Identity at cliff’s edge: Jump or stagnate?
31 December, 2014
category: Biometrics, Corporate, Digital ID, Financial, Government, Health
2014 and identity: the year of password breaches, Internet of Things and biometric handsets. True, some of these started earlier, but this year saw these technologies blossom and breaches widen.
These are three separate things right now, but they lead up to one thing: the mobile handset as the identity of the future. And yes, I know we have been here before, but I believe we’re close now.
When executives at the largest card companies start talking about the mobile replacing the plastic they produce, a change is on the horizon. The smartphone, likely coupled with biometrics, will be the consumer’s key to the Internet of Things and an additional factor of authentication to bolster the password.
The U.S. is on a cliff’s edge. Jumping off requires both a proverbial leap of faith and the acceptance of mobile devices to secure online access. The other option is to stagnate, remaining on the precipice with lists of complex passwords and frequent breaches.
The technology to enable secure, easy access exists. It’s a matter of the relying parties (financial institutions, retailers, government agencies, health care and corporations) choosing to use it. But the past year has demonstrated that no company is safe from breach, so the hand may finally be forced.
The mobile is the ideal additional identity factor because it is virtually glued to the vast majority of consumers. As biometric handsets are becoming the norm, every authentication can readily include multiple factors.
And yes, biometrics are not perfect. The latest Chaos Computer Club spoof that has hackers recreating fingerprints from high-resolution photographs has the mainstream media in a panic. The reality, however, is that a hacker would need multiple high-resolution images, the means to recreate the fingerprint and knowledge of which fingerprint to use (not easy tasks), and then access to the device. This spoof is not as simple as some would make it out to be.
If a PIN were used instead of a fingerprint, it would be much easier to shoulder surf that information. So, yes, biometrics are vulnerable but still better than most other authentication schemes available. Unless you are a corporate executive transferring millions of dollars from your handset or a government official with access to classified data, the odds that someone will want to go to the lengths needed to copy your fingerprint are slim.
In the future biometrics may just be one factor of authentication. Accessing information will be a simple exercise — receive a one-time passcode on the mobile, authenticate to an app and access a system or service … or maybe it won’t require any exercise at all.
Just sit down at a computer with mobile in hand, or pocket, and access what you need. The authentication or identity verification will take place in the background, as long as typical patterns are observed.
The Internet of Things dovetails with this as well. While the term has been floated for more than a decade, in 2014 it truly surfaced. The new devices connected online – cars, wearables, thermostats – can serve as identity attributes for authentication.
Adjusting the thermostat, driving to work, and a morning run can all be used as authentication factors, evaluating individual patterns throughout the course of a normal day. It’s similar to the fraud alert systems that credit card companies use, monitoring events for normal and out-of-norm behaviors.
It’s essential that these connected devices are secure and that no one else can gain access to them or the data they generate. Again, a biometric-enabled mobile will be key to this process.
There’s a palpable optimism in the air. I think change is on the horizon and it’s just a matter of time before banks, retailers and others embrace mobile as an identifier to make accessing information easy and secure.
The cliff’s edge can be frightening, but the alternative has already proven unacceptable.