The Password is Dead community and organisations such as FIDO are coming up with far better ways of authenticating electronically than the password, particularly when the level of trust required to transact is not particularly high.
Passwords, however, are inherently risky. They are easily guessed, recovered by brute force, coerced out of their owners, or exposed through any number of other failures. The risk of using them as your only mechanism for establishing identity now far outweighs the cost of using something better.
The challenge is how to establish systems that seem natural and that remove the risk. They must seem natural, because to many senior decision makers passwords seem natural: they were enough when those people were entering the workforce. Death by Password – having to create a new account just to look at content on each website you visit – is still a major issue, and using social media authentication does seem to be a natural fix. If you are looking at B2C directory and Single Sign On solutions for your customers, registration against a social media account is well worth looking at. A step-up factor can always involve some shared secret, such as an invoice number or an out-of-band code generated by a third-party app (like Google Authenticator or Microsoft Azure Authenticator).
Everyday life is full of transactions, whereby an entity trades services and goods with you, or allows you entry. In order to establish trust that the transaction is in good faith, it is necessary to authenticate the identity of the parties before the transaction is authorised to occur.
This may sound like a fairly inhuman way to describe our lives, however even the most cursory view of daily life will show this to be true. The mechanism which does the authentication usually matches the level of risk involved in the transaction.
Just looking at my day today:
- I went to the local corner store today to buy drinks – in order to obtain these goods I transferred money electronically to the retailer by using my credit card in their EFTPOS machine. The person behind the counter didn’t care who I was, only that I was able to prove my identity to the bank sufficiently to transfer him funds. For the bank, just possession of the card is enough for a transaction of that value – I was able to use PayPass.
- I had to get back into my apartment – this is done with a series of proximity devices and a good old fashioned key. Again, just possession of these devices and the knowledge of where they were to be used suffices.
- This afternoon I needed to get to Brisbane Airport as I am about to embark on a multi-leg business trip. In order to get there, I used an application on my phone to order transport from home to the airport. As I had already set up this application, I only needed to prove to my phone that I should be authorised to use it. On this phone, that is done with the fingerprint scanner.
- Once at the airport, to check in to my flight, I needed to prove my identity to the desk. This time, I used my driver's licence, which has a picture on it. This is just a domestic flight, so they are more concerned about luggage, which gets whisked off and likely x-rayed before being sorted (and hopefully not lost!). In a couple of days I’ll need my passport as I head to New Zealand. The very pleasant check-in assistant gives me a ticket, and I then use that to enter the airport lounge.
- In order to log in to the system used to draft this content, I must first sign into my laptop, by using a 6 digit PIN (it’s a Windows 10 Enterprise device joined to our corporate Azure AD), then allow this CMS to log me in using our Single Sign On solution.
This doesn’t include the countless times I unlocked my phone to see if anyone had messaged me or sent e-mails. That always uses the fingerprint scanner.
In all of this, the only thing remotely approaching a password is the PIN for accessing the notebook. There are many reasons why this isn’t actually a password: it grants access to the device, which is associated with an account. You need to be physically present to use it, whereas the password to the account could be used from anywhere. When registering the device, you are establishing trust that it is actually you; at some future point the device may become compromised, and so your password could become compromised too. It is far better to simply distrust that device and stop it from performing the transactions that your Microsoft or Azure AD account authorises you for.
This does seem like a lot of different devices and things you have to know just to continually establish your identity so you can perform mundane tasks. I accept these because they now seem natural in a way that passwords do not. People are inherently no good at remembering things – particularly not unique passwords to hundreds of different systems, most of which you do not transact with regularly. I know I’m not good at remembering detail like this.
Adaptive Access Control is a fast-maturing field, originally only the domain of banks (see why SMS is not a good mechanism for authenticating financial transactions; indeed my bank can now use the fingerprint scanner on the phone to give me access to mobile banking).
Internal users in the enterprise seem to be the space moving the slowest towards killing the password. Windows 10 seems to be a step in the right direction, but as some organisations are only just moving to Windows 7, it could be decades before using a first factor other than a password for enterprise authentication is a reality. By the time it happens, younger people may have already forgotten what a password is!
If you are looking at multi-factor authentication, there are a number of considerations. Standard protocols, risk-based access control, cost and the value of what is being protected should all be weighed, and you should ensure you only procure applications that support these modern protocols.