Web authentication set for sea change
Web authentication is headed for a sweeping change, as consumers and businesses increasingly look to a more effective way to establish identity and trust on the Internet, which in becoming a quintessential tool in everyone's lives. The extent of transformation, however, is still evolving.
Craig Spiezle, president of Online Trust Alliance (OTA), told ZDNet Asia in an e-mail interview that the definition of authentication, identity and reputation is set to evolve over time.
Alvin Ow, technology consulting director at RSA Asia-Pacific and Japan, concurred, saying authentication will change in the future out of necessity.
"With the spike in recent cyberattacks on consumers, private businesses and public bodies, people are...beginning to realize that the basic user-name-and-password form of security is not enough to protect oneself," Ow added. "The way forward, will be multifactor authentication."
In fact, at the Cloud Identity Summit 2011 in July, Gartner's Bob Blakely went as far as to state that users will cease authenticating in the future because authentication does not work and is "a pain in the neck to use".
The vice president and distinguished analyst said recognition would be a better approach, where digital footprints would be used for identification and to establish trust. He further added that digital footprints on social networks can be used to authenticate people, and such data would be more reliable than standard authentication.
Spiezle, however, said it would be a "misstatement" to say people will stop authenticating. The OTA executive believes, instead, that there will be more stringent checks to verify identity as well as the use of other information for Net users to be able to carry out transactions.
"I see a future where high level credentials will be required for both the user and device," he said. "Think of authentication as the driver's license and reputation [as] the driving record."
Spiezle's stance is similar to calls made by security experts such as Eugene Kaspersky, who has been a vocal advocate for Internet passports and an Interpol for the online realm.
McAfee CTO Scott Chasin added that recognition through digital footprints or crumbs will not be the sole means for enabling trust and, instead, contribute only to the context of the authentication request.
"I believe that digital footprints will have a place in context-driven security models which will help define trust management ecosystems," he explained in an e-mail. "Digital footprints are simply another metadata attribute which cloud-based identity and trust brokers will leverage in order to authenticate or authorize users, devices and applications.
ID-as-a-service emerging
The McAfee executive, who also spoke at this year's Cloud Identity Summit, proposed during the event that social networks will provide a third factor for establishing trust and identity--after blacklisting and whitelisting.
Paid ID-as-a-service tapping social data will emerge within the decade, Chasin predicted in July.
Elaborating, he told ZDNet Asia in his e-mail that the world is moving beyond reactive security and "quickly" toward context and identity-driven security models. "It's not necessarily about just keeping the bad guys out, but also letting the good guys in.
"The cloud will enable identity brokers to collaborate with identity providers (IDPs) whereby context and identity can be leveraged in a clearinghouse-type of deployment," said Chasin.
According to him, Google certainly has an opportunity to capture a key position in the IDP landscape. To do this, the Internet giant needs to move beyond Gmail as a primary authentication layer and "start to develop an IDP ecosystem that can be exported and leveraged with application integration"--a strategy Facebook is leveraging with OAuth integration with the rest of the Web.
Google Wallet, he added, will be a key technology that can help propel Google's position.
Google Chairman Eric Schmidt expressed the company's identity aspirations in late August, when he pointed out that Google+ is essentially "an identity service with a link structure around your friends". Such a service, he explained, is "central for Google" to improve its products, and can help rank identities based on whether or not they are who they say they are. This was why it insisted on implementing a real-name policy for its beta social network.
RSA's Ow agreed that there is an increasing number of social media Web sites such as Facebook and Google+ including the element of authentication. However, he said enterprise clients prefer multifactor authentication where their customers are probed for information specific to the organization during the verification process, as opposed to social network-related data.
"In the future, businesses might make use of the social digital footprint as a secondary layer of identification and multifactor authentication. However, for the moment, we believe that businesses are going to look inside their organizations to identify one's digital footprint," he noted.
For example, a bank looking to make use of multifactor authentication might ask the customer questions such as his last purchase or when his last login took place, said Ow.
ID-as-a-service "still has a lot of maturation ahead of it", Chasin acknowledged, noting that the industry is currently in the early stages of cloud-based single sign-on and application cloud authentication.
"Application-driven models of authentication and authorization within the boundaries of context will provide new models for value-added services and solutions," the McAfee executive added. "The big question is how context will play a major role in ID-as-a-service opportunities.
"In some scenarios, we are moving faster to context-driven security models, where identity is just one attribute along with many others--reputation, relationship, etc."