The Future Of Web Authentication

After years of relying on passwords, technology vendors -- and enterprises -- are ready for new methods of proving user identity.
It may have been drawn two decades ago, but the old New Yorker cartoon still rings true: "On the Internet, nobody knows you're a dog."
"It's really easy to be whoever you want to be on the Internet," says Paul Simmonds, a board member of the Jericho Forum, a group of security thought leaders dedicated to advancing secure business in open network architectures. "We've known about it as an industry for 20 years. We've done almost nothing about it. So shame on us."
The process of authenticating users online -- that is, verifying that you are who you say you are -- has remained largely unchanged for years. When Internet users register to get access to a website, they provide an online service, called a "relying party," with personal information to prove their identity. They create user names and passwords, and forever after use that combo to prove their identity to the relying party when logging in. It's simple, it's intuitive -- and it's highly insecure.
The user name-password approach is "the lowest common denominator for authenticating," says Clain Anderson, director of software at Lenovo. It's "like using sticks and rocks versus a rocket launcher," he says.
In the near term, vendors and researchers are supplanting or augmenting passwords with easier and cheaper authentication factors, such as fingerprints, mobile phone tokens and digital certificates based on asymmetrical cryptography. Along the way, a number of industry coalitions are working on replacing passwords altogether.
Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.