The future of online authentication
Recently, Twitter has introduced 2-factor authentication – the latest in a long list of large-scale web services that have taken this step including Google, Microsoft and Dropbox. Why have these organizations all added complexity to their login experiences? Because the current state of online authentication isn’t meeting the needs of either businesses or consumers.
The industry has reached a point where we need to confront a legacy of 50 years of computing – the username/password problem. We’ve lived with this problem until now because it is the lowest common denominator: everyone understands how it works. However, it hasn’t scaled to meet the growing demands of modern computing.
As users, we have a large number of sites that we interact with to pay bills, shop, store our music or photos. All of these sites have different password requirements – multiple characters, secret words, additional dates to remember – it’s no wonder that many of us have given up, re-using passwords across multiple sites or defaulting to simple phrases. In addition to this, our primary tool is increasingly the mobile device with an even worse user experience around complex passwords.
The problem with password re-use has therefore become a major business issue. If I use the same credential across multiple sites, then no matter how much money and resources a company invests in their own information security, it is only as good as the other sites that share that password.
This problem has been exacerbated by the huge number of large password databases that have been hacked over the last 18 months – we’ve seen Yahoo, LinkedIn, Evernote and many others suffer at the hands of hackers, and academic research has shown that more than 76% of the passwords found in these large databases are shared between them. The hackers know this and can exploit these common passwords, resulting in data breaches for businesses and the potential for identity fraud for consumers.
When speaking with various relying parties, I have heard quite a bit of anecdotal feedback about the situation. Current authentication systems assume that the mobile device can be used as a second factor (as we see with Twitter/Dropbox/etc.); the problem is that this doesn’t reflect the use cases seen by backend systems. The consumer wants to use their mobile device as the primary device; therefore we need native capabilities on the device to make this simple. Increasingly this looks to be biometrics, i.e. voice/facial recognition and, with the next generation of smartphones, probably fingerprint sensors.
Another challenge for relying parties I hear quite often is that they have built sophisticated fraud analytics engines for web-based transactions, but these are based on the capabilities offered by traditional PCs. Mobile devices don’t offer that same capability today, which is another reason why the current mobile app experience in, for example, the banking industry, is often unsatisfactory.
So what’s the answer? There are a large number of alternative technologies that exist in the marketplace including hardware tokens, authenticator apps for smartphones, SMS verification, biometrics and many more. So why have we not seen more widespread use of these technologies? One of the biggest challenges for businesses has been mapping their authentication needs across a diverse user population against the technology available in the marketplace.
If we look at the different options available for companies today, they share many common factors. Typically they offer proprietary approaches to solving the username/password conundrum. Companies have to treat their user population as a single, homogeneous entity if they want to roll out strong authentication, as they have to invest in infrastructure, back-end management tools, client distribution and end-user education for one chosen technology. This approach stifles innovation, as it makes it too costly for companies to roll out newer technologies to better anticipate customer needs.
What’s missing is not another authentication technology, it’s a common infrastructure that allows backend systems to use different solutions based on business risk. This is the problem that the FIDO Alliance is focused on solving by establishing broad industry standards that provide a framework for innovation.
This industry alliance was formally announced back in February with six founding members – Lenovo, Infineon, PayPal, Nok Nok Labs, Agnitio and Validity Sensors. Their ambition is to deliver a standardized authentication protocol which supports different authentication technologies including biometric capabilities such as voice, face and fingerprint recognition, as well as USB tokens, Trusted Platform Modules (TPMs) and traditional One Time Password (OTP) tokens.
The fundamental principle is that relying parties, such as banks or e-commerce sites, should be able to leverage whichever capabilities present on their customers’ chosen devices meet the risk associated with a transaction. This ensures that they are not trapped in a specific authentication “silo,” but are able to be flexible to new customer requirements.
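To make that principle concrete, here is an added example (not code from the FIDO Alliance or any of its members) of the kind of policy a relying party’s back end would apply: each transaction carries a risk tier, each authenticator on the customer’s device is described by a few capability attributes, and the policy picks the authenticators that are good enough for the transaction, or signals that none are. The risk tiers, the capability attributes, the device inventories and the names used (`Risk`, `Authenticator`, `POLICY`, `select_authenticators`) are all assumptions made for the illustration, not FIDO policy language.

```python
"""Risk-based authenticator selection for a relying party (illustrative, not FIDO code)."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Optional, Set, Tuple


class Risk(IntEnum):
    LOW = 1      # e.g. viewing a balance
    MEDIUM = 2   # e.g. changing contact details
    HIGH = 3     # e.g. paying a new payee


@dataclass(frozen=True)
class Authenticator:
    name: str
    factor: str               # "knowledge", "possession" or "inherence"
    hardware_backed: bool     # key material held in a TPM / secure element
    user_verification: bool   # device checks the user (PIN/biometric) before it answers


# Policy tiers are assumptions for this example. Each tier states which factor types
# are acceptable and whether hardware-backed keys and user verification are required.
POLICY: Dict[Risk, Dict[str, object]] = {
    Risk.LOW:    {"factors": {"knowledge", "possession", "inherence"}, "hardware_backed": False, "user_verification": False},
    Risk.MEDIUM: {"factors": {"possession", "inherence"},              "hardware_backed": False, "user_verification": False},
    Risk.HIGH:   {"factors": {"possession", "inherence"},              "hardware_backed": True,  "user_verification": True},
}


def acceptable(auth: Authenticator, risk: Risk) -> bool:
    """True if `auth` satisfies every requirement of the policy tier for `risk`."""
    req = POLICY[risk]
    factors: Set[str] = req["factors"]  # type: ignore[assignment]
    if auth.factor not in factors:
        return False
    if req["hardware_backed"] and not auth.hardware_backed:
        return False
    if req["user_verification"] and not auth.user_verification:
        return False
    return True


def strength(auth: Authenticator) -> int:
    """Crude ordering used only to prefer the strongest acceptable option (assumed weights)."""
    return 2 * auth.hardware_backed + auth.user_verification + (auth.factor != "knowledge")


def select_authenticators(device: List[Authenticator], risk: Risk) -> List[str]:
    """Names of the authenticators on `device` that satisfy `risk`, strongest first.
    An empty list means the relying party must step up out of band or deny."""
    ok = [a for a in device if acceptable(a, risk)]
    ok.sort(key=strength, reverse=True)  # stable: equal-strength items keep device order
    return [a.name for a in ok]


def decide(device: List[Authenticator], risk: Risk) -> Tuple[str, Optional[str]]:
    """("allow", chosen authenticator) or ("step_up", None) when nothing on the device qualifies."""
    choices = select_authenticators(device, risk)
    return ("allow", choices[0]) if choices else ("step_up", None)


# Constructed device inventories for the example.
PASSWORD = Authenticator("password", "knowledge", False, False)
SMS_OTP = Authenticator("sms-otp", "possession", False, False)
FINGERPRINT = Authenticator("fingerprint", "inherence", True, True)   # sensor + key in secure hardware
TPM_KEY = Authenticator("tpm-key", "possession", True, False)        # silent device key, no user check
USB_TOKEN = Authenticator("usb-token", "possession", True, True)      # PIN-protected hardware token

OLD_PHONE = [PASSWORD, SMS_OTP]
NEW_PHONE = [PASSWORD, SMS_OTP, FINGERPRINT]
LAPTOP = [PASSWORD, TPM_KEY, USB_TOKEN]

if __name__ == "__main__":
    for label, device in (("old phone", OLD_PHONE), ("new phone", NEW_PHONE), ("laptop", LAPTOP)):
        for risk in Risk:
            print(f"{label:9} {risk.name:6} -> {decide(device, risk)}")
```

The point the example makes is the one in the paragraph above: the same back-end policy serves a customer on an old phone (password plus SMS is enough for low and medium risk, but a high-risk payment has to be stepped up), a customer on a newer phone whose fingerprint sensor and hardware-held key qualify it for the high tier, and a laptop whose silent TPM key is fine for medium risk but is outranked by the PIN-protected USB token when user verification is required. Adding a new authenticator type means adding one `Authenticator` description, not rebuilding the policy.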
Since the launch of the FIDO Alliance, we have seen significant momentum in the marketplace. Google, NXP and CrucialTec have joined as board members, and the overall membership has more than doubled with significant representation from device manufacturers and authentication vendors. This growth is noteworthy as it shows the demand for a standards-based approach to solving modern authentication challenges.