It has been clear for a while now that passwords no longer provide the user experience or security needed for consumers today. A few months ago, health and fitness app MyFitnessPal became the latest brand to hit the headlines when cyber thieves made off with the encrypted passwords of around 150 million users.
This type of news simply serves as a reminder that an alternative to passwords is no longer just desirable, but necessary. The answer is zero login: a technology that is about to redefine authentication forever.
While the majority of us are familiar with fingerprint or facial recognition methods, the latest advances in authentication will see our most intricate behavioral characteristics – such as typing patterns, location and occupation – used to verify our identity and protect our personal information. These new technologies will log you into your applications without you needing to do anything at all.
Zero login today
It may surprise you to learn that zero login is already in action today. If you’ve logged into your online banking from a new device or connected from a cafe that you’ve never been to before, you may have received a message or call from your bank asking you to verify your email or phone number to prove it’s really you. These technologies have been deployed for a number of years and may have signaled the beginning of the authentication revolution we are seeing today.
Amazon.com is currently testing behavioral characteristics, including typing speed and the pressure applied when a user taps their phone, as vectors for verifying a user’s identity. Such intricate and unique patterns are extremely difficult for a potential attacker to guess or replicate, and none of them involves a password.
Recent models of iPhone already allow the user to change the pressure of their home button, and can detect and remember signals from other devices such as your car, Fitbit or headphones. While an attacker may be able to trick one of these technologies, fooling them all simultaneously would be extremely tough.
A zero login world would see passwords as the final level of security and only attackers should ever be asked to enter one. Today, many applications and online stores will ask for a password even though the chance of that transaction being fraudulent is extremely low.
Many people second-guess their purchases when met with a password request, and removing such a barrier, while maintaining and even improving the level of security, would be advantageous to consumers and retailers alike.
The ugly side
While zero login comes with a number of obvious benefits, it also brings to mind a variety of potential limitations. How do you know when you have successfully logged out? How well is all of this behavioral data being protected? Perhaps more worryingly, how do you know when you are being monitored without your knowledge?
If your phone is collecting all of this information about you, how is it being protected and where is it being sent? Allowing your device to run background software that can calculate a ‘risk score’ based on the interactions of the user with the phone is a positive example of how this innovation can be used: the score would then be sent to the cloud, where a decision would be made on the likelihood of infiltration.
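An added example, not from the original article: a sketch of the flow described above, in which the device reduces behavioral signals to a single risk score and the cloud decides from that score alone, asking for a password only when risk is elevated. The profile values, weights, thresholds and function names are all assumptions made for illustration.

```python
from statistics import mean, pstdev

# Constructed enrolment profile (illustrative values, not real measurements).
PROFILE = {
    "key_interval_ms": [182, 175, 190, 168, 185, 179, 188, 172],
    "tap_pressure": [0.42, 0.45, 0.40, 0.44, 0.43, 0.41, 0.46, 0.43],
}
KNOWN_COMPANIONS = {"car", "fitbit", "headphones"}  # devices usually nearby

def deviation(samples, baseline):
    """Distance of the session mean from the baseline mean, in baseline std devs."""
    if not samples:
        return float("inf")  # no signal collected: treat as fully anomalous
    sigma = pstdev(baseline) or 1e-9
    return abs(mean(samples) - mean(baseline)) / sigma

def device_risk_score(session):
    """On-device step: reduce raw signals to one score in [0, 1]."""
    worst = max(deviation(session.get(k, []), PROFILE[k]) for k in PROFILE)
    behaviour_risk = min(worst / 3.0, 1.0)  # 3+ std devs counts as fully anomalous
    seen = KNOWN_COMPANIONS & set(session.get("nearby_devices", []))
    companion_risk = 1.0 - len(seen) / len(KNOWN_COMPANIONS)
    context_risk = 1.0 if session.get("new_location", True) else 0.0
    # Weights are assumptions chosen for the illustration.
    return round(0.5 * behaviour_risk + 0.3 * companion_risk + 0.2 * context_risk, 3)

def cloud_decision(score, step_up_at=0.4, deny_at=0.8):
    """Cloud step: decides from the score alone; it never sees the raw signals."""
    if score >= deny_at:
        return "deny"
    return "password" if score >= step_up_at else "allow"

# Constructed sessions.
OWNER_AT_HOME = {"key_interval_ms": [180, 177, 184, 176], "tap_pressure": [0.43, 0.44, 0.42, 0.44],
                 "nearby_devices": ["fitbit", "headphones"], "new_location": False}
OWNER_NEW_CAFE = dict(OWNER_AT_HOME, nearby_devices=[], new_location=True)
STRANGER = {"key_interval_ms": [120, 115, 130, 125], "tap_pressure": [0.70, 0.72, 0.68, 0.71],
            "nearby_devices": [], "new_location": True}

if __name__ == "__main__":
    for name, s in [("owner at home", OWNER_AT_HOME), ("owner, new cafe", OWNER_NEW_CAFE),
                    ("stranger", STRANGER)]:
        score = device_risk_score(s)
        print(f"{name:16} score={score:.3f} -> {cloud_decision(score)}")
```

Only the rounded score crosses the network in this sketch, so the keystroke timings and tap pressures stay on the device.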
However, an inherent level of discomfort comes with knowing your biometrics and location are being sent and stored across the internet. While some of us demand complete privacy, we still want to keep some parts of our lives separate, and even if this information is encrypted there is still a chance it can be seized by attackers.
Understandably, there are considerable implications if users are logged into a service without realizing it, and with passive authentication we can easily be logged into all of our accounts, all of the time, without even realizing it.
Authentication is about to be redefined as we know it. The thought of remembering numerous complex passwords will soon fall under the umbrella of ‘the old fashioned way’ and our phones will soon be able to recognize us from the moment we pick up the device.
Perfecting zero login to ensure it is secure, frictionless and personalized is just around the corner, but combating its potential limitations and ensuring a successful transition from passwords will require effective regulations to be enforced. The technology is smart, but people’s privacy and consent must be prioritized if we are to successfully construct the new era of authentication.
Source: InfoSecurity Magazine