Is a second-factor assist enough to rally web users against passwords?

I changed jobs to get a front-row seat to see if end-users can lead a culture shift and bring on stronger, more secure authentication
Written by John Fontana, Contributor

Today was earmarked for my transparency story to reveal my new affiliation with Yubico, a strong authentication vendor that develops a unique hardware token known as the YubiKey. (Disclosure: I joined the company this week).

But my story's narrative so parallels what's been happening this week, it is best to examine it against that backdrop.

I have found a perch with an interesting perspective on the modernization of multi-factor authentication, which looks like the first in a set of steps toward giving end-users the pitchforks and torches they need to chase passwords out of town and quiet the breach epidemic.

The Apple hack this week and last month’s Russian hacker pilfering of 1.2 billion passwords from 420,000 websites are just reinforcing my notion that strong authentication is the first upgrade needed to DARPA’s relic – the password.

If just half of the people who secretly raced to iCloud earlier this week to delete their own naked selfies would agree to adopt at least two-factor authentication (2FA), we may have a revolution on our hands. (Of course, Apple also has to retool and take the lip service out of its 2FA implementation.)

But let’s be real, it won’t be proselytizing that saves the day, it will be the demands of embarrassed celebrities, frustrated social media junkies, empty-pocketed credit card customers, privacy victims and shamed corporations.

What’s needed is a cultural shift, an attitude adjustment and a willingness by end-users to slightly alter their behavior. It's the third factor: humans.

The bad news is that this has never been easy, and it’s not often successful. The good news is that innovative technologists have never shied away from disrupting the status quo.

Coincidentally, many of the reasons I was attracted to Yubico have been revealed by this week’s events, and by events over the past year or so that have resulted in millions of stolen passwords. The current username and password schemes are old, tired, and need an exit strategy. Something needs to be done.

If we can’t kill passwords today, the best thing going now from an awareness and usability perspective is pairing passwords with a strong authentication bodyguard. That combination has potential to slow the bad guys, and help protect data and privacy.

Let’s quit with deaf-ear advice on crafting longer, more secure passwords and make the strength happen in the second factor.

The emergence of modern, easy-to-use two-factor and multi-factor authentication options coincides nicely with the popularity of smartphones and other devices that can serve as a second authentication factor. A nice combination of technology and end-user desire.

I was drawn to the USB-based YubiKey, which requires just a one-touch gesture to execute strong authentication. But there are other models in this space: SMS codes on mobile devices, software tokens and other methods that authenticate users with something better than a static password.
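To make concrete what "making the strength happen in the second factor" means for the software-token and one-time-password options mentioned here, the following is an added example, not code from the original post and not Yubico's or the FIDO Alliance's own protocol. It implements generic event-based (RFC 4226 HOTP) and time-based (RFC 6238 TOTP) codes with Python's standard library and a small server-side verifier. The secret is the published RFC test-vector key, used here as constructed demo data; `HotpVerifier` and its look-ahead window are this example's own names and assumptions.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo secret: the RFC 4226 test-vector key (20 ASCII bytes).
# In a real deployment each user gets a random secret provisioned to the token.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: dynamic truncation of HMAC-SHA1(secret, counter)."""
    msg = struct.pack(">Q", counter)            # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                  # low nibble of the last byte
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the number of `step`-second intervals since the epoch."""
    t = int(time.time() if for_time is None else for_time)
    return hotp(secret, t // step, digits)


class HotpVerifier:
    """Server-side check for an event-based (HOTP) token (hypothetical class name).

    Remembers the last accepted counter per user, so a code captured once
    cannot be replayed, and tolerates a token whose button was pressed a few
    times without the code being submitted (look-ahead window).
    """

    def __init__(self, secret: bytes, look_ahead: int = 10):
        self.secret = secret
        self.look_ahead = look_ahead
        self.last_counter = -1      # no code accepted yet

    def verify(self, code: str) -> bool:
        start = self.last_counter + 1
        for c in range(start, start + self.look_ahead):
            # constant-time compare so the check leaks nothing about near-misses
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c   # resync; this and all earlier codes are burned
                return True
        return False


if __name__ == "__main__":
    # Stand-alone demo: first few codes and a replay attempt.
    for i in range(3):
        print(i, hotp(DEMO_SECRET, i))
    v = HotpVerifier(DEMO_SECRET)
    first = hotp(DEMO_SECRET, 0)
    print("first use:", v.verify(first), "replay:", v.verify(first))
```

Two caveats a practitioner should keep in mind: the per-user secret must be stored in recoverable form on the server (unlike a password hash), so the OTP store needs its own protection, and a code obtained by a real-time phishing page is still valid until it is used, which is one of the "sins in 2FA's past" that origin-bound public-key schemes such as FIDO's are designed to remove.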

The field for solutions is wide-open given a multitude of use cases based on varying levels of security demands. While the industry always seeks a killer app to wipe out the incumbent, in this case a range of multi-factor options will come in a number of form factors and target specific use cases, industries and job titles.

The other half of the equation involves standards. In this blog, I have written on the pros and cons of other recent standards work, namely OAuth 2.0 and OpenID Connect, which combined begin to define an “identity stack.”

The next piece of that puzzle could well come from the FIDO Alliance, which could help erase some sins in 2FA’s past. The group plans to add to the “stack” a standardized authentication layer. This is where websites, applications and services, along with hardware and software devices, can plug in and spread 2FA solutions across the internet at scale.

FIDO technology is designed to work with web browsers and web-based applications. The FIDO protocols leverage existing device hardware such as TPM chips, fingerprint readers, microphones, and cameras; and capabilities like Near-Field Communications, Bluetooth and One-Time Passwords; to enable multi-factor authentication.

Is there some pie-in-the-sky thinking in this 2FA infrastructure and client-side advancement? Sure, but that is the birthplace of innovation.

Multi-factor authentication is not the end game, but part of a journey that may eventually include multi-factor attributes and contextual authentication. All these models carry challenges. The inevitable failures, however, will foster advancement.

The technology, however, is not the hard part. Buy-in from end-users is the Holy Grail.

Perhaps Vladimir Katalov, CEO of ElcomSoft Co. said it best when he told TechTarget’s SearchSecurity reporter Brandan Blevins, "It is all about the human factor; it is not possible to protect your privacy and security using technical measures only."

But a good set of tools is always a great asset.

(Disclosure: My employer is a member of the FIDO Alliance.)