As always Bob has an interesting post out there. Taking up the issue of authentication, he issues this challenge:
“I believe that this community should commit itself to achieving the goal, before this decade is out, of providing every computer user with a strong authentication device and the infrastructure required for its universal acceptance.”
The post started my mental wheels turning. I 100% agree with Bob that the current state of affairs for user authentication is unacceptable. He provides some great guiding points on what a better authentication system should look like. He says:
We need to get a strong authentication device into the hands of every man, woman, and child on the planet.
To do that, we’re going to need lots of strong authentication device providers and lots of innovation. The devices are going to need to be cheap, they’re going to need to be trivially easy to use, and they’re going to have to come in all shapes, sizes, and colors to fit with the widest possible variety of lifestyles.
Trivially easy to use. To me, above and beyond the abilities of the authentication system, it has to be easy to use. Why? Consider who has to use it. Your parents. People who are not necessarily technologically savvy. Consider that when identity people get together they talk of metasystems, infrastructure, standards, and a whole slew of topics that only they understand. (I am not laying blame here, but we talk about what we know.) The vast majority of people out there have no idea what strong authentication means. Think how hard it is to train corporate users to use a strong auth system. Now imagine rolling out that system for the entire Internet. Remember you have to train everyone on it… including your parents. Now you begin to see the challenges we face in solving both the technical and social issues around moving beyond passwords and into improved authentication land.
After hearing a few comments from America’s Growth Capital last week, I started thinking that we have an authentication obsession. We have to learn from the network world and not let the application tier develop a perimeter defense mentality: “I have strong auth enabled on this application; we’re safe.” sounds an awful lot like “We’ve got a firewall; we’re safe.” Yes, strengthening authentication and getting away from passwords as soon as possible is extremely important. But let’s face it, the identity house isn’t anywhere close to complete. We are obsessing about the plumbing and there’s no roof or power in place yet. Knowing what happens after authentication is just as important as, if not more so than, what happens at authentication.
As I went through Dulles today, I had a chuckle at the most hackable authentication event you will ever see… airport check-in. Bruce has written about this. I am Jim Badguy and want to travel. I am a wanted bad person. I’m not on the TSA No-Fly list because that list is actually generated from a list of people who receive Publisher’s Clearinghouse mailers. I have Bill Goodguy’s credit card info. I buy an e-ticket with Bill’s card info. I save the e-ticket out of my browser. I print a copy out with Bill’s name on it. I manipulate the saved version of the e-ticket, and put my name on it. I head off to the airport with both copies of the ticket in my bag. I get to security and show them my valid driver’s license and my manipulated e-ticket, the one with my name on it. Everything is cool and off I go to the gate. I get to the gate and use the valid ticket, the one with Bill’s name on it, to board the plane. Authentication totally hacked. What I do after the point of (mis)authentication becomes critically important.
Yes, authentication is important, but we cannot lose sight of the fact that authentication is just the beginning. Recognizing an identity is the start. Observing how that identity interacts with other identities fills in more of the picture. Getting the complete picture involves both recognition and observation.