Single authentication protocols: pipe dream or not-too-distant future reality?
One of my favourite films is the 1992 crime thriller Sneakers, starring Robert Redford alongside a brilliant cast of A-list actors. The film is about a group of security consultants from various backgrounds who have been tasked with stealing a code-breaking device - an algorithm that can crack any password. The villain of the film, Cosmo, played by the amazing Ben Kingsley, recognises that, thanks to poor passwords, he can change the world and topple economic systems using the algorithm in the device. Funnily enough, Cosmo's own fortress - a toy design business - is protected with voice biometrics.
When security was a really strong door protected by a really big lock.
In 2003, Bill Burr was a mid-level manager at the National Institute of Standards and Technology when he recommended changing your password every 90 days and using a variety of character types, including upper- and lower-case letters. That password complexity model has become the cornerstone for many enterprise-level sites.
Today, most of us have a collection of passwords for a variety of online services and subscriptions, and at times it seems every website requires a slightly different password structure. The result for many, including myself, is a notepad filled with super-secret passwords - which, I suppose, kind of defeats the purpose.
According to Andre Durand, CEO of Ping Identity, the idea of a single point of authentication is becoming a reality. This new authentication reality is largely being driven by today's smartphone makers, and only recently, prompted by changes in legislation globally, has it begun to be more readily adopted by enterprises. I recently attended a media luncheon hosted by Ping Identity, a leader in identity-defined security, and Versent, a provider of technology transformation services to enterprise clients. During the luncheon I heard more about the challenges faced by today's businesses in Australia and abroad, the impact of the Internet of Things, siloed systems and compliance requirements.
Who are you and prove it!
In August of this year we learned that Bill Burr, the man who recommended in 2003 that our passwords needed to be more complicated, had done a complete 180 and had a change of heart on the issue.
Bill now regrets having made those suggestions. If you're wondering why, check out this article by Jonathan O'Callaghan from IFLScience (http://www.iflscience.com/technology/your-password-doesnt-need-to-be-so-complicated/) for a simplified explanation, in which Jonathan outlines the better option for password creation - which I won't get into here - and what led Bill to change his mind.
As mentioned, today's authentication methods are changing rapidly, and Ping is at the forefront of managing consumer security, risk and compliance. Today's smartphones require one of two methods to authenticate you: a passcode or a fingerprint. Many of the apps we use, such as banking, insurance and even some email apps like Microsoft Outlook, give us the option of using a passcode or the fingerprint stored on the device to access them, placing biometric authentication in the spotlight.
For many, the idea of using biometrics to unlock our phones is a frightening concept, and it is often misunderstood by the general public, who ask where stored personal data such as fingerprints and facial scans reside: on a server or on the device itself (server-side versus device-side biometrics).
Durand sees a future where only one point of authentication will be required, breaking down the siloed system we currently experience. Consider that the majority of apps on your smartphone require some form of authentication to access. Each account requires a password, and each password may be different because of the security preferences of the businesses that created the apps. With a single point of authentication that blends device-side and server-side controls, including multi-factor authentication, single sign-on and access security, Ping seeks to simplify security while meeting and exceeding compliance and data governance requirements.
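To make the device-side versus server-side distinction concrete, here is an added example (not Ping's product, nor code from this article) of the device-side model described above: the biometric match happens on the device and only gates the release of a device-bound key that answers a one-time server challenge, so the server never receives or stores a fingerprint. The class names, the HMAC-based device key (a stdlib stand-in for the asymmetric keys real phones use) and the sample template are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed stand-in for a biometric template. On a real phone this is a
# proprietary representation held inside secure hardware; here it is just bytes.
ENROLLED_TEMPLATE = b"constructed-fingerprint-template-0001"


@dataclass
class Device:
    """Device-side model: the template never leaves this object."""
    template: bytes
    # Hypothetical device-bound secret; real designs use a non-exportable key pair.
    device_key: bytes = field(default_factory=lambda: secrets.token_bytes(32))

    def match(self, presented: bytes) -> bool:
        # Local comparison only. Real matchers are fuzzy; this one is exact.
        return hmac.compare_digest(self.template, presented)

    def respond(self, presented: bytes, challenge: bytes) -> Optional[bytes]:
        """Release a challenge response only if the local biometric check passes."""
        if not self.match(presented):
            return None
        return hmac.new(self.device_key, challenge, hashlib.sha256).digest()


@dataclass
class Server:
    """Server side: holds per-user device keys and live nonces, never biometrics."""
    device_keys: Dict[str, bytes] = field(default_factory=dict)
    pending: Dict[str, bytes] = field(default_factory=dict)

    def enroll(self, user: str, device: Device) -> None:
        self.device_keys[user] = device.device_key  # template is NOT registered

    def challenge(self, user: str) -> bytes:
        self.pending[user] = secrets.token_bytes(32)  # fresh nonce per login
        return self.pending[user]

    def verify(self, user: str, response: Optional[bytes]) -> bool:
        nonce = self.pending.pop(user, None)  # single use: a replay finds no nonce
        if nonce is None or response is None or user not in self.device_keys:
            return False
        expected = hmac.new(self.device_keys[user], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def login(server: Server, device: Device, user: str, presented: bytes) -> bool:
    """One round trip: nonce out, response back; no template crosses the wire."""
    return server.verify(user, device.respond(presented, server.challenge(user)))
```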
With Apple having just introduced facial recognition, a new era of authentication has begun. The days of keying in complex passwords and codes are coming to a close. Durand aptly pointed out that 'identity' today is not a business model but rather an enabler, and one for which security players should assume greater liability. Durand sees that changing in the future. With recent security breaches such as those at Equifax and, very recently, Pizza Hut (US), the security players providing the locks could soon be shouldering some of the liability and blame.
What’s to come?
Consumers should expect to see a blending of technologies on both the device and server side of the equation, with face and voice recognition, fingerprint and password all continuing to play a role in authentication. Businesses and organisations need to step up and own authentication, making it a bigger part of their business model rather than just a policy statement. I would predict that security and data protection are going to become a bigger part of the business discussion over the next few years - especially with the new General Data Protection Regulation (GDPR) deadline approaching in the EU.
For now, authentication is arguably a much more transparent part of our interaction with our devices than it was just a few short years ago, and it is going to become even more transparent. That transparency means that the players behind the scenes are going to need to step up their game to ensure protection and compliance.