A world with invisible authentication
How a 2011 presentation from DARPA is still relevant today
Passwords are a chore. What if we got rid of them?
Ok, maybe we already are. After all, passwordless is a big deal nowadays.
As it should be. Who wants to remember all those different passwords (#fuzZles1990_1, #fuzZles1990_2, #fuzZles1990_3…)
Passwordless authentication isn’t just easier, it’s more secure.
I’d love to talk about passwordless auth all day (and I’m sure you’re very eager to hear that), but that’s not why we’re here.
You see, passwordless doesn’t mean interaction-less.
Usually, passwordless auth is done through a physical security key or an authenticator app. This still requires you as the user to take out your key or your phone and approve the sign-in.
What if that wasn’t required? What if every single action you took since you turned on your computer was actually part of your authentication?
What if we made authentication invisible?
It makes sense, right?
When we talk on the phone, we don’t ask the other person to validate who they are, we just recognize the unique combination of sound waves that make up their voice. Same thing when we read a letter in someone’s distinct handwriting.
This isn’t a new concept by any means. Back in 2011 DARPA presented a slideshow discussing this very idea.
They called it… Active Authentication
They pointed out all the millions of passwords that were exposed in breaches. I’m sure they’d be happy to hear that number has only multiplied 13 years later!
Ok, but what exactly is active authentication?
Here’s DARPA’s wording on what the motive behind active authentication is, and I couldn’t have put it more perfectly myself:
“How do we move from proxies for you to the actual you?”
Here are 3 methods they proposed to implement active authentication:
Physical Identifiers
Now known as biometrics. Technology that was around even back then.
This is “something you are”. Uniquely identifiable traits of you. Your fingerprint, voice, face, iris… you get the gist.
But why stop at physical identifiers?
Behavioral Analytics
This is your digital fingerprint.
The unique ways you move a mouse, your typing speed, how quickly you change from one page to the next.
Every action you take on a system can be tied back to your individual behavior.
Let’s go beyond your actions, and look at your work…
Contextual Analytics
This is defined as the “context you exist in.”
This is similar to your digital fingerprint, but it seems to be focused on the content that you produce.
When you write a document, what is your word choice? What length words do you use? How do you space your sentences?
All this can forensically correlate you as the author of some work.
The full picture
Great, we have active authentication methods. But how do we use them?
To combine it all, DARPA proposed a metric called authentication fidelity.
As you continue to pass the above methods, your fidelity increases. And the higher your fidelity, the more sensitive information you have access to.
Sounds really cool, right?
So… what happened to active authentication?
Here are 3 potential reasons that stopped this from becoming a widespread reality:
Computational Cost
Passwords are cheap to collect. You type it in... and that’s it.
All the data for active auth methods? Well, that’s very, very expensive.
An agent on the machine would have to be continuously running, collecting millions of signals an hour and sending them up for analysis.
That is… assuming that analysis can be accurately done.
Lack of Robust Data
We all have different patterns of behavior. A good authentication model should accurately detect patterns in different groups of people.
The model would need to be trained on data that is representative of our behavioral differences.
Differences that are affected by our upbringing, career, culture…
That’s a lot of data.
On top of that, an authentication model is a supervised one, meaning it needs labeled training data: behaviors labeled with the accounts that produced them.
And it just turns out… labeled data is much harder to find.
All that to say, 10 years ago, that data might not have been available. Even if it was, maybe that wouldn’t be enough…
Interpretability of Results
Sometimes an accurate model isn’t good enough. Humans need to understand why a model made the decisions it did.
Out of the millions of signals that were used in the authentication, which ones were the reason this user was denied access?
This is called interpretability, and it is a growing part of machine learning.
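To make the fidelity idea from “The full picture” and the interpretability question above concrete, here is a small, added Python illustration (not DARPA’s design and not code from this post). It scores two constructed signals (keystroke latency as a behavioral signal, average word length as a contextual signal), combines them with a time-decayed physical verification into a fidelity value, maps fidelity to an access tier, and returns a per-signal breakdown so a denial can be traced to the signal that caused it. The weights, thresholds, half-life, Gaussian similarity and all sample data are assumptions made up for the example.

```python
"""Toy 'authentication fidelity' scorer in the spirit of DARPA's Active
Authentication slides. Added illustration only: baselines, weights, tiers,
decay and sample sessions are all constructed for this example."""
import math
from statistics import mean, pstdev

# Constructed enrollment baseline for one user: inter-key latencies in ms.
BASELINE_LATENCY_MS = [120, 130, 125, 135, 128, 122, 131]
BASELINE_AVG_WORD_LEN = 4.5  # constructed writing-style baseline

# Assumed weights: a fresh physical check counts most, context least.
WEIGHTS = {"physical": 0.5, "behavioral": 0.3, "contextual": 0.2}
# Assumed tiers: minimum fidelity required for each data sensitivity level.
TIERS = [(0.8, "sensitive"), (0.5, "internal"), (0.0, "public")]


def behavioral_score(observed_ms, baseline_ms=BASELINE_LATENCY_MS):
    """Similarity of observed keystroke timing to the enrolled baseline.
    Uses a Gaussian-shaped score of the z-distance: 1.0 means on-profile."""
    mu = mean(baseline_ms)
    sigma = pstdev(baseline_ms) or 1.0  # guard a degenerate baseline
    z = abs(mean(observed_ms) - mu) / sigma
    return math.exp(-0.5 * z * z)


def contextual_score(text, baseline_avg=BASELINE_AVG_WORD_LEN, tolerance=1.5):
    """Similarity of a document's average word length to the baseline;
    drops linearly to 0 once the difference reaches `tolerance`."""
    words = text.split()
    if not words:
        return 0.0
    avg = sum(len(w) for w in words) / len(words)
    return max(0.0, 1.0 - abs(avg - baseline_avg) / tolerance)


def decayed_physical(verified, minutes_since, half_life=30.0):
    """A fingerprint/face check loses half its value every `half_life`
    minutes, so fidelity must be refreshed by ongoing signals."""
    if not verified:
        return 0.0
    return 0.5 ** (minutes_since / half_life)


def fidelity(verified, minutes_since, behavioral, contextual):
    """Weighted combination of all three signal families, in [0, 1]."""
    return (WEIGHTS["physical"] * decayed_physical(verified, minutes_since)
            + WEIGHTS["behavioral"] * behavioral
            + WEIGHTS["contextual"] * contextual)


def access_tier(f):
    """Highest sensitivity tier the current fidelity unlocks."""
    for threshold, tier in TIERS:
        if f >= threshold:
            return tier
    return "public"


def explain(verified, minutes_since, behavioral, contextual):
    """Interpretability: contribution of each signal to fidelity, plus the
    signal furthest below its own maximum (the one to blame for a denial)."""
    parts = {
        "physical": WEIGHTS["physical"] * decayed_physical(verified, minutes_since),
        "behavioral": WEIGHTS["behavioral"] * behavioral,
        "contextual": WEIGHTS["contextual"] * contextual,
    }
    weakest = min(parts, key=lambda k: parts[k] / WEIGHTS[k])
    return parts, weakest


if __name__ == "__main__":
    # Constructed session: fingerprint checked an hour ago, typing on-profile,
    # writing style on-profile.
    b = behavioral_score([126, 129, 127])
    c = contextual_score("the quick brown fox jumps")
    f = fidelity(True, 60, b, c)
    print(f"fidelity={f:.2f} tier={access_tier(f)} breakdown={explain(True, 60, b, c)}")
```

Two things the breakdown makes visible that a single pass/fail would hide: a stale physical check alone is not enough to reach the “sensitive” tier, and when access is denied the `weakest` field names the signal family responsible rather than leaving the user with an unexplained refusal.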
Did active authentication really… just disappear?
All that said, just because we don’t see active authentication doesn’t mean it’s not being used today.
A lot of that presentation’s ideas have shaped modern authentication:
Biometrics make up a core part of passwordless methods today.
Financial systems use behavioral tracking to detect fraud.
Anomalous behavior is used to flag a suspicious sign-in.
And just maybe, behind the scenes, active authentication is a lot more popular than we think.
It amazes me how a concept from over a decade ago is still so relevant, and how active authentication concepts have morphed into the every day.
Makes you wonder… what’s next in authentication?
Enjoyed the article (even a little bit)? Follow me on LinkedIn to hear more of my rants: https://www.linkedin.com/in/nouraie/