Authentication, passwords and the future of digital signatures
In an age when so much business is conducted online, authentication is essential for establishing trust and proving the veracity of documents, deals and transactions. If we can’t be sure who has seen, amended and signed a contract, then we would need to revert to paper, pens and wet signatures – a huge step backwards that nobody wants to take.
The trouble with passwords
Passwords are one of the most common methods of verifying the identity of a user. But passwords are problematic. For starters, they’re only as secure as the person who chooses them, both in the sense that some users will resort to easy options like 123456 or password, and in the sense that some users are careless with their credentials, leaving them jotted on Post-its or scrawled on the back of their hand.
Can we blame people for seeking easy options when they have – according to a survey by Intel Security – an average of 27 login details to remember? The same survey found that 37% of respondents forget a password once a week. This might seem like a small problem, but the extra brain space and administrative time taken up by inputting, recovering and devising passwords could be better spent. This inconvenience is also one reason why people often recycle passwords, using the same login credentials for multiple sites and apps. Research by Gartner found that 95% of cyber attacks are conducted using stolen passwords – meaning the attacks might have been prevented if the individuals had changed their passwords more frequently or used distinct passwords for each application.
But if passwords are the problem, what is the solution?
There are many technologies vying to replace passwords when we need to authenticate users – both when providing access to information and when seeking signatures, confirmations, or an audit trail.
Multi-factor authentication. This is an approach rather than a technology, but it underpins many of the current crop of security solutions that are touted as a more secure alternative to passwords. Technologies that employ a two-factor approach include SMS messaging, in which the application sends the user a one-time password (OTP) that must be input to gain access. This, of course, creates an extra layer of friction for the user, but it makes fraud and hacking more difficult to achieve (though not impossible for a determined cyber-criminal).
Smart cards and personal portable security devices. There is a wide range of these cards on the market, providing a variety of features using a mixture of technologies, and while they are more secure, they are currently an expensive option, and typically require considerable effort to deploy and implement. But once in place, a smartcard-based security system can reduce unauthorised access and make it quicker and easier for users to get to work.
Authentication as a service. Seeing opportunities where others see problems, software developers are building password management platforms that aim to replace your 27+ login credentials with a single sign-on (SSO). These solutions are certainly attractive to users because of their frictionless convenience, but using these solutions also means outsourcing your security, to some extent, to a third-party. You may like the software, but how much do you trust the developer?
Fingerprint scanners. Apple and Android devices have been including fingerprint scanners for a few years now, with relative success (apart from when it’s raining or you’ve just stepped out of the shower). But could fingerprint scanning become more widespread in the workplace, or as a system for signing important documents? The latest solutions don’t even require a dedicated fingerprint scanner; they simply turn the device’s camera into a scanner, using the LED flash to create the optimal light conditions in any situation. In these cases, scanning your fingerprints is as simple as taking a photo of your hand. This kind of technology, which makes the most of the hardware that most people are already carrying, could help organisations avoid implementing solutions that require huge hardware rollouts or major adjustments to physical infrastructure (such as you would encounter if adding iris scanners to entrances).
Digital signatures. In 2000, the Electronic Signatures in Global and National Commerce Act (ESIGN) gave electronic and digital signatures the same legal standing as wet (ink) signatures. In the US, the Government Printing Office publishes electronic versions of bills and budget documents that are signed with digital signatures – a testament to their security.
While some organisations still prefer handwritten signatures, advances in technology are making it harder to justify the traditional paper and pen approach, particularly when wet signatures may involve printing, posting, chasing, sorting, checking and scanning. With digital signatures, the signing software first runs the document through a hashing algorithm to produce a short, fixed-length digest, and then applies the signer’s private key to that digest. Hashing is not encryption: it is a one-way operation, so the digest cannot be turned back into the document, but anyone with the signer’s public key can recompute the digest and confirm that the document has not been altered since it was signed. Hashing also speeds up signing and verification, because a large document is represented by the short hash value.
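The hash-then-sign flow described above, as an added example that is not part of the original article: the document is reduced to a SHA-256 digest, the digest is signed with a private key, and a verifier recomputes the digest and checks it against the signature with the public key. The key material is an assumption for the demo only (two publicly known Mersenne primes, so anyone can factor the modulus); a real system would use a vetted library with 2048-bit or larger keys and a padding scheme such as PSS, which this textbook RSA omits.

```python
import hashlib

# Toy RSA key pair built from two well-known Mersenne primes (an assumption for this demo).
# They demonstrate the mechanics only; anyone can recover the private key from n.
P = (1 << 89) - 1
Q = (1 << 107) - 1
N = P * Q                                   # modulus, a little over 2^195
E = 65537                                   # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))           # private exponent (Python 3.8+)

DIGEST_BYTES = 24  # keep the digest integer (192 bits) below N so the modular maths is exact


def digest(document: bytes) -> int:
    """One-way step: SHA-256 of the whole document, truncated to fit under the toy modulus.
    The output is the same length however large the document is, and cannot be reversed."""
    return int.from_bytes(hashlib.sha256(document).digest()[:DIGEST_BYTES], "big")


def sign(document: bytes, private_exponent: int = D, modulus: int = N) -> int:
    """Signer side: apply the private key to the digest, not to the document itself."""
    return pow(digest(document), private_exponent, modulus)


def verify(document: bytes, signature: int, public_exponent: int = E, modulus: int = N) -> bool:
    """Verifier side: undo the private-key operation with the public key and compare
    the recovered digest with a fresh digest of the document presented for checking."""
    return pow(signature, public_exponent, modulus) == digest(document)


if __name__ == "__main__":
    contract = b"Supplier agrees to deliver 500 units by 30 June."   # constructed sample document
    sig = sign(contract)
    print("signature valid:", verify(contract, sig))
    print("after tampering:", verify(contract.replace(b"500", b"5000"), sig))
```

Two things the example makes concrete: verification needs only the public key, which is what lets anyone check a signed budget document without access to the signer's secret, and changing a single character of the document changes the digest, so the stored signature no longer matches.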
As you can see, there are many ways to authenticate users, but the trick is balancing security against the need for access and efficiency.
With so many customer communications - and the technology that powers them - moving online, there is a growing need to protect those conversations, and also prove the identity of senders and recipients. So we're carefully watching innovations in this area and learning how smarter authentication and validation can help our clients create amazing digital experiences for their customers.