Authentication needs a cultural shift.
We're looking at you, end-users, with your crappy passwords and security apathy. We're looking at you, businesses and services that should get out of the password game and reduce the amount of personal data you store. A rash of breaches shows you have nothing better than a rotting Swiss cheese defense (it stinks, and it's full of gaping holes).
We are talking major shifts in habits and thinking, but they are required to help plug the leakage of personal and sensitive data that saw 1.1 billion records stolen in 2014, according to a report by Risk Based Security. This year's numbers aren't complete, but expect a new high-water mark.
There are many ways to cut this, but let's focus on authentication and changing habits around end-user access.
Technology has answers if it can subtract the complexity and deliver a decent user interface. How do we get end-users to help fuel a shift?
Can Microsoft's milestone release Wednesday of Windows 10 add that fuel? (No pressure, Microsoft).
Nearly 76% of desktops are running Windows 7 or 8.x, according to NetMarketShare, and users of those versions can get a free upgrade. Windows 10 has been architected to run on most "modern" computer configurations, so there is no need to replace entire machines. The new authentication support does lean on hardware, though: Hello's face and iris recognition need an infrared-capable camera, fingerprint login needs a reader, and Passport's keys are best protected by a TPM; machines without that hardware fall back to a PIN and software-held keys.
Windows 10 features Hello and Passport, two significant platform upgrades that address authentication to the device, apps, and online resources. Here's hoping it all works as advertised because the tide of end-user acceptance could get significant momentum here.
Hello uses face, iris or fingerprint recognition (with a PIN as fallback) to unlock a device or desktop. Once in, Passport supplies the credential, and exposes APIs so apps can build on it: each device holds a private key, ideally inside the TPM, that a Hello gesture unlocks; the service stores only the matching public key and authenticates the user by having the device sign a challenge. No password or shared secret is sent to, or stored by, the service, so a breach of the service's user database does not hand the attacker a working login. Passport lets users authenticate to a Microsoft account, an Active Directory account, an Azure Active Directory account, or non-Microsoft services that support FIDO Alliance protocols. Microsoft is a FIDO member helping develop open, interoperable and secure strong authentication protocols.
These non-Microsoft-centric options are what Microsoft has been missing in the past.
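To make the Passport model described above concrete, here is an added example of the device-side and relying-party-side exchange, written for this page in Go using only the standard library; it is not Microsoft's code and not code from the original article. A P-256 key pair stands in for the TPM-held credential, a boolean stands in for the Hello gesture, and the user name "alice", the 32-byte nonce and the ECDSA-over-SHA-256 signing are assumptions of the example rather than Passport's actual wire format. It also shows what the model buys you: a locked device refuses to sign, a captured signature cannot be replayed, and an attacker who has copied the server's user table (public keys only) still cannot log in.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Device models a Passport-style credential. The private key never leaves the
// device; on real hardware it sits in the TPM, released only by a Hello gesture.
type Device struct {
	priv     *ecdsa.PrivateKey
	unlocked bool
}

func NewDevice() (*Device, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{priv: priv}, nil
}

// Unlock stands in for the Hello gesture (face, iris, fingerprint or PIN);
// the boolean is a constructed stand-in for a local biometric match.
func (d *Device) Unlock(gestureOK bool) { d.unlocked = gestureOK }

// PublicKey is all the relying party ever receives and stores.
func (d *Device) PublicKey() *ecdsa.PublicKey { return &d.priv.PublicKey }

// Sign answers a server challenge; it refuses while the credential is locked,
// so a stolen laptop cannot authenticate without the user's gesture.
func (d *Device) Sign(challenge []byte) ([]byte, error) {
	if !d.unlocked {
		return nil, fmt.Errorf("credential locked: no Hello gesture")
	}
	h := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, d.priv, h[:])
}

// Server is the relying party (Microsoft account, AD, Azure AD or a FIDO
// service). It holds public keys only: a breach of this table yields no login.
type Server struct {
	users   map[string]*ecdsa.PublicKey
	pending map[string][]byte // outstanding single-use challenges
}

func NewServer() *Server {
	return &Server{users: map[string]*ecdsa.PublicKey{}, pending: map[string][]byte{}}
}

func (s *Server) Enroll(user string, pub *ecdsa.PublicKey) { s.users[user] = pub }

// Challenge issues a fresh 32-byte nonce the device must sign.
func (s *Server) Challenge(user string) ([]byte, error) {
	if _, ok := s.users[user]; !ok {
		return nil, fmt.Errorf("unknown user %q", user)
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[user] = nonce
	return nonce, nil
}

// Verify checks the signature with the enrolled public key and consumes the nonce (no replay).
func (s *Server) Verify(user string, sig []byte) bool {
	pub, ok := s.users[user]
	nonce, pendingOK := s.pending[user]
	if !ok || !pendingOK {
		return false
	}
	delete(s.pending, user)
	h := sha256.Sum256(nonce)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

// Login runs the full exchange: no password or shared secret crosses the wire.
func Login(s *Server, d *Device, user string) (bool, error) {
	nonce, err := s.Challenge(user)
	if err != nil {
		return false, err
	}
	sig, err := d.Sign(nonce)
	if err != nil {
		return false, err
	}
	return s.Verify(user, sig), nil
}

func main() {
	dev, _ := NewDevice()
	srv := NewServer()
	srv.Enroll("alice", dev.PublicKey()) // "alice" is a constructed sample user
	dev.Unlock(true)
	ok, err := Login(srv, dev, "alice")
	fmt.Println("login ok:", ok, "err:", err)
}
```

The design choice worth noticing is what the server never has: there is no password hash to crack and no shared secret to phish, and the nonce is deleted as soon as it is checked, so a signature sniffed off the wire is worthless a second time. Real Passport adds device attestation and key-use policies on top of this skeleton, but the trust boundary is the same.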
Microsoft doesn't have the greatest track record when it comes to authentication. Passport Version 1 suffered from a poor user experience and eventually morphed into Windows Live ID to try and hide its sins. CardSpace/InfoCards was another grand plan that introduced an Identity Metasystem but never garnered end-user favor.
However, Microsoft has tenacity, learns from its lessons and typically finds its way. Is this one of those moments?
Microsoft has a ton of smart people working in identity and access management, both internally and among the small, specialized community of technologists who debate and ruminate over digital identity and access controls.
If end-users find this technology usable and useful, can the definition and reality of secure authentication shift away from passwords and fuel ongoing innovation in authentication technologies?
Will end-users demand back-ends, desktops, mobile devices and Internet of Things devices with more secure logins and more resistance to attackers? Will they listen for essential words such as tokens, biometrics and key pairs, even if they understand those terms only as shorthand for stronger authentication?
I'm hopeful and optimistic for a cultural shift. It's needed.
End-users, you're on the clock.