The World's Authentication Problem

The world has a huge authentication problem, namely, that we’re utterly terrible at authentication. In 2016 alone, 3 billion passwords were stolen.

Shared Secrets

The reason we’re so bad at authentication is that we’ve built a number of deeply ingrained habits around the use of shared secrets as a method of authentication. A shared secret is just something that’s known to both you and the service you’re authenticating into.

The first problem with shared secrets is that they are, by definition, not unique. I know my credit card number and my credit card company obviously does too, so that means two parties know it. If two parties know it, then three parties can know it too and this is where shared secrets begin to unravel as a trustworthy authentication tool.

The second problem with shared secrets is that they create treasure troves of centrally stored user credentials. Hack one merchant and get millions of credit card numbers. Hack one website and get millions of passwords. If that’s not attractive to a cyber-criminal, then I don’t know what is.

There is an alternative to shared secrets: a better way to do authentication. Modern-day technology and a confluence of breakthroughs have given us the resources we need to put a stop to identity fraud. To design a system that is both secure and usable requires the following steps.

Uniqueness

Since passwords and credit card numbers can be duplicated, how can you really know who’s in possession of them? The most important thing to get right is uniqueness. By combining asymmetric cryptography as the authentication method and secure elements as the authentication hardware, you can create a truly unique physical token that can always be trusted when performing authentication. Now the question is, who’s holding the token?

Two Factor Authentication

Someone can simply steal or find this identity token and use it as if they were you. To prevent this, you first prove your physical identity to the authenticator with a biometric check like a fingerprint scan, and then the authenticator proves its uniqueness to the service you’re logging into. Simply put, it’s 2FA done right since it eliminates the most egregious attack vectors we face today in transitioning to a digital world.

Easier than the Status Quo

We’ve been using keys, cards, and passwords long enough to make them habits, and habits are hard to break. If someone offers us an alternative that isn’t easier, we shun it. Why wouldn’t we? We’re creatures of habit and we tend to choose the path of least resistance. That’s why most people don’t turn on 2FA on their web accounts. No one wants to go through the extra step of typing a 6-digit code on top of their password every time they log in.

We won’t get consumers to adopt better security for the sake of security. We won’t even be able to get them to adopt better security by giving them a comparable experience. In order to get people to change their behavior, you have to offer a simpler and easier experience or the conversation is a nonstarter. Given the fact that typing a password, swiping a card, or using a key takes just a few seconds, beating the status quo from a user experience standpoint is a daunting challenge.

The light at the end of the tunnel is miniaturization. The billions of dollars that have gone into making your cell phone smaller have resulted in secure elements, fingerprint sensors, accelerometers, and Bluetooth modules that are mind-blowingly small. They are finally small enough to fit into a wearable device and that’s a game changer when it comes to user experience. A wearable can create an authentication experience that’s significantly easier than the status quo in ways that a carried device like a phone can never replicate.

A carried device needs to be retrieved from a pocket or purse. A wearable doesn’t need to be retrieved – it’s always at hand and that eliminates a step. A carried device also doesn’t know who’s grabbing it so that fingerprint check has to happen for every transaction that you do. A wearable is smarter than that. It can detect when it’s been removed so you only need to prove the biometric second factor once when you put it on instead of every transaction. That eliminates another step.

Intent Driven

The moment that you decide to log into a website or unlock a door is called intent. When you communicate that intent to an authenticator through a gesture, you perform the ritual of authentication and authorize it to sign one challenge with its private key. That’s intent driven authentication.

The alternative is passive authentication, where the physical proximity of an authenticator is enough to authorize an action; intent isn’t needed or captured. A car smart fob is an example of passive authentication.

A good authentication system captures intent and performs one authentication for each authorizing gesture it receives. In our quest to create good authentication systems, it’s important not to sacrifice intent for the sake of usability.
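The intent-driven model described above, as an added Go example that is not code from the original article: the wearer is verified once at put-on, each gesture authorizes exactly one signature, and the service holds only a public key. The names Authenticator, PutOn, Remove, Gesture, Enroll and Login are hypothetical, Ed25519 is an assumed stand-in for whatever algorithm a real secure element uses, and the biometric check and gesture sensor are modelled as plain method calls.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Authenticator models the wearable token; the private key never leaves it.
type Authenticator struct {
	priv        ed25519.PrivateKey
	worn, armed bool // worn: biometric passed at put-on; armed: one unspent gesture
}

func (a *Authenticator) PutOn(biometricOK bool) { a.worn, a.armed = biometricOK, false }
func (a *Authenticator) Remove()                { a.worn, a.armed = false, false }
func (a *Authenticator) Gesture()               { a.armed = a.worn }

func (a *Authenticator) Sign(challenge []byte) (sig []byte, ok bool) {
	if !a.worn || !a.armed {
		return nil, false
	}
	a.armed = false // the gesture is spent on this one challenge
	return ed25519.Sign(a.priv, challenge), true
}

func Enroll() (*Authenticator, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Authenticator{priv: priv}, pub // the service gets only the public half
}

// Login is one round: fresh random challenge, signed response, public-key check.
func Login(a *Authenticator, pub ed25519.PublicKey) bool {
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		panic(err)
	}
	sig, ok := a.Sign(challenge)
	return ok && ed25519.Verify(pub, challenge, sig)
}

func main() {
	a, pub := Enroll()
	a.PutOn(true)
	a.Gesture()
	fmt.Println(Login(a, pub), Login(a, pub)) // second login has no new gesture
}
```

A passive authenticator, by contrast, would sign whenever it is in range, which is the behaviour the armed flag rules out here.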

Aggregation

The last important attribute is aggregation. We all have to prove our identity many times throughout the day. We do it when we buy something, log in to a website, unlock our car, enter our home, ride the subway, or enter our office - each of these is a totally different authentication experience and each one requires you to carry or memorize a unique identity artifact. This in itself is a burden.

In trying to change these deeply rooted authentication behaviors, the last element that will be needed is aggregation. Being able to create a consistent, natural authentication experience across all authentication touch points throughout your day will be the final tipping point that gets people to change their behavior in exchange for better authentication practices.

Your credit card issuer, your access card manufacturer, and the financial websites you log into all care deeply about your security. They’re all working to bring you secure cryptographic authentication, but you’ll need to bend a little on your habits for this to work.

There’s no way we’ll be using misspelled words, plastic cards, and metal cutouts to prove our identity 5–10 years from now.