Of Google, governments and authentication

End-users will ultimately decide on the success of multi-factor authentication. Will the newest efforts toward that end help them make up their minds?

The past two weeks have been a shot in the arm for stronger authentication, first the government mandating its agencies tighten log-in security and then Google unveiling its better mouse trap for signing into its applications .

While we know the pendulum will swing toward mass adoption when end-users provide the force to move it, the massive user populations maintained by the government and Google should not be dismissed as a means to create that force.

ock and screw 8.12.29 PM

Adoption of better identity, authentication, identity management and security won’t be another Big Bang Theory, it will happen bit-by-bit via specific use cases and rollouts such as we have seen in the past two weeks. Also, defined corporate needs, sharp end-user pain points, and the sting of attacks on private and financial data will help feed adoption.

Often times technology looks for a single event ­– the killer app – that changes everything. But it rarely, if ever, happens that way. Pieces of the puzzle fill in as part of a slow process that eventually accelerates toward a fast finish, a new reality and the slow churn of the next evolution.

There is no end state here, only safe eddies the provide solutions and finite contentment.

Are we at one of those junctures?

President Obama last week signed an executive order that will require the use of multi-factor authentication and effective identity proofing by any agency making personal data accessible to citizens via digital applications. Agencies have 18 months to comply, so this certainly won’t be a Big Bang, and with the deadline arriving before the next election, rollouts might just happen. 

Jeremy Grant, who for nearly the past four years has led the effort behind the National Strategy for Trusted Identities in Cyberspace, captured the importance of this use case. “Identity is the great enabler here – if we have easy-to-use identity solutions that enable secure and privacy-enhancing transactions, we can enable citizens to engage with government in more meaningful ways,” Grant wrote on is blog.

While many will be thankful the government is not pushing a national ID, this program holds the chance of filling in a piece of the identity/security picture, introducing end-users to the technology, and, if it fails, educating the rest of the industry to what doesn’t work.

Google’s effort is in a similar vain.

While the early adopters are likely to be the technologically savvy, if the company can show ease-of-use and tangible benefits there is a chance of a global shift in attitudes toward multi-factor authentication, especially one where Google or any other large cloud service is not the identity provider but relies on cryptography controlled by the end-user.

The promise is better protection of personal data and privacy.

E-mail isn't often just an end-user's in-box, but a storage locker for digital life. Putting a better lock on it is a use case that resonates in today’s climate of breaches, end-users' sense of violation, and the mass media coverage of such events.

There are countless other use cases for smaller user populations within enterprises: protecting access to intellectual property (IT), sensitive documents (R&D), and financial data (finance).

The solutions built to solve these specific use cases hopefully will conspire to fuel the next definition (and expectations) of identity management, privacy and security.

But it will be the end-user who crafts such a definition and approves it.

Disclaimer: My employer develops technology that works with Google’s new two-factor authentication support.