Mat Honan leading you out of digital hell

Mat Honan leading you out of digital hell

Summary: The Wired senior reporter is taking up the case against passwords - and with good reason.

SHARE:
TOPICS: Security, Networking
0

Back in August, I theorized that Wired senior writer Mat Honan, victim of the self-described “epic hack” that wiped out his digital life, should become the face of an identity revolution.

Last week, a giant picture of Honan’s face accompanied his pitch to start the process.

His 6,000-plus-word article appeared in Wired much to my delight, but I don’t have any designs he heard my plea. In fact, his digital life was laid so bare that he doesn’t require any encouragement to fight back.

His message was that passwords are old, tired and worn out. His article began with the sentence: “You have a secret that can ruin your life.”

The secret is your password; and he’s right, but I have caveats around Honan’s thoughts that privacy erodes when fixing the problem.

Honan joins a chorus that includes technical architects who have demonized the password for years, and a list of vendors, analysts, governments, financial institutions and others who see benefits and business interests in plowing under passwords and nurturing new seeds for personal authentication and authorization.

But Honan is the missing link, someone with a pure end-user interest born from enough pain and suffering to potentially make others turn around and run for higher (and more secure) ground. We should heed his story.

Judging by the reader comments on his recent article, Honan has converts, but still some misguided holdouts imploring him to quit whining and move on.

Where we need to move is beyond current password realities and into a system that recognizes our personal qualities, much like people we meet for the second and third time in the real world begin to recognize us.

The fact is digital life and securing it will come down to a set of attributes, or qualities, that define you.

Attributes are the real value, user control is the key and privacy is obtainable.

Last year, Reuters reported a Sony PlayStation Network breach where hackers obtained people's names, addresses, email address, birthdates, usernames, passwords, logins, security questions and more.

The story tempered the value of the data by saying that at least credit card information wasn’t stolen – a flawed risk assessment that centralized value in a single data element (sounds like passwords). What was the most important data element on the Sony list?

I would argue they all have the same value. Those pieces of data – taken together or in smaller chunks – define you and provide paths into your digital life as Honan learned.

In fact, the credit card, with its $50 max fraud protection, is the one piece of data I would give up over all the others.

The higher the desired security, the more attributes and attribute providers that will be needed to confirm that you are who you say you are.

Noted identity expert Bob Blakley, formerly with Gartner and now with Citi, calls this “identity recognition;” where systems begin to recognize your characteristics, such as location, device, behavior, time-of-day.

While Honan believes that ‘s where compromise comes in and privacy suffers; I don’t agree.

Honan wrote that real identity verification will “allow our movements and metrics to be tracked in all sorts of ways and to have those movements and metrics tied to our actual identity.” In essence, attributes.

I believe that will happen, but there won't be tracking and I don’t think it will require wholesale privacy concessions.

End-users ultimately will be in control of their personal attributes and will hand them out when needed, or authorize trusted sources on their behalf to share or confirm those attributes.

A user asked to provide location could authorize their cell company to release that real-time information or to validate that the user’s location matches attributes a provider already recognizes from its own database. Same with cable companies, which, for example, could verifying your billing address.

Honan is right that significant investment is needed to fix the password problem. It’s not easy to build the infrastructure for these systems as evidenced by efforts in the U.K., the U.S. and other countries.

And he’s right that times have changed, that the password system is broken, that without action comes chaos. And that it is time to fix things and eliminate passwords.

He’s the face of the revolution.

Topics: Security, Networking

About

John Fontana is a journalist focusing on authentication, identity, privacy and security issues. Currently, he is the Identity Evangelist for strong authentication vendor Yubico, where he also blogs about industry issues and standards work, including the FIDO Alliance.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

0 comments
Log in or register to start the discussion