
As society progresses with the influx of new technologies, security needs for individuals and organizations evolve in tandem.

In the past decade, data breaches and password leaks have affected large-scale organizations like Facebook, Home Depot, Equifax, and Yahoo. Additionally, numerous cases of individual identity theft and cybercrime have substantially increased. These instances have emphasized the lack of cybersecurity as one of the most prevalent issues today.

Fortunately, multiple methods to verify electronic authenticity are available, like entering passwords and biometrics. These procedures prevent identity theft and cybercrime from happening. To better understand how digital authentication developed over time, the history of authentication is outlined below.

The History of Authentication

1960s: The Emergence of Passwords

In the 1960s, computers were huge, unreasonably expensive devices that were only accessible to a few organizations and universities. These institutions would have one computer available to cater to a large group, which led to a great demand for these devices.

The Massachusetts Institute of Technology (MIT) was a privileged university with one computer shared by students and teachers through a program called the Compatible Time-Sharing System (CTSS).

In 1961, MIT researcher and professor Fernando Corbató created passwords to protect the files from being accessed by anybody in the time-sharing system.

In 1966, another researcher, Allan Scherr, created a bug to disrupt the CTSS and displayed all the passwords to all the logged-in users, forcing everyone to put the passwords into their own hands. Scherr wanted more time to use the computer, and this greed possibly prompted him to be the first “hacker” in history.

Despite the breakthrough, the emergence of passwords still posed several problems that needed to be solved to ensure tighter security. Since it’s risky to store passwords in plaintext, cryptographer Robert Morris developed a password encryption scheme that determined hashes of passwords for user authentication.

The encryption scheme had a key derivation function that computes a secret value that is easy to calculate in one direction but very difficult to reverse in the other direction.
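The idea of storing a one-way hash instead of the plaintext password, shown as an added example that is not part of the original article and is not the original scheme: it uses PBKDF2-HMAC-SHA256 from Python's standard library as the one-way function, and the record format, function names and default iteration count are assumptions of this sketch.

```python
import hashlib
import hmac
import os

SCHEME = "pbkdf2_sha256"  # label stored with each record (assumed format)


def hash_password(password, iterations=600_000, salt=None):
    """Return 'scheme$iterations$salt_hex$hash_hex' to store in place of the password."""
    # A fresh random salt per user makes identical passwords hash differently.
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash from the login attempt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, hash_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record: fail closed
    if scheme != SCHEME or rounds < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored, iterations=600_000):
    """True when a record uses a weaker cost than the current policy,
    so it can be upgraded the next time the user logs in successfully."""
    parts = stored.split("$")
    return len(parts) != 4 or not parts[1].isdigit() or int(parts[1]) < iterations
```

The server only ever keeps the returned record, so a leaked database exposes salts and hashes rather than the passwords themselves.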

1970s: Asymmetric Cryptography

Asymmetric cryptography involves two keys: a public one to share your identity with everyone and a private one to sign things, which would confirm your identity. You would have to use a digital certification with your private key to verify your identity, which is a factor of online authentication.

It was further enhanced in secret by a United Kingdom government employee named James Ellis in 1970, but it wasn’t fully realized. In 1973, a co-worker of Ellis, Clifford Cocks, developed the Rivest-Shamir-Adleman (RSA) encryption algorithm, and Malcolm J. Williamson finished it with the Diffie-Hellman key exchange.

1980s: The Emergence of One-Time Passwords

With the advancement of technology, researchers and hackers found methods to abuse this development. People constantly looked for tighter authentication security measures since attackers can easily guess, steal, or intercept a normal and persistent password.

Enter one-time passwords (OTPs). With an OTP, a user enters an entirely different password every time they log in to an account. However, two main challenges presented themselves in OTP systems:

1. How will you algorithmically create new passwords that the central system validates without outsiders predicting it?

2. How will you get these passwords to the users?

In 1984, Security Dynamics Technologies, Inc., an enterprise network and security solutions provider, solved these challenges. They patented a methodology using a special hardware device and a time-based method. As time passed, S/Key, OTPW, OAuth, and two- or multi-factor authentication (2FA and MFA) were also born.
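One public answer to the first challenge, added here as an example that is not from the original article and is not the patented 1984 method: the time-based OTP algorithm standardized in RFC 6238 (built on RFC 4226), where the device and the server share a secret and both derive the code from the current time. The `verify_totp` helper, its drift window and its replay check are assumptions of this sketch; the secret is the RFC's published test key.

```python
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over an 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte picks a 4-byte slice
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at, step=30, digits=6):
    """RFC 6238: the counter is the number of time steps since the Unix epoch."""
    return hotp(secret, int(at) // step, digits)


def verify_totp(secret, submitted, at, step=30, digits=6, window=1, last_counter=-1):
    """Return the matched time-step counter, or None if the code is rejected.

    window      accepts codes from neighbouring steps to tolerate clock drift.
    last_counter is the step of the last accepted code; anything at or before
                it is refused, so an intercepted code cannot be replayed.
    """
    now = int(at) // step
    matched = None
    for counter in range(max(0, now - window), now + window + 1):
        if counter <= last_counter:
            continue
        expected = hotp(secret, counter, digits)
        # Constant-time comparison; no early exit on the first match.
        if hmac.compare_digest(expected.encode(), submitted.encode()):
            matched = counter
    return matched


# Test key published in RFC 4226 / RFC 6238 (not a real credential).
RFC_SECRET = b"12345678901234567890"
```

Without the shared secret an outsider cannot predict the next code, and the server stores the returned counter as `last_counter` so each code is accepted only once.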

1990s: Public Key Infrastructure (PKI)

By this time, asymmetric cryptography was already made public and standardized even further through public key infrastructure (PKI). A major reason for standardization was the emergence of the internet. People and organizations have established their online presence, which also resulted in the availability of sensitive information.

The official PKI structure was spread out to define how to create, store, and distribute digital certification. PKIs include the following:

  • Certificate authority (CA): Issuer of digital certificates (with signing)
  • Registration authority (RA): Verifier of identities that request digital certification
  • Central directory: Storage of keys
  • Certificate management system: Structure for operations like accessing certifications
  • Certificate policy: Statement of PKI requirements

2000s: Multi-Factor Authentication (MFA) and Single Sign-On (SSO)

By the 2000s, MFA gained serious interest and widespread adoption among individuals and organizations. It combines multiple types of authentication methods to verify identities. OTPs to users’ phone numbers or magic links were also used as a form of MFA.

Another major development in digital authentication during the 2000s was single sign-on (SSO) authentication. The initial idea was that users couldn’t be trusted with their passwords since they’re often not secure, used in multiple locations, and frequently forgotten.

SSO employs a trusted third party that verifies users’ identities so that individual sites don’t have to prove every set of credentials. When you log on to a website, the site checks if an SSO provider has already authenticated you to give you access. If not, you’ll be prompted to log in.

2010s: Mainstream Adoption of Biometric Technology

Passwords were still the most common digital authentication even during the 2010s. However, they were often mishandled by humans, resulting in database leaks. MFA tried to solve this problem, but the technologies and alternatives were too expensive or complex.

Enter the period of biometrics and 2FA. Biometrics uses biological traits, like fingerprints or face shapes, to authenticate users. These authentication factors reached the masses thanks to smartphones. It was in 2011 that a fingerprint scanner was added to the Motorola ATRIX Android smartphone.

Six years later, Apple developed a Face ID feature for their iPhone. It works by scanning the individual’s face with 30,000 infrared dots. Generally, biometric authentication is considered to be very secure since people can’t easily replicate biological features.

The Future of Authentication and Security: 5 Trends and Predictions

1. Integration of artificial intelligence (AI) and machine learning into authentication systems

AI has proven more capable than humans in noticing and facilitating domains that need attention. It pinpoints locations of possible security breaches, analyzes them, and actively protects user identities.

2. Passwordless authentication will continuously gain traction

Organizations are aware of the limitations of traditional passwords and are migrating to passwordless authentication to provide a frictionless experience without compromising security.

Here, platforms send users a one-time link or code to access the site where they authenticate, or their identity is verified using a biometric trait like a facial scan or a fingerprint. This modern authentication method is used in various cases like customer payment authentication, mobile banking, wire transfers, and push notifications.

3. Multiple and contextualized authentications

While a password is still essential in protecting your identity, it’s better to increase the layers of security to protect yourself and your organization from online attackers. The same goes for biometrics.

The most likely solution for this is MFA with at least two of these elements: a knowledge factor (password), a possession factor (a push notification to authorize authentication or a Yubikey-type security key), and an inherent factor (biometrics).

An example of this multi-factor authentication feature is the Nymi band, which combines biometrics, heart rate detection, and Evidian Enterprise Access Management solution to authenticate and confirm your identity.

4. User and entity behavior analytics (UEBA) will further authenticate users in a low-friction manner

UEBA is a cybersecurity process that monitors and responds to suspicious behavior across the network. Any activity by humans and non-humans is studied using machine learning, algorithms, and statistical analysis, whether in the cloud, on mobile devices, on premises, or on endpoints.

In other words, UEBA measures and determines normal behaviors in the network, which allows it to detect abnormal behaviors and prompt a response accordingly. The concept is like how credit card companies monitor spending patterns in a credit card user and detect suspicious or fraudulent activity.

5. Blockchain will play an increasing role in authentication

This distributed ledger technology (DLT) records data and stores it securely. Information is stored in blocks linked together in chronological order with cryptographic hashes, so it’s almost impossible for anyone to compromise data within the blockchain system once it has been recorded.
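How linking blocks with cryptographic hashes makes changes detectable, as an added example that is not from the original article: a minimal hash chain over constructed authentication events, without the distributed consensus a real blockchain adds. All function names and the sample records are assumptions of this sketch.

```python
import hashlib
import json

GENESIS = "0" * 64  # placeholder "previous hash" for the first block


def block_hash(index, prev_hash, data):
    """SHA-256 over a canonical encoding of the block's contents."""
    payload = json.dumps({"index": index, "prev": prev_hash, "data": data},
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def append_block(chain, data):
    """Link a new record to the current head of the chain."""
    prev = chain[-1]["hash"] if chain else GENESIS
    block = {"index": len(chain), "prev": prev, "data": data}
    block["hash"] = block_hash(block["index"], prev, data)
    chain.append(block)
    return block


def first_invalid(chain):
    """Return the index of the first block that fails verification, else None."""
    prev = GENESIS
    for i, block in enumerate(chain):
        expected = block_hash(i, prev, block["data"])
        if block["index"] != i or block["prev"] != prev or block["hash"] != expected:
            return i
        prev = block["hash"]
    return None


def matches_anchor(chain, trusted_head):
    """A fully rewritten chain is self-consistent; only a head hash kept
    outside the writer's reach exposes it."""
    return bool(chain) and first_invalid(chain) is None and chain[-1]["hash"] == trusted_head


def build_chain(events):
    chain = []
    for event in events:
        append_block(chain, event)
    return chain


# Constructed sample records (not real data).
SAMPLE_EVENTS = [
    {"user": "alice", "event": "login_ok"},
    {"user": "bob", "event": "login_failed"},
    {"user": "alice", "event": "mfa_enrolled"},
]
```

Editing one record breaks its own hash, and recomputing that hash breaks the link in the next block; the integrity guarantee ultimately rests on other parties holding a copy of the head hash.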

Blockchain is already used to track relevant information and pinpoint whoever is compromising data in financial institutions, supply chains, healthcare shipments, cybersecurity, and personal identities. It will likely continue being utilized in the future.

Better Authentication, Better Protection

From the humble beginnings of how people stored passwords to modern biometric scans—the history of authentication proves that this technology will continue to evolve. Over the years, expect new authentication modes to better protect individuals and organizations from various threats.

You must choose a reliable cybersecurity management service to improve your company’s security infrastructure. Digital authentication isn’t simply app-based or password-focused anymore, and it would be an advantage if you familiarize yourself with cybersecurity trends and developments to get a head start. Interested? Contact Q5id today to learn more.
