What will it take to move authentication from UI to GI?

Summary: Is turning humans into signal-emitting authentication devices possible or even desirable?


Solutions to the age-old authentication process (read: passwords) are flying fast and furious.

Web sites are making available two-factor authentication, most recently Twitter, with the promise of improved security. There are biometrics including voice, fingerprints, and facial recognition. There is geo-location based on smartphone mapping. There is talk of mouse tracking, keystroke patterns, gestures and your own heartbeat to serve as identifiers. There are devices you can carry in your pocket, wear on your wrist, your ankle or draped around your shoulders.

Wearable technology is staring you in the glassy-eyed face, literally, whether you like it or not.

In combination, these authentication tools become even more powerful, if not a bit more cumbersome to execute.

And therein lies the rub. With all the talk about upgrading from passwords, can these authentication tools become too powerful? Who's at the controls when authentication signals are read? How are you linked to your identity and in what ways can you be tracked, targeted and impersonated?

Where is the line if wonderful theories are to become useful technologies?

Last week, Motorola talked at the D11 conference about its cutting-edge authentication research: temporary tattoos, high-tech patches already used in the medical field, that might support authentication. Also, the Google-owned company went all "outside-in" with its peek at the future of identity.

A pill, ingested once a day, that turns the user into their own authentication device, activating laptops, devices, and perhaps even the coffee pot, whenever and wherever they might go. You are your own UI.

No doubt the current state of the password could use something to cure its ills.

Regina Dugan, a senior VP at Motorola who showed off the future at D11 (video here), called the pill "your first super-power." The question is "yours" and "who else."

And while using the pill as an authentication device is merely a project to marvel at now, application of the technology and issues like privacy will determine if it ever sees the pit of your stomach.

Can the pill's authentication be turned on and off? How do I prevent every reader from picking up my signal? That is an issue the government faced when it mandated RFID chips for passports. The first solutions were to wrap the identity documents in a metal case. Talk about your tin-foil hats.

If the user is authenticating just by moving around, how does the user prevent being tracked as they are recognized by various sensors or log into various applications?

And foremost, how are these devices linked to the user? Are they doled out like contact lenses with your prescription (re: identity) printed on the side?

And what if these pills are lost or stolen? What is the revocation process, or the re-activation process, especially when the user discovers that their pills just fell down behind that old pile of floppy disks?

And what are the long-term health risks? In the 50s, fewer than 50% of people thought smoking caused lung cancer. In the 90s, people wondered if cell phones were giving them brain cancer. Are they? The arrival of digital phones has taken some of the steam from that debate.

Better and easier authentication is quickly becoming a mandate, but can it go too far? And if so, what are the ramifications? For one, passing a token and token retrieval could take on a whole new meaning.

Topics: Security, Privacy, Next Generation Networks


John Fontana is a journalist focusing on authentication, identity, privacy and security issues. Currently, he is the Identity Evangelist for strong authentication vendor Yubico, where he also blogs about industry issues and standards work, including the FIDO Alliance.

  • It'll likely be cards or apps.

    "And while using the pill as an authentication device is merely a project to marvel at now,"

    That particular technology would only last about 12 hours, though, before the body disposes of it. Not the most elegant of solutions. I'm sure that whatever we settle on in the future will not be a pill.

    Chances are we'll likely settle on some sort of card or cell phone tech. Either a card you place in your wallet (where you keep all of your other forms of ID anyways) or an app on your cell phone.

    Maybe RFID if we can work out the kinks - there have been reports of RFID readers reading the wrong RFID card when other people nearby have RFID. RFID will likely be either built into a card or into a cell phone.

    Government organizations already are universally using smart cards for authentication - you can't log into a gov't computer without a card. And yes, they support the revocation needed to work with lost/stolen cards. Smart cards are currently the most mature of all of these alternative authentication technologies.

    I seriously, seriously doubt the future of authentication is a pill.
    • Is this just over-engineering a solution to a simple problem?

      I wonder if fingerprint scanners aren't the closest and most economical solution. Nothing to lose, nothing to forget, and the hardware is already becoming pretty commonplace.
    • Already in use

      Cards and phones are already in use by many retail outlets. The need to swipe your card in a reader and enter your PIN is (slowly) being replaced by Smart Cards and phone apps.

      I've only read about them, but don't really know how they work. What is the range? Would I end up paying for someone else's purchases by walking past a sensor?

      I remember when card readers (cashless sales) were first introduced. There was a lot of skepticism, but they finally became commonplace. If these authentication methods (I agree, not the pill) are tested out in a small community, the "bugs" can be worked out, just like the card readers were.
  • A connected future.

    Though I agree the idea of a pill for UI seems over-engineered, I do think that the future will hold more invasive interactions than fingerprint or retina scans. Years ago the Japanese tested a way to transmit information by touch. You shook someone's hand and transferred info you had arranged to send. Think of it as a way of exchanging business cards. I don't know what became of that tech or if it is being used anywhere, but when I bump cell phones with another Samsung user and instantly transmit the contents of my screen it makes me wonder.
    I think in just a few years we will have healthcare, exercise, location tracking and more in the form of pills or implants. I can imagine cameras that aid people with sight limitations, blood monitors that check insulin, INR levels or other factors that currently require a trip to a clinic and a blood draw.
    The list of ideas and applications is much larger than the examples I have given and will grow as the tech and ideas gain traction, but one thing is certain: the idea of wearables, injectables, patches or pills is becoming more mainstream.
    Now if they could come up with a way to charge devices using your body's bio-electricity you could become your own power station and possibly even lose a little weight when your body burned calories to replace its power. I am probably off base but stranger things have been known to happen.
  • There's no foolproof

    No matter what anybody devises for authentication, the bad guys will figure out a way around it. Two-factor authentication sounds good, but what happens when the bad guy steals your phone? Or when you access the internet from a location that has no cell service? (I regularly visit wilderness resorts that have internet via satellite but no cell service.) A dongle is great until someone steals it, or you want to log in from a tablet without a USB connection. Implanted RFID chip? The bad guys will figure a way to scan you and then fake the signal.

    Personally, I think that right now the strongest security is a really strong password that does not reference anything in your personal life that someone might guess, combined with an OS that does not allow drive-by installation of keystroke loggers or other malicious software. (In other words, Windows is out!)