Security and Usability
How new authentication methods eliminate old trade-offs

Copyright 2014 Echo + Janrain, Inc. All rights reserved. | aboutecho.com | www.janrain.com | 888.563.3082

Security vs Usability

SECURITY AND USABILITY
HOW NEW AUTHENTICATION METHODS ELIMINATE OLD TRADE-OFFS

It’s an exciting time for user authentication. The historical trade-off between usability and security is dissolving, as technologies reduce friction while maintaining or improving security. Whether you’re providing authorization for your employees, customers, or partners, end users are becoming savvier about how to protect themselves and how they expect to be protected—and they don’t expect to have to sacrifice ease of use.

We’ll explore the historical conflict between usability and security and the focus of the security-minded company, the old models and the trade-offs they created, and the new technologies that are bridging the gap between ease of use and the ability to securely confirm user identity.

Copyright 2015 Janrain, Inc. All rights reserved. | www.janrain.com | 888.563.3082

THE CONFLICT BETWEEN SECURITY AND USABILITY
CAN WE HAVE IT ALL?

IT organizations and security-minded companies need a way for users to assert who they are that extends beyond a username and password. As Forrester reported in 2013, two of the top three data breaches in that year involved usernames and passwords.[1] As far back as 2012, Janrain published a report outlining user dissatisfaction with the username and password paradigm.[2] Because users need a different set of credentials across the myriad applications they use, passwords are frequently made too simple or reused across accounts, reducing the efficacy of a username/password combination.
For a company protecting a user’s personally identifiable information (PII) or sensitive internal information, the need for elevated security meant adding another layer of authentication on top of the traditional username and password. For many companies, the go-to tools included one-time password (OTP) hardware tokens, like RSA SecurID, or proximity or contact-based tokens, like smart cards or Bluetooth tokens. These types of technologies could be used as the primary method of authentication, or as a method for accessing a restricted area where the desired application additionally required a username and password (two-factor authentication).

In terms of a usability trade-off, OTP hardware keys and their ilk have the highest friction coefficient of the technologies discussed in this paper. To utilize this method of authentication, a user must carry an additional physical device that has no utility to the user outside of authentication. And, even though hardware tokens and smart cards add assurance on top of username/password combinations, they are not foolproof. Not even RSA is exempt from the possibility of compromise, as their 2011 breach showed.[3]

Rise of Mobile

A natural way to reduce the friction of OTP hardware tokens is to shift the delivery mechanism of the OTP to something the user already has. In 2014, global mobile penetration grew to 90% or higher everywhere except Africa and South Asia.[4] In addition, developing countries are seeing a trend where mobile devices are the only connected device a user owns. This means all internet connections for that user are handled over a mobile device, rather than through a desktop or laptop.[5] Naturally, the confluence of the existing technology of OTP and the newly-prolific technology of mobile devices produced a shift from hardware tokens to delivering OTP via those mobile devices.
This new form of two-factor authentication has the same security features as hardware tokens, but rather than carrying around an extra device, the user can authenticate with an OTP that is sent to a device they already have. While this is a step in the right direction in terms of reducing friction for sign-in while maintaining security, it still requires that users validate themselves twice: once with the primary mechanism, like username and password, and once with the OTP through their mobile device when it’s being used as a second factor for authentication. Additionally, some companies utilize their own mobile app with a QR code reader or OTP generator embedded within it, which means users must download multiple applications to utilize second-factor authentication across multiple web sites.

Another step up from OTP via mobile devices is to instead use push notifications as validation of the user action. This marginally decreases the friction of an OTP that is manually entered into the primary device, since the user is simply approving the primary device’s authentication attempt, rather than entering a code. It also increases security, since validating the action from the mobile device is not subject to man-in-the-middle attacks that are possible when confirming an OTP from a secondary device on the primary.

Some companies may be looking to enable two-factor authentication to meet the security needs of their end users, but don’t need to require it from all users. In this case, they are able to reduce friction while still permitting two-factor authentication by using social authentication with identity providers that offer two-factor authentication. In this way, a user can opt to add two-factor authentication to their own social account whenever it is used to authenticate to a third-party site.
It reduces the friction for the user because it doesn’t require an app that’s specific to the site, and it doesn’t require the user to re-assert their identity using an OTP every time they use social login with that particular account. It also eliminates the effort of implementing mobile OTP via SMS or some other mechanism by allowing the end user to control whether or not they use two-factor authentication to protect their accounts.

Getting Smarter About Risk

The next step in marrying usability and security is to take the concepts above and add intelligence and risk assessment to determine when and how it’s most appropriate to increase the burden for authentication. This could mean adding technology like device detection or IP geolocation that can tell you if the initial authentication is done in a different location than expected, which can then trigger some supplemental authorization to confirm the user is who they claim to be. Or, this could mean detecting anomalies in user behavior or patterns, like keystroke patterns, to trigger additional security measures through step-up authentication.

In addition to supporting risk-based authentication, concepts like step-up authentication can be used to add protection for those resources that necessitate a higher level of assurance of the user’s identity. For example, in the case of a financial institution, social login may be adequate to access features like credit card applications or interacting with customer service. However, when accessing account information or making purchases, a higher level of authentication may be implemented, such as SMS validation, to increase the certainty that the user is who they claim to be. Or, the company may choose to implement SMS validation only if the risk assessment dictates that it’s needed, for example, if the device being used isn’t on record as belonging to that user.
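As an added illustration (not code from the whitepaper or from Janrain), the policy described above can be written as a small decision function: each resource carries a minimum assurance level, risk signals from device detection and IP geolocation raise that level, and a second factor the social identity provider has already enforced counts toward it. The resource names, signal names and profile fields are assumptions made for the example.

```python
from dataclasses import dataclass, field
from enum import IntEnum

class Assurance(IntEnum):
    """How strongly the current session has asserted the user's identity."""
    PRIMARY = 1      # one factor only: social login or username/password
    TWO_FACTOR = 2   # primary factor plus SMS OTP, push approval, or IdP-run 2FA

# Constructed policy mirroring the paper's bank example: low-risk features
# accept social login alone; account data and purchases need a second factor.
RESOURCE_MIN_ASSURANCE = {
    "credit_card_application": Assurance.PRIMARY,
    "customer_service": Assurance.PRIMARY,
    "account_information": Assurance.TWO_FACTOR,
    "purchase": Assurance.TWO_FACTOR,
}

@dataclass
class UserProfile:
    known_devices: set = field(default_factory=set)    # devices on record
    usual_countries: set = field(default_factory=set)  # seen on past sign-ins

@dataclass
class AuthContext:
    resource: str
    device_id: str                # assumed output of device detection
    country: str                  # assumed output of IP geolocation
    idp_two_factor: bool = False  # the social IdP already ran its own 2FA

def risk_signals(ctx: AuthContext, profile: UserProfile) -> list:
    """Anomalies that justify step-up; an empty list means low risk."""
    signals = []
    if ctx.device_id not in profile.known_devices:
        signals.append("unknown_device")
    if ctx.country not in profile.usual_countries:
        signals.append("unexpected_country")
    return signals

def required_assurance(ctx: AuthContext, profile: UserProfile) -> Assurance:
    """Resource floor, raised to TWO_FACTOR by any risk signal; unknown resources fail closed."""
    level = RESOURCE_MIN_ASSURANCE.get(ctx.resource, Assurance.TWO_FACTOR)
    return Assurance.TWO_FACTOR if risk_signals(ctx, profile) else level

def needs_step_up(ctx: AuthContext, profile: UserProfile) -> bool:
    """True when the site must run its own second factor (e.g. SMS OTP) before granting access."""
    achieved = Assurance.TWO_FACTOR if ctx.idp_two_factor else Assurance.PRIMARY
    return required_assurance(ctx, profile) > achieved
```

The list returned by risk_signals is also what you would log alongside the decision, so that step-up prompts can be audited against the signal that triggered them.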
The Future Is YOU

The next big space for authentication innovation is you—or more specifically, your unique physiological characteristics. Just as moving the hardware token to a mobile device reduces friction for two-factor authentication, since users are likely to already carry a mobile device, moving to something users always have with them—themselves—reduces friction even further.

Biometrics is a method of authentication that uses a unique attribute of a person to assert identity. Technologies that already exist and are available commercially today include voice recognition, images that pattern-match the blood vessels of the eye, and fingerprint scans. Some of these technologies are faring better than others, as Forrester reports in their 2013 market overview of employee and customer authentication solutions.[6]

Figure: Biometric methods: retina scan, fingerprint, and voice.

One of the better-known technologies in this space today is TouchID, available on Apple’s iPhones 5 and 6. This technology allows users to place their finger on the home button of their phone to unlock it, completely obviating the need for a password to access the device. The use of TouchID technology in conjunction with something like SMS OTP validation eliminates the need to remember a password, even for two-factor authentication.

Biometrics are not yet ubiquitous enough to function as an ultimate method of authentication. However, as the technologies continue to become more commonly available on authentication devices, biometrics may become the authentication mechanism that finally heralds the long-speculated-upon “death of the password.”

So What Next?

For now, we’re in a position of selectively choosing the combination of authentication mechanisms that provide the right level of security and usability for the audience and sensitivity of the content.
The username and password is still dominant as one of the primary authentication mechanisms, thus replacing the need for a new unique username/password combination with technologies like social login is a highly effective way to improve usability. This improvement can be achieved without reducing security, provided the password requirements of the accepted identity providers are in alignment with the security needs of the web or mobile properties using it. And, because most social identity providers already offer two-factor authentication, using these providers automatically offers end users a level of security that they choose to impose on their experience—without introducing additional friction. Then, by introducing step-up authentication when additional security is needed, or risk-based authentication to add assurance to the identity claim, a company can provide a robust authentication experience that maximizes both security and usability. Customer end users ultimately enjoy the benefit of simplified access, as companies reduce risk and liability through improved security.

WORKS CITED

1. Maler, E., & Cser, A. (2013). Market Overview: Employee And Customer Authentication Solutions In 2013, Part 1 Of 2. Forrester Reports. Retrieved from www.forrester.com
2. Online Americans Fatigued by Password Overload Janrain Study Finds | Janrain. (2012, August 23). Retrieved February 23, 2015, from http://janrain.com/about/newsroom/press-releases/online-americans-fatigued-by-password-overload-janrain-study-finds
3. Moscaritolo, A. (2011, August 26). Researchers study actual file used in RSA SecurID breach. Retrieved February 23, 2015, from http://www.scmagazine.com/researchers-study-actual-file-used-in-rsa-securid-breach/article/210612/
4. Kemp, S. (2014, January 9). Social, Digital & Mobile Worldwide in 2014. Retrieved February 23, 2015, from http://wearesocial.net/blog/2014/01/social-digital-mobile-worldwide-2014/
5. Kemp, S. (2014, January 9). Social, Digital & Mobile Worldwide in 2014. Retrieved February 23, 2015, from http://wearesocial.net/blog/2014/01/social-digital-mobile-worldwide-2014/
6. Maler, E., & Cser, A. (2013). Market Overview: Employee And Customer Authentication Solutions In 2013, Part 2 Of 2. Forrester Reports. Retrieved from www.forrester.com

About Janrain

Janrain makes it easy to know your customers and personalize every interaction. Our Customer Identity Management Platform helps companies build a unified view of their customers across all devices by collecting accurate customer profile data to power personalized marketing. The platform encompasses social login, registration, customer profile data storage, customer segments, customer insights, single sign-on, and engagement. Janrain powers customer identity management for brands like Pfizer, Samsung, Whole Foods, Fox News, Philips, Marvel, and Dr Pepper. Founded in 2002, Janrain is based in Portland, Oregon, with offices in London, Paris, and Redwood City, CA. For more information, please visit www.janrain.com and follow @janrain.