Three Ways Authentication Has Evolved Since 1960

An oral history of authentication: the tech community’s efforts to connect computer operations with the people behind them.

When you think “authentication,” what comes to mind? For most security professionals, authentication = passwords, and the many security issues which passwords have created over the years when verifying identity.

Password driven security has always incurred a bad reputation. This is primarily due to the human element of the equation. 50% of IT professionals and 39% of individual users reuse passwords across workplace accounts; 50% of users (IT and non-IT) share passwords with colleagues; and 60% of individuals and 64% of IT professionals do not use two-factor authentication to protect their personal accounts.[1]

Today, authentication stretches far beyond the password, however: it is the entire concept of verifying who the user is behind any computer/cryptographic operation — and it is evolved as fast computers themselves have over the past 60 years. In this post, I wanted to review and put more color to the three ways authentication has evolved since the 1960s, and what to expect in 2020 and beyond.

Passwords emerged on the scene in 1961, when Fernando Corbató, a pioneer of CTSS Compatible Time-Sharing System (CTSS), to protect user files on a time-sharing system. [2] Those passwords, however, needed to be stored somewhere to validate them against user input — and this introduced its own security risk.

Ph.D. researcher Allan Scherr demonstrated the weakness of password storage in 1962 by gaining access to the shared user file and printing all of the passwords. (To be fair, he later re-hacked the system in 1966 and gave those passwords back by showing the full password file to all users in the system.[3])

Allan’s not-so-genius share was followed by Bell Labs researcher Robert Morris, who thought he solved the authentication issue in the 1970s by securing the master password file for his then Unix operating system (OS) .[4] This system used a mathematical function which converted a numerical input value into another, (and then delivered a) compressed numerical value.[5] Later functions such as salting, or the addition of random data to the hash, was used to strengthen the protection of password master files.[6]

As password developments continued, cryptographers began working on solutions that would enable secure verification of the data. Ron Rivest, Adi Shamir, and Leonard Adleman introduced the Rivest-Shamir-Adleman (still famously known by its moniker RSA) public-key crypto system in 1977. RSA uses two keys in combination — the public key, and the private key — to verify digital signatures. In fact, digital signatures are still used today as proof of “something you have” (to be discussed in the next section) and were instrumental in the rise of the internet.

Public Key Infrastructure (PKI) made its official public in the mid-90s, 20 years after it was originally developed by British intelligence. With PKI technology, users now had a built-in ecosystem for digital signature authentication — as well as a means for verifying that the digital signature holder is indeed the same user as the signatory. PKI, while believed to be solid at the time from a security standpoint, proved to initiate a cumbersome user experience (UX) due to the need for hardware authentication devices, i.e. smartcards, and the overall complexity of its deployment. [7]

Multi-factor authentication (MFA) commercially emerged as early as 1998 but was not popularized until the rise of the smartphone and device era.[8] MFA which required users to verify their identity using at least two of three factors:

• “Something you know” — e.g. a password, a PIN, a code word, etc.
• “Something you are” — i.e. any biometric scan, e.g. a fingerprint or an iris scan
• “Something you have” — e.g. a hardware token, a smartphone, a digital signature, etc.[9]

MFA is not infallible to security issues due to dependence largely based on the security of the underlying devices holding those three factors. However, it is universally agreed that the introduction of MFA was a step forward in terms of the likelihood of matching operations to the user and reduced the possibility of a straightforward social engineering attack by involving more hurdles to the hacker.

The tech community has strengthened the tools to connect between digital and physical identity — and those tools are more important now than ever. As our device-driven culture and on-the-go society continues to grow, so do the number of Internet-of-Things (IoT) devices. Norton estimates, in their most recent study title; “The Future of IoT: 10 Predictions about the Internet of Things,”, that the IoT device market is expected to balloon to 21 billion by 2025.[10] Meanwhile, while MFA is standard practice, organizations vary in their approaches to its implementation, and this cost can be significant on a business — well over $800K — $3M for the first year alone.[11]

At Unbound, using multi-party computation technology, we’re committed to making secure MFA for everyone, using the latest cryptographic algorithms in the field. Together, we can help companies move into the future of authentication with better security, better efficiency, and better ROI.

It’s not often in life where your work and home worlds collide. For me, they did in researching the different levels of authentication adopted over the years. See, when you leave the world of journalism for a career in tech, you focus on the personification of messages and how they impact your potential customer. Well, the more I read and researched authentication over the decades, the more I began to appreciate what it is Unbound does for customers, and how it affects the human experience in real-time.

As a journalist, I usually treated corporate pitches as philosophical snake oil: a toxic distraction from my mission to deliver the truth, without my own color and perspective, as quickly as possible to as many readers as possible. It’s been almost 5 years since I left this space, yet this is the first time I can appreciate that our “corporate pitch” actually does have the potential to make lives easier on a global scale. Truth be told, I’d love to report on it.

To learn more about Unbound’s next-gen authentication methods, click here.

_____________________________________________________________

[1] “The 2020 State of Password and Authentication Security Behaviors Report.” Ponemon Institute; Yubico. Web. June 18, 2020. https://www.yubico.com/wp-content/uploads/2020/02/Ponemon-Infographic-2020-final.pdf

[2] Nachreiner, Corey. “Digital Authentication: The Past, Present and Uncertain Future of the Keys to Online Identity.” GeekWire, 22 Sept. 2018, www.geekwire.com/2018/digital-authentication-human-beings-history-trust/.

[5] “Cryptography Hash Functions.” Tutorialspoint, Tutorials Point, www.tutorialspoint.com/cryptography/cryptography_hash_functions.htm.

[6] Arias, Dan. “Adding Salt to Hashing: A Better Way to Store Passwords.” Auth0, 3 May 2018, auth0.com/blog/adding-salt-to-hashing-a-better-way-to-store-passwords/.

[8] Blonder, Greg E, et al. Transaction Authorization and Alert System. 13 Jan. 1998.

[9] Stewart, James Michael. “The Three Types of Multi-Factor Authentication(MFA).” The Three Types of Multi-Factor Authentication | Global Knowledge, 26 June 2018, www.globalknowledge.com/us-en/resources/resource-library/articles/the-three-types-of-multi-factor-authentication-mfa/.

[10] Symanovich, Steve. “The Future of IoT: 10 Predictions about the Internet of Things.” Norton, NortonOnline, us.norton.com/internetsecurity-iot-5-predictions-for-the-future-of-iot.html.

[11] Original source: “The Cost of Implementing Multi-Factor Authentication.” 24, 30 Jan. 2006, www.24-7pressrelease.com/press-release/10729/the-cost-of-implementing-multi-factor-authentication#:~:text=Hardware%20tokens%20have%20implementation%20and,distribution%20(%2440%2C000%20to%20%2480%2C000). The number cited in the text is adjusted for inflation from 2006 dollars to 2020 dollars, using the calculator found here: https://www.usinflationcalculator.com/

Originally published at https://www.unboundtech.com on June 29, 2020.