Authentication is multi-headed beast for purging passwords

Authentication shows a bright, secure future defined by options and combinations.
Written by John Fontana, Contributor

The future of authentication won't have a killer app, but it's certain to have a set of killer use cases.

One-time passwords (OTP), SMS messages, push strategies, and multi-digit codes will fade into the future, so plan on secure replacements and combinations in the form of cryptographic hard tokens, device-based authenticators, and biometrics.

Closed systems won't survive, so plan on the flexibility of open standards.

Today's authentication -- the act of logging in to an online or network resource -- may have a few rough edges, but plan on the arrival of secure and federated log-ins, including a reduction in the number of consumer identity providers and the rise of authentication services built on top of cloud platforms that provide companies private sandboxes to run and maintain their own identity services. (Think Amazon Web Services model.)

The future of authentication is bright, secure, and will be defined by many options and combinations.

Today, OTPs, SMS codes and pushed-based schemes are showing vulnerabilities, tainted by man-in-the-middle and phishing attacks that don't require a sophisticated hacker. In fact, NIST is deprecating SMS for out-of-band authentication and will strike it from the next update of its digital authentication guidelines.

In its place, biometrics is being anointed as the savior, but this misguided rush to purge the password misses the big picture.

Authentication will be solved in a number of ways depending on the resources being accessed, the use of mobile and other devices, and available network connections. And it might still involve a password.

Biometrics are gaining acceptance, but they come with rough edges, including false positives and enterprise deployment issues. Work needs to be done, but alignment with other technologies may bolster biometric innovation.

Behavioral biometrics -- such as keystroke speed, the way a user holds their phone, or mouse use characteristics -- add to the intrigue of biometrics. And the addition of attributes such as geo-location also aid in strengthening biometric-based user authentication from remote devices.

These combinations align with a future where a number of inputs, variables, and attributes will dictate who earns access to resources and how.

Open standards also are key. The FIDO Alliance, the World Wide Web consortium, the OpenID Foundation (OIDF), and various countries and entities, including the EU, the UK and the US, are driving a revolution in strong authentication.

Specific standards efforts are being integrated with other standards' work in the authentication space, most notably protocols built on the Internet Engineering Task Force (IETF) standard OAuth and its derivatives such as OpenID Connect for identity federation.

OIDF is adding a "bridge" to second-factor authentication standards, including the FIDO Alliance as the reference case. Microsoft's authentication platform, Hello, which ships next week with the latest version of Windows 10, is closing in on a standard FIDO-based authentication environment. These sorts of integrations streamline authentication into larger identity and access management systems and expand authentication options for enterprise users and consumer identity providers.

And finally, the future will see online identity service providers shrink to just a handful, likely anchored by Google with its new identity as a service (IDaaS) capabilities introduced in early June, and Microsoft with Azure AD B2C, an IDaaS model for consumer-facing ID services. Both Google and Microsoft incorporate standards like FIDO and OpenID Connect. Other ID providers that are ripe to join the fray include Facebook and Amazon.

In this model, other websites no longer ask users to create a username and password (or store your personal information as bait for hackers). Instead, they rely on an identity provider to verify and authenticate a user.

While present authentication mechanisms are solving real world problems, the prospect for improvements and innovation make the future look promising and may deliver much of what is needed to tighten security on the internet.

Disclaimer: I represent my employer as a member of the FIDO Alliance and OpenID Foundation.

Editorial standards