2016 was a year of progress vs. pilfering

FBI, Apple set tone for year that saw progress in ongoing attempt to devise better access controls
Written by John Fontana, Contributor

2016 was a rough year for the digital credential, a flicker of hope for privacy, and a mandate to better protect access controls and data.

Credentials were hacked, cracked, phished, faked, stolen, re-used, resurfaced, and for a brief period No. 1 on the FBI's most wanted list.

A possible precursor to tougher data protection laws worldwide took hold in the EU, countered by troublesome surveillance practices that reemerged in the UK. Collaborations on standards and among governments hinted at an advent of stronger identity and authentication tools, while breaches continued to flourish.

It was indeed an active year, and a setup for more of the same in 2017, hopefully progress.

The FBI's demand that Apple help unlock an iPhone used by one of the shooters in the San Bernardino terrorist attack was the most debated security topic of 2016. Apple refused to build a "backdoor" (a modified iOS that would bypass the passcode protections), and the FBI eventually got into the phone with help from an outside party instead. Opinions for and against ran nearly even, but some industry experts said the episode exposed challenges that will outlast this one case.

"We are moving into an era of confrontation between people and machines," said Whitfield Diffie, who with Martin Hellman published the first public-key key-exchange protocol in 1976. "The interaction of people and machines is a major issue of this era. Who controls the machines is going to be who controls the world."

At the same time, public-key authentication built on FIDO Alliance protocols, in which a user's device signs a server challenge with a key pair registered for that specific site, was redefining the age-old trade-off between security and convenience: no shared secret for a server to leak and nothing for a user to type into a phishing page.

In February, Forrester Research published a report called "Don't Ignore FIDO" and advised enterprises to include FIDO Alliance protocols in their 2016 plans. Companies such as Salesforce.com, Bitbucket, and GitLab made FIDO U2F strong authentication available to their end users, and Opera joined Google's Chrome in supporting the protocol in its browser.

In tandem, the World Wide Web Consortium (W3C) began work on a standard Web API that lets web applications register and use public-key credentials for authentication directly through the browser. The W3C's Web Authentication (WebAuthn) effort was based on specifications contributed by FIDO.

A few months later, the National Institute of Standards and Technology (NIST), in a public draft of SP 800-63B, moved to deprecate aging second-factor methods, most notably one-time codes delivered by SMS, which can be intercepted or redirected, in favor of more secure second-factor techniques.

There was no doubt that access controls were in the throes of a major evolution.

The importance of this effort was reinforced in early 2016 by Michael Rogers, director of the National Security Agency, who called data "an increasing commodity of interest to many with a strong desire to steal it."

And steal it they did. In May, 427 million MySpace credentials, stolen years earlier, resurfaced on the dark web, and 117 million LinkedIn passwords from a 2012 breach were put up for sale the same month. A young Russian hacker traded 1.17 billion credentials for "likes" and "votes" on his social media accounts. The five largest breaches listed on the Have I Been Pwned website totaled more than 1 billion credentials. Password reuse is what keeps such dumps dangerous years after the fact: a credential leaked from one site is tried against every other.

Against this backdrop, the European Union approved its General Data Protection Regulation (GDPR), tough new privacy rules that give citizens rights to control their data and promise significant fines, up to 4 percent of worldwide annual turnover, for companies that are lax in protecting it.

Pulling the other way, UK leaders after the Brexit vote enacted the Investigatory Powers Act, controversial new surveillance rules that require service providers to store one year of browsing histories on all internet users, decrypt data on demand, and remove encryption in some instances.

In late 2016, the US presidential election again exposed the consequences of stolen credentials. WikiLeaks released emails stolen from Clinton campaign chairman John Podesta through a phishing attack that was blamed on the Russian government. The news was a damaging blow that came late in Clinton's campaign.

But standards efforts among industry groups and governments held out hope for curbing such credential thefts and social engineering attacks. Groups such as FIDO, the W3C, the OpenID Foundation and Kantara collaborated with one another, as did government initiatives such as the National Strategy for Trusted Identities in Cyberspace (NSTIC), the UK's Identity Assurance program, and trust initiatives brewing among the Canadian government and vertical industries.

Overall, there was a confluence of encouraging advancements related to identity and security for enterprises and consumers.

I am hopeful that these alliances and advancements are a precursor to access control improvements to come. It feels like a breakthrough is near, something that brings better protections for our data and personal information in 2017.
