rises, companies and governments worldwide are forced to come up with more efficient cyber-security tools.

The evolution of the cyber-security market is influenced by several factors, ranging from usability, security awareness and demand to budgets and legislation, so the authentication trends for 2017 are partly wishful thinking.

Let’s wish for a more secure 2017!

The next generation of Multi-factor Authentication https://unloq.io/. Strong Passwordless Multi-Factor Authentication Security Solution.