Thursday, September 12, 2013

Usable identification - the key to a world without passwords

Consumer devices offer the best vehicle in bringing non-password based authentication mechanisms to the mainstream much the same way social networks have brought identity federation to the masses. It is the best shot we have of eventually killing passwords off for good. If that day comes, passwords will more than likely be replaced by a combination of biometric and token-based mechanisms.

The inevitable rise of wearable computing in addition to the ubiquity of smart phones will result in an abundance of options (compared to a world before smart phones) in available tokens to use as part of the identification dance known as authentication.

Signing on to a site using your social network is not commonly referred to as identity federation; that's what security people call it. But it works because it's usable, although this is at the expense of some security. Social identities help consumers clear the security hurdle to the point where the word "security" doesn't rate a mention during the authentication and/or registration process. Social networks however, still use passwords.

Passwords on their own are insecure. In the absence of other ways to identify ourselves (i.e. multi-factor authentication), a lot of damage can be done to our digital lives that are difficult to recover from. Also, let's not forget about the number of hacks suffered by multiple sites that included leaked passwords. But they remain because the username and password combination is a design pattern we have been trained to understand and accept. Because we have been conditioned this way, passwords are inherently usable. Therein lies the challenge in moving past them.

Good authentication practices have always included multiple factors. In other words, passwords on their own just won't do. In addition to usability, cost is almost always a prohibiting factor. It costs an organisation a lot of money to procure the hardware required to support authentication mechanisms beyond passwords. Wouldn't it be nice if consumers had tokens they could use that were as secure as these expensive ones organisations currently have to buy?

Some organisations have weighed the risks against costs and decided that SMS tokens are good enough to be considered as an acceptable second factor beyond passwords. If you've looked into this, you know SMS messages are not actually that secure. But for a lot of scenarios, they are "good enough" when combined with the primary password. If organisations want to move beyond this however, it gets very expensive.

It took well-known brands with a significant amount of consumer influence (e.g. Facebook, Twitter, LinkedIn) to bring identity federation to the masses. Similarly, it will take at least one well-known brand with a significant amount of consumer influence to fork-lift-point us down the non-password oriented identification path.

In the case of authentication however, there is the cost consideration that was not present in the consumer identity federation equation. How can we put stronger authentication factors in the hands of consumers in a cost effective manner? Ideally, we would make consumers buy these tokens, but who would want to do that just for a bit of extra security and a more disjointed user experience? Enter large, well-known consumer brand with the requisite influence.

Apple, the king of making technology usable is that organisation. Their announcement yesterday of the Touch ID fingerprint sensor on the iPhone 5s is the latest (and loudest) in a recent spate of devices that have the potential in helping achieve the right balance of usability, cost and security at scale. Rich Mogull's article on TidBITS is the best one I've read if you want to understand some of the security aspects.

Beyond Cupertino, there are a few recent developments that will hopefully be caught up in the Apple authentication snowball that is rolling down security mountain:
  • Nymi is a device which wraps around our wrist and uses our unique cardiac rhythm to authenticate and identify us to things around us. There are unknowns around how or if this will actually work, including some more knowledgable about cardiac rhythms than I, who remain sceptical. Dave Kearns however, is a little more enthusiastic, as are most other people on Twitter. I for one, hope it actually works because the potential scenarios are interesting, exciting even.
  • Let's not forget about the impending barrage of smart watch releases over the next year, starting with Samsung's Galaxy Gear. Apple of course, has also been working on the rumoured iWatch. Even car manufacturers like Nissan are clamouring to wrap themselves around our wrists. While smart watches aren't inherently security devices, they are effectively another token that could be used in the authentication process. For example, the fact that a smart watch is mine and is paired with my smart phone (or car in the case of Nissan) at the point of identification (authentication) gives the system identifying me a level of assurance that I am who I claim to be.

As with any new technology, there are potential security implications that need to be analysed and I'm sure this will be done by many when the devices are made available to the general public. But Apple Touch ID, Nymi, smart watch manufacturers and other wearable devices we have yet to hear about have the potential to make security invisible.

Security is the enemy of usability. Studies have shown that when presented with a secure option or an easy option to perform a task, people almost always choose the easy option. The trick is to make the easy option also the secure option. The devices mentioned aim to make our lives better. The fact that they have the potential to make our lives easier while improving security is exciting.

Here's to a future where we don't need passwords, but can stay secure while remaining blissfully ignorant of that fact.

No comments: