The Way Forward: Stronger Authentication
Strong authentication is the first pillar of trusted networks
Weren't computers supposed to save us time and add convenience to our lives? Technology was supposed to liberate us. Rather, it appears as though we're becoming beholden to the devices around us because of the pesky password.
Recent findings about passwords and online security certainly indicate that we're trapped in our own devices. Consider these sobering statistics: The average computer user has 25 accounts, uses 6.5 passwords, and logs in eight times a day. So say researchers at Microsoft. Add to this rosy scenario the fact that these days there are so many new types of gadgets. From the perspective of storing and remembering passwords, things aren't so rosy.
The Burnett study tells us that account hijacking is not new. Attack methods such as phishing, fraud, and exploitation of software vulnerabilities have been around for a while, and they still continue to prosper. What absolutely scares me is the fact that a teenage hacker in some eastern European country armed with a run-of-the-mill desktop computer can in theory bring down powerful, multinational companies. It's been done before and, unfortunately, it can happen again.
The culprits? We have ourselves largely to blame for this mess. The plethora of personal digital devices has made us slightly lazy when it comes to doing our part: that is, keeping a tally of many strong passwords. Credentials and passwords are often re-used, which amplifies the impact of such attacks. Another study by Trusteer revealed that more than 45 percent of online transactions fail 'very frequently' or 'frequently' because of authentication problems.
Strong authentication is the first pillar of trusted networks. Identities must be trusted by independent partners. It is the foundation for a more secure network, where all users and all devices are strongly and mutually authenticated in an open, interoperable, and federated environment.
The Initiative for Open Authentication (OATH) is an industry-wide collaboration to develop an open reference architecture, by leveraging existing open standards, for the universal adoption of strong authentication. Besides the OATH Reference Architecture, the industry is busy publishing standards regarding robust protocols and algorithms in the fight against ID theft and cyber-crime. For example, if a user has authenticated to the first relying party (typically called the Identity Provider, IdP), the same authentication can be federated to other relying parties. Popular federation protocols include SAML, OpenID, and OpenID Connect, some of which are concerned with authenticating the so-called first mile, while others concern themselves with the second mile and beyond.
In order to drive adoption of strong authentication across the entire user community -- from corporate employees to Internet users accessing healthcare records to government services -- the industry must collaborate to lower the complexity and the financial barriers of strong authentication. The answer, I think, is that open technical standards and deployment profiles that promote interoperable components can go a long way towards becoming powerful tools for lowering complexity and cost. The development of an open and royalty-free specification for strong authentication should be the focus, without compromising security. It's a tough job, but the entire world needs better standards to take us into the next, safe Internet Age (which, I hope, will be more liberating than the one that currently exists).