Advertorial feature by University of Surrey
Spotlight on Policy
11 May 2020, updated 04 Sep 2021, 2:32pm

Beyond passwords

The future of web authentication is complex and exciting.

By Ashish Thakur

The University of Surrey’s Mark Manulis, Helen Treharne and Chris Newton, and Matthew Casey from Pervasive Intelligence, discuss the new mechanisms being developed for keeping data secure.

What are the main issues with password insecurity?
Much has been said about password insecurity. Users are known for making poor password choices, with passwords often being written down, reused across multiple websites, or revealed through phishing attacks. Deployed policies requiring users to frequently change and memorise new passwords are unusable and magnify the problem. The need to adhere to legacy systems in password management and to provide for alternative reset mechanisms introduces further risks and high costs. The UK’s NCSC has issued numerous guidelines on how to improve password authentication. But in the coming years passwords will no longer be used as a main authentication factor. This is foreseeable, given new regulations such as the revised EU Directive on Payment Services (PSD2) on stronger customer authentication and recommendations by the World Economic Forum on adopting passwordless authentication.

What does the future of authentication look like?
The need to strengthen user authentication has already been recognised and many competing solutions are currently being deployed. Collectively known as 2FA/MFA, they still widely rely on passwords, strengthened by additional measures such as one-time passcodes. There are less secure solutions with short time-limited codes sent through out-of-band channels, e.g. email or SMS, and solutions requiring additional software/hardware authenticators on the user side to locally generate and verify the codes. They must be securely configured for each web service and cannot be reused, limiting portability and requiring complicated, often manual reset mechanisms. As with passwords, using passcodes bears the risks of guessing and phishing attacks.

The game changers are the open FIDO Alliance specifications for completely passwordless user authentication. On track to become a new standard, WebAuthn, developed by the W3C Web Authentication Group, relies on public-key cryptography to improve the security and privacy of web users. While commodity smartphones and various USB/NFC/Bluetooth tokens will serve as WebAuthn authenticators, there are still usability limitations with regard to their portability, back-up and reset mechanisms.

How is the University of Surrey involved in shaping that future?
The Surrey Centre for Cyber Security (SCCS) is working with leading WebAuthn industries on back-up/recovery mechanisms for future web authenticators and is also exploring new cloud-based architectures with hardware-based roots of trust to support delegation of WebAuthn credentials. SCCS has experience in the design and analysis of (multi-factor) authentication and identity management protocols, grounded in modern cryptography and formal protocol analysis. In our recent projects we developed privacy-preserving authentication and attestation protocols for users and machine-to-machine communications, with applications for future transport and rail systems. SCCS is also working on authentication protocols for distributed systems involving IoT and blockchain technologies.
