The State of Authentication Trends in 2022 – What You Need To Know

The State of Authentication Trends in 2022 – What You Need To Know

a person typing on a laptop with one hand and holding a smartphone in the other - the state of authentication in 2022 - what you need to know

In today’s digital society, we place a remarkable amount of sensitive personal data in the hands of digital service providers. From credit card details to our home address, we entrust valuable data to companies, websites and apps that reassure us they’ll keep it safe. But how do they do so? What are the key user authentication trends in 2022? 

In this article, we examine contemporary authentication trends, look at where digital security is headed and ask what impact changes in authentication methods could have on businesses.

A clear move away from passwords

Businesses and service providers recognise that digital security is a big deal. One security breach can cause irreparable damage to an organisation’s reputation.

Despite this, 55% of organisations rely on passwords as their primary authentication method (HYPR). When you consider the fact that 81% of all cyber-attacks are due to stolen or weak passwords (Verizon), it’s clear that there’s still a lot of work to be done. 

However, there are moves towards more secure authentication methods. A recent HYPR report suggests that the COVID pandemic and the resulting switch to remote work is driving passwordless authentication. 86% of companies that completed the survey reported that remote work is their number one passwordless use case. Significantly, Apple, Microsoft and Google announced on World Password Day that they are all committed to implementing passwordless authentication across all of their mobile, desktop, and browser platforms (SpiceWorks).

The future is passwordless

Passwordless authentication works by replacing passwords with a range of other security measures. These are known as factors and fit into three groups:

  1. Knowledge Factors (something you know)

2. Possession Factors (something you own)

3. Biometric Factors (something you are).

The first is pretty simple. It’s a shared secret like a password or code. Let’s look at the other two factors in greater detail. 

  • Possession factors – this measure utilises something that belongs to the user as a second security layer. It could be a hardware token or a mobile phone. For instance, a user might generate a One Time Password using a specific app or receive one via SMS. The latter is becoming increasingly popular, with Apple and Google both now supporting SMS verification via dedicated tools. 
  • Biometrics – these are physical or behavioural traits that authenticate user identity. Fingerprints, retina scans, voice pattern and facial recognition are all physical biometrics used in passwordless authentication. Behavioural traits include the pressure applied when typing, how people hold their phones, user location and purchasing history.

Biometrics are remarkably secure. It’s extremely difficult for anyone to mimic another user’s unique biometric signatures. However, that doesn’t mean biometric authentication is 100% secure. The passwordless push is also benefiting from the emergence of the FIDO Alliance – an open industry alliance that develops passwordless technology based on public key cryptography and is defining passwordless security standards.

Multi-Factor Authentication must be implemented intelligently

several laptops and smartphones on a desk being used for work - multi-factor authentication must be implemented intelligently

Multi-Factor Authentication (MFA) has been touted as the authentication process of the future. By requiring the user to identify themselves via several different processes, MFA adds extra layers of security. This ensures that accounts are not compromised by the theft of a single piece of identifying information.

However, an increasing number of experts are concluding that traditional MFA – that is MFA that relies on passwords – is not sufficiently secure. Just because there are now two security factors does not mean hackers can’t steal both.

Some MFA solutions utilise biometrics to unlock the user’s password, which is then used to authenticate the user. This “MFA Lite” – authentication doesn’t really make the most of multiple factors. Ultimately, the password is still all that’s required to gain access to the account, leaving it vulnerable to brute force attacks.

Consequently, the best solution is Passwordless MFA – an authentication process that utilises several security factors to prevent your account from being compromised should one factor fail. For many organisations, Passwordless MFA is the ultimate goal. However, cost and other implementation challenges mean many organisations are taking a more achievable step-by-step approach that moves them closer and closer to their ideal solution.

Envisioning authentication improvements as a journey

For those organisations that are taking a more step-by-step approach, adaptive MFA is proving a popular bridge between password-based authentication and passwordless MFA. Adaptive MFA is an AI-powered security approach that adjusts the number and nature of factors depending on the user’s behaviour.

For instance, if a user regularly logs in to their account on weekday mornings from the same location, the AI will recognise the pattern and attribute the login attempt a low-risk score. If a user attempts to login on a Saturday afternoon, the AI recognises this as unusual behaviour and introduces an additional factor – an SMS code, for instance. If the AI identifies a serious departure from typical behaviour – such as a login attempt from a country a user has never visited – it may block the account entirely.

Social Login is a potential alternative

smartohone homescreen showing instagram, facebook, and twitter app icons - social login is a potential alternative

Social Login, which also goes by the name OAuth, is an authentication process that uses the login details from one of your social network profiles to access third-party websites. That means you can use your Google, Facebook or Twitter login for authentication purposes on sites that have nothing to do with the original provider.

The big advantage of this method is a streamlined sign-up process. Users who would not usually go through lengthy registration processes are more likely to sign up if they can use existing logins. However, Social Login still suffers from concerns over password vulnerability and there are notable privacy issues. 

Apple has also picked up on this trend for consolidating multiple logins under a single authentication process. Its technology is called Single Sign-On (SSO). With SSO, the user authenticates their identity when they begin using the service but does not have to do so in the future. Instead, the system generates a token during that initial authentication process, which is then used in place of the password to authenticate the user.

SSO is more secure than traditional password-based authentication and ensures a seamless customer experience. On the other hand, SSO failure can mean users are locked out of all their accounts and, again, the use of a single password at the root of the process presents a security risk.

In contrast, Google has its Smart Lock system. This is designed to streamline login for individuals that use several Google products or who run Chrome. Devices can be set up to open without authentication when connected to other devices (when you open your phone while wearing a smartwatch, for instance) and Chrome can store credentials for instant access to certain apps.

Account recovery is recognised as a weakness

Another key trend in authentication is the recognition that many account recovery methods pose a significant security risk and require an overhaul. Traditionally, account recovery relied on email or telephony recovery. Neither of which are particularly secure. With the right information, both can be bypassed relatively easily. 

As a result, we’re seeing a growing number of organisations move to account recovery via official government ID. Facebook includes this as a recovery option, along with several other organisations. Of course, official government IDs are not entirely foolproof, so care still needs to be taken.

Account recovery methods should be as secure as your authentication process. If not, they represent a significant weakness in your security system. At the same time, recovery needs to be user-friendly. There is no point in implementing a recovery method that none of your users can comply with. That will only frustrate and push up customer service costs for your organisation.

Passwordless authentication isn’t just about security

Young woman helping senior man with payment on Internet using laptop - passwordless authentication isn't just about security

As businesses become increasingly comfortable operating in the digital sphere and focus more on the customer experience, every aspect of the customer journey comes in for close inspection.

In 2022, organisations are realising that authentication isn’t solely a security issue but also both a UX concern and a cost and productivity issue.

For instance, authentication processes that take the user out of an app to complete login on another site or service are now rightly regarded as a threat to the onboarding process. This approach is disjointed and cumbersome. Though it may be secure, it most certainly isn’t an example of great UX.

Passwords are difficult to remember, more complicated to reset (rightly so!) and time-consuming for organisations’ customer service departments. Research also shows that passwords have a significant impact on productivity. In a recent survey, 63% of respondents said they had been unable to access work-critical information due to a forgotten password (HYPR).

What next?

It’s great to see so many more organisations taking digital security seriously and looking for ways to mitigate weaknesses in their authentication methods. Throughout 2022, we expect to see a gradual shift towards more secure authentication, with Adaptive MFA, biometrics and Passwordless MFA all becoming more common. Though these approaches are undoubtedly more secure than credential-based authentication, organisations still need to implement them intelligently if they’re to have the desired effect. 

Taking a bigger step back and looking further into the future, there are suggestions that data security and privacy may form the foundations of new internet architectures. Tim Burners-Lee’s Web3 concept is an excellent example. It aims to return data ownership to users via a decentralised architecture that enables users to store data in different pods. These pods can be hosted wherever the user chooses and allows them to dictate which applications can access their pods and who they share their data with. 

As in previous periods of seismic technological and economic change, this is a radical attempt to redistribute resources from the minority (Big Tech) to the majority (Users). Except this time, the resource isn’t land, capital or the means of production but data. As before, those organisations with a vested interest in protecting the current internet architecture will not lie down and let it happen.

With cyber criminals deploying increasingly sophisticated threats and technology, we’re hoping that the growing awareness surrounding authentication results in a significant shift in the way users and organisations approach digital security. Fortunately, it appears as though digital security is now at the forefront of developers, users and businesses’ minds.

More from our blog