Social Icons

Saturday, December 27, 2014

Why passwords won't die next year (or the years after that) | ZDNet

$8.65 billion. That is the estimated cost it will take to convert the current U.S. credit card system to EMV chip-and-pin -- roughly $27 per U.S. citizen.

What does that have to do with passwords? Killing the password won't come without its own hefty price tag for corporate and cloud service providers --
back-end/front-end technology replacements/transitions, integration,
maintenance, end-user training and support costs.

In the EMV world the costs are wrapped up in new point-of-sale (POS) terminals, ATM card-reader upgrades, and issuing new cards.

With authentication, the other important factor is liability, who pays when
things go wrong, a question the credit card industry is answering next
year.

These are transitions that take years not months.

Six Clicks

How do you keep track of all your passwords?



If you have just one password for
everything it's easy to remember, but we all know that isn't safe. So
how do you keep track of a large number of them - and not have to worry
about it?

Cloud providers like Google and Yahoo bristle
at the potential support costs and user angst that would come if
passwords were to die -- it's the virtual entry point to their
services. The bigger the service, the greater the costs.

Corporations have millions of dollars sunk in identity and access management
infrastructure. In many cases, authentication changes will be grafted onto technology such as single sign-on, which still requires a password.


Innovation won't seek to kill passwords, only contain them within a broader equation around authentication type plus value of
resource. (i.e. you'll face more authentication challenges on your bank
access than your Flickr account).

For authentication changes, liability is the true sticking point just as it has been with EMV.

The reason merchants haven't plunged into card changes that are projected
to reduce fraud by up to 40% is because merchants aren't on the hook for
fraud.

So why the EMV conversion?

On October 2015 a shift in liability will go into effect and for the first time merchants who
do not have EMV-enabled POS readers will be liable for fraud and not
Visa, MasterCard, Discover, American Express and their banking partners.

The stat that broke that camel's back was $7.1 billion in fraud in 2013, a 29% increase over 2012.

A billion anything is a powerful motivator.

On the password side, the incentive to move to more sophisticated
authentication options is in play. How the Targets, Sonys and lawyers of
the world resolve breach issues will factor prominently in strong
authentication options for the masses.

One major prediction I made in January is that the discussion around passwords will semantically
shift to authentication. Access control will be defined by specific or combined forms of authentication applied at specific times to specific classes of devices, access and transactions.

We're talking everything from security questions to capchas, passwords, biometrics,
tokens, gestures, behaviors, and other innovations. Passwords will
become authentication's failed 1.0 implementation.

Risk mitigation will define use cases, and liability will be off-loaded whether to a single identity and access management cloud provider or across a number
of services.

Privacy concerns also will influence these decisions, especially around techniques such as continuous
authentication, which raises the tracking flag.

Passwords will be used to signal that you would like to access a service, much like lining up in front of a popular nightclub. But it will take another authentication credential (a government-issued ID in the night club example) or more to gain access authorization.

There will be a range of credential options to ensure a "level of assurance" to "grade" authentication, such as in-person verification for Level of Assurance 4 credentials.

I
know of one U.S. military installation that uses a neutral "pod" (accessed with a PIV card) that sits between two rooms. The pod has a built-in scale to check the persons weight (against a database; plus or minus five pounds margin of error) followed by an iris scanner authentication. All this happens after the door to the pod is shut and before the door opens to the next room.

So don't look (or wait)for passwords to die, look at authentication as a whole, as a layer to be architected or inserted via a service provider. Think about use cases
and combinations of authenticators.

Things at first may look a little more complex (especially as authentication is integrated with other risk-based tools/strategies), but innovation should eventually put most of that complexity in the background.

It's going to be a process. But given recent events, the alternative looks much worse and the costs much higher.

 | ZDNet

No comments:

Post a Comment

 

Sample text

Sample Text

Sample Text