Authentication advances put 2016 light at end of breach tunnel

Savvy consumers, companies willing to shed bad habits can fight back with secure access options in 2016
Written by John Fontana, Contributor

The password was dragged down 20 miles of bad road in 2015. It's not worth recounting the horror.

Looking forward, however, there is promise for those willing to drive toward better access controls and security.

Consumers and companies willing to shed decades-old login and access habits will have a better chance to protect themselves in 2016 than maybe they've ever had short of unplugging from the Internet.

Innovation will abandon passwords and focus on authentication, which will be defined by controls applied at specific times to specific classes of devices, access and transactions. And the so-called identity stack, including single sign-on, federation, strong authentication, identity proofing, and user management, will get the hooks -- APIs, connectors and shims -- to build a strong set of defenses from a collection of tools tuned for precise use cases.

Here are some of the things that will fade: the password as a security boundary that guards access, security tools too costly or dated to deploy, lack of awareness around risk, disregard for privacy, and the search for the mythical silver bullet solution.

In their place will be extensions of the good things that happened in 2015: lost faith (and patience) in passwords, industry collaboration and innovation, government involvement (the productive kind), and the hints of a legal framework around protecting data.

One of the most positive trends is that consortia and standards bodies are starting to combine forces and efforts like never before to integrate a range of identity and access control options.

Last week, the World Wide Web Consortium accepted a donation of Web API and format specifications from the FIDO Alliance. The end game is to get authentication hooks in place within all Web browsers and platforms, making it much easier for Web and other app developers to incorporate secure access controls.

In addition, the OpenID Foundation is creating a protocol so that strong authentication options, built by other entities including FIDO, can easily combine with the group's OpenID Connect standard, a single sign-on and identity profile mechanism built on OAuth 2.0, which was standardized three years ago by the Internet Engineering Task Force.

And look for open-source based platforms such as Gluu and Shibboleth to offer options to bring together this mix of resources.

Governments also are stepping up. A new iGov Working Group at the OpenID Foundation includes the public and private sector and 10 participating governments. The U.S. National Institute of Standards and Technology (NIST) and the U.K. government are active at the FIDO Alliance.

Paul Grassi, senior standards and technology advisor at NIST, and Michael Garcia, the deputy director of NIST's National Strategy for Trusted Identities in Cyberspace (NSTIC) initiative, have emerged as a dynamic and vocal duo engaging the private sector to help solve secure access and privacy issues.

NSTIC has now handed out more than $34 million to 15 pilots to facilitate creation of an identity layer for the Internet run by the private sector. Nearly 130 organizations across 10 major industry verticals are involved. The pilots have incorporated approximately 2.3 million individuals.

There also are existing tools to combat passwords, the weakest security construct known to computing, be they password managers or phone-based codes. Biometrics and cryptographic hardware tokens go deeper with strong authentication options.

Windows 10 promises stronger access controls with biometrics. Adoption could create significant momentum given nearly 76% of Windows desktops are running Windows 7 or 8.x, according to NetMarketShare. Users with those versions of Windows are eligible for a free upgrade.

Apple is exploring facial recognition to go along with Touch ID, FIDO is working on its next-generation strong authentication protocols, wearables that people would actually wear are hitting the market, and future technology like the Internet of Things is a non-starter without an authentication foundation to control what talks to what and how data is shared.

Will all this thwart the hacking problem for generations to come? That is a fool's prediction. The cultural shift needed from organizations and end users must not be underestimated, but the technology is beckoning with promises that can ease the pain of transacting business and sharing data online.

As always, I am optimistic. I'm hoping 2016 doesn't let me down.
