Authentication + Mobile Phone = Password Killer

Can the smartphone free us from the drudgery of the much-despised password? There's good reason to hope.

Phillip M. Dunkelberger, President & CEO, Nok Nok Labs

November 18, 2013


It is arguably the Internet's most common problem: how to simplify authentication. The much-abused password is still the most prevalent way we identify ourselves -- via mobile devices and otherwise. But it's definitely showing its age.

Passwords were introduced to modern computing nearly 50 years ago. Their initial purpose was to control access to key functions on mainframe computers, and they've remained a constant up through the present day. The reason for this -- surprising as it seems -- is that, at some level, they work.

They are also the lowest common security denominator for the online places we regularly visit. We've all been trained by banks, credit card companies, Internet service providers, and social media sites to construct passwords or phrases of varying levels of complexity, often accompanied by additional questions to verify our memorable dates, secret words, mother's dog's maiden name, and the rest.

Passwords are the problem

The problem is that passwords can no longer scale. It's become impossible to create memorable, strong, unique passwords for the broad range of sites with which we interact, so we don't. Instead, we rely on one or a small number of strongish passwords to suit the unique and maddeningly complex rules created by websites that seem to want to make it extremely difficult to consume services and buy products.

It’s not just users who are frustrated. Though companies are eager to make authentication as streamlined as possible, commercial security tools seem to create as many problems as they purport to solve. They add costs such as hardware tokens, create steps for users, invade privacy, and could compromise the solution's security profile.

Worse, if the weakest point in a web infrastructure is the password, then there is considerable benefit in hacking these large-scale password databases. The list of compromised passwords is endless -- from LinkedIn, Yahoo, Evernote, Sony, and many more. Criminals know that, if they have your username and password from one site, there's a better than good chance it will work across other sites. Your online bank, your email provider, and any other site you have allowed to build an identity around you will soon wish it didn't have one.

What's the answer? Many of you probably have had some experience with two-factor or multifactor authentication, a security technique recently adopted by Twitter, Dropbox, Gmail, and others with some success. The problem with two-factor authentication is that it doesn't scale -- and for the same reason people can't be expected to recall 20-30 unique passwords. Who can remember to carry a hardware token with them all the time to log in to the dozens of sites they regularly visit?

Smartphones to the rescue

But here's the good news. Today we all carry a mobile phone. Increasingly, in the United States and Western Europe at least, this device is likely to be a smartphone. What these devices offer is a range of ways to strongly authenticate ourselves, both to the local device and to the Internet services we want to access. A good example of this is the latest Apple iPhone. We now have a fingerprint sensor (Touch ID) in a mass-market smartphone.

This is not just about fingerprint sensors, though industry reports state that Tier 1 device manufacturers will have this feature by the end of 2014. It is about everything else that is present in smartphones. You have increasingly powerful cameras and microphones supporting voice and face recognition. You also have a range of additional capabilities -- GPS, for instance -- that can be used as part of the authentication process to determine whether the user is in a normal location.

Last, but not least, is the fact that most device manufacturers have invested in secure elements and trusted execution environments. These are hardware- and software-based secure storage areas and operating systems that allow the secure creation and storage of a credential on the device. An example of this would be the TrustZone® architecture from ARM. These allow us to give a smartphone a level of trust similar to that of a smart card, which is crucial in meeting the business risk of payment services providers, insurance companies, and government agencies.
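The device-bound credential that a secure element or TEE makes possible, and why a breach of the server's credential table then yields nothing that works at another site, as an added example in Go (not code from the original article or from Nok Nok Labs). It models the phone's secure element as an in-memory map, uses an ECDSA P-256 key pair as the per-site credential, and the site and user names are constructed.

```go
package main
import "crypto/ecdsa"
import "crypto/elliptic"
import "crypto/rand"
import "crypto/sha256"
import "errors"
// Device stands in for the phone's secure element: one private key per site, never exported.
type Device map[string]*ecdsa.PrivateKey
// Server keeps only public keys and consumed challenges; a stolen copy of it logs nobody in.
type Server struct {
	site    string
	pubKeys map[string]*ecdsa.PublicKey
	used    map[string]bool
}
func NewServer(site string) *Server {
	return &Server{site, map[string]*ecdsa.PublicKey{}, map[string]bool{}}
}
func digest(site string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(site+"|"), challenge...)) // bind the nonce to the site
	return h[:]
}
// Register makes a fresh key pair on the device; only the public half reaches the server.
func (d Device) Register(user string, s *Server) error {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	d[s.site], s.pubKeys[user] = priv, &priv.PublicKey
	return nil
}
func (s *Server) Challenge() ([]byte, error) {
	c := make([]byte, 32) // fresh 256-bit nonce for one login attempt
	_, err := rand.Read(c)
	return c, err
}
// Respond signs site||challenge with that site's key; the private key stays on the device.
func (d Device) Respond(site string, challenge []byte) ([]byte, error) {
	priv, ok := d[site]
	if !ok {
		return nil, errors.New("no credential enrolled for " + site)
	}
	return ecdsa.SignASN1(rand.Reader, priv, digest(site, challenge))
}
// Verify consumes the challenge on first sight and accepts only the user's registered key.
func (s *Server) Verify(user string, challenge, sig []byte) bool {
	pub, ok := s.pubKeys[user]
	fresh := !s.used[string(challenge)]
	s.used[string(challenge)] = true
	return ok && fresh && ecdsa.VerifyASN1(pub, digest(s.site, challenge), sig)
}
```

Because each response is bound to the site name and to a single-use challenge, neither a copied public key nor a captured response logs anyone in anywhere, which is what makes a breach of this table so much less valuable than a breach of a password database.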

With all these advantages, freedom from password drudgery is no longer an impossible dream. Let's chat about how to make this vision of a secure and simple web authentication process our new reality.

About the Author

Phillip M. Dunkelberger

President & CEO, Nok Nok Labs

Phillip M. Dunkelberger is President and CEO of Nok Nok Labs. He has spent more than 30 years in the technology field. From the advent of the local area network and PCs to the creation of the standalone security market, he has seen the impact of "big ideas" that have revolutionized the industry. Before the formation of Nok Nok Labs, Mr. Dunkelberger served as CEO of PGP Corp. until Symantec acquired the company in 2010. Prior to founding PGP, he served as Entrepreneur-in-Residence at Doll Capital Management, President and CEO of Embark, and President and COO of Vantive Corp.
