Logging on to a website is a process that many would not give a second thought. However, with 28 billion credential stuffing attempts made in the last half of 2018, according to Akamai, ensuring that those logging into websites and applications are who they say they are is more important than ever.
One company attempting to ensure that every person who logs into a system is properly authenticated is Auth0. Offering authentication-as-a-service to its customers, the company has risen through the ranks, achieving unicorn status earlier this year after reaching a valuation of over $1bn.
According to TechCrunch, the company provides authentication for “single sign-on, multi-factor authentication and passwordless logins”, including logins for Internet of Things devices, claiming to reduce the chance of costly and damaging data breaches.
Verdict spoke to Auth0 CEO Eugenio Pace about the technology behind the seemingly simple login process, and how the means by which we log in is changing.
The business of authentication
Claiming to “authenticate and authorise apps and APIs with any identity provider running on any stack any device or cloud”, Auth0 provides developers with code that can be easily added into applications.
Managing 83 million logins every day from over 7000 clients including Mozilla, The Economist, Jet Airways and PBS, Auth0 claims to solve the “most complex and large-scale identity use cases”.
Pace explains that although the company’s central aim may be simple, ensuring that this process is secure is more complex:
“Anything to authenticate the user and to authorise users into application. That’s what we do — we provide infrastructure for that to happen… Are you a legitimate user? Are you who you say you are? And second, what can you do with your business application?”
“It’s one of those things that are on the surface, it looks like it’s really simple. If you look at a login screen, and you see two text boxes, where you enter your username and password, in some cases, you might log in with, let’s say, one of your social network, too, right? How difficult could that be as it’s only two text boxes and a button. There’s not much to it. But it’s similar to what happens when you have a power socket in the wall…Behind the scenes is a lot of technology that needs to be aligned for it to be secure.”
Security is key
Aside from providing the infrastructure for users to log in to an application, the company’s key concern is ensuring bad actors are not granted unauthorised access.
According to Pace, on some days around a third of the login activity they process is fraudulent, and considering the company processes more than 2.5 billion logins every month, this is a significant proportion of activity.
He explains how Auth0 detects when suspicious activity may be afoot:
The State of Technology This Week
“Perhaps the simplest method of detection, is detecting when somebody is trying different combinations of usernames and passwords. So if I can guess your email, or if I know your email, then what I can do is I can go to a website, type your email, which is semi-public information, and then try combinations of common things that people use [as passwords]. You would be surprised how many common words people use for passwords.
“If we see somebody repeatedly trying, it’s called a dictionary attack. It is like trying one after the other with the same email from the same computer. That’s what we call a brute force attack. If we see the pattern, we send an alarm. We don’t necessarily block it, but we might send an email to the administrator and say, Hey, somebody is trying to do this, maybe block it for one hour.”
However, as the methods being deployed by attackers grow increasingly more sophisticated, so do the methods needed to stop them:
“There’s also very sophisticated forms of attacks, attacks that are happening on a distributed network. So you can have hundreds of computers, and they have lists of passwords, trying to get in from different locations. We detect that too.”
“So we can detect a variety of circumstances like contextual information, location, IP addresses, frequency, emails, breached credentials that we know, the fact that you are changing devices often…all that context constitutes a score of risk.”
With phishing now the most common type of cyberattack, Auth0 also focuses its security efforts on ensuring that login pages are not faked:
“When you host the login screen with us, one of the features that we have is the custom domain names…When you login to a website the company owns the domain. It’s difficult to pretend to be somebody else. It’s difficult to change names because one of the validations we make is are you the owner of the domain?”
“Eventually passwords will not exist anymore”
However, the process for logging into applications is changing. With biometrics on the rise, many are predicting that passwords may reach obsolescence in the near future. Pace explains how the company is preparing for a future without passwords:
“Biometrics today are mainstream… eventually passwords will not exist anymore. Because they are an obsolete form of authentication. Our opinion is that passwords will not survive maybe a couple of iterations of technology. But different companies move at different speeds, so it will take some time for [passwords] to fade out of our normal.
“The two questions fundamentally remain the same. Are you a user? And what can you do? Those two questions are the questions that we answer. The mechanism to answer those questions change over time, before it was passwords. Now it’s faces, in the future, maybe something else, maybe devices that you’re plugging into your computer, who knows? We support 10s of methods of authentication.
Looking to the future, Pace believes that the focus of authentication will not just be on biometrics, but will increasingly look at balancing security with usability through what he refers to as “continuous authentication”.
According to Okta, in continuous authentication, applications continually monitors an ‘authentication score’, measuring how sure it is that the account owner is the same as the person using the device, allowing certain actions to be performed or denied based on this score.
Pace explains how Auth0 has adopted this into their authentication process:
“For every login, we are able to essentially come up with a number between zero and one, we’re one is complete certainty that it’s you, and zero is it’s definitely not you, and anywhere in between. And what changes that number is all the things that I mentioned, location frequency, the last time you enter successfully device that you’re using, what you do with that number is up to you as a developer of the application.”
“We provide a tool that allows [clients] to define the rules and say, if somebody wants to make a payment, and they’re below 0.8, challenge the user with a second factor of identification. so you might enter username and password, your score was 0.6, but you’re trying to pay now, the system will send back to us and say, bring the score up to over a point date. So we might go and send you an SMS and say yes, this is my phone, my SMS. Now your score increases, because you proved with to those who you are.”
He believes that is enables greater usability while not compromising on security:
“So traditionally authentication or security and user experience have always been at odds. If I really want to be super secure, I can ask for your username and password every time, which is an annoyance, but it’s very secure. So this trade off between a lot of usability, better usability would be to never ask for a login, but that’s very insecure. So with continuous authentication, what we’re trying is to maximise those two things. Being secure for the things that are required, but also being adaptive to the type of interaction that you are having. So if you are browsing a e-commerce site, [the website] can tell you you bought this piece of furniture, you might want to buy this other piece of furniture. So knowing that it’s you allows me to tailor my experience to you. But there’s no risk in that transaction. But if I am paying, it’s a high-risk transaction, it’s okay to be bothered a little bit more to make sure that it’s you.”
As internet of things devices become increasingly part of our everyday lives, this need for flexibility will only increase, and Auth0 is preparing for that:
“A trend that I think is becoming more and more prevalent is that we really want to be surrounded by smart things. So we have phones, we have TVs, we have music devices that interact with us. And so the world of authentication becomes more complicated…All these things are built by different companies, but it’s me at the centre. So all these devices need to know that it’s me. So it’s becoming a more complicated interconnected world of things that you’re interacting with. Transferring the knowledge of who you are is going to be more and more complicated.”
Multiple factor authentication
However, regardless of the method by which users log in, advice for ensuring that accounts remain secure remains the same. With the age-old advice of not reusing passwords still going unheeded by many, Pace champions the use of multiple factor authentication:
“If you’re an end user, my very first recommendation is don’t use passwords that you might think are difficult to guess but are not. Use a password manager if it’s available. Never use the same password on different sites, and change your passwords often. And if the systems that you’re interacting with offer multiple factors of authentication, like phone, in addition to your password, turn that on. It takes a few seconds, but it improves the security by ten orders of magnitude.”