The user authentication issue still hasn't been solved in any effective way, but I expect 2011 to be the year some serious attempts are made -- by separate players -- to add an identity component in the fight against e-commerce’s perennial fraud issues. (It's already happening now to some degree with PCI DSS, for example, where separate players are investing their time and resources to make improvements.)
As a footnote to my last blog post, I'll say I expect 2011 will be the year we catch the first glimpse of biometric movement in the industry.
Of course, for something as game-changing as biometrics, it will take a lot of work -- from a lot of parties -- to be successful.
But if those parties can actually pull it off, if they can actually create a fingerprint sensor and connect it to an application on the Web using the right middleware, they just might have the beginning of what I believe could be a new, sustainable security industry, one that uses explicit biometric authentication for individuals. Enterprises could then modify that product to suit their needs.
In any event, it's imperative that 2011, in some significant way, inches us forward to the goal of not bothering people while they're conducting commerce on the Internet -- of not interrupting their momentum to actually buy things -- by having a single, explicit authentication from which we can infer identity, guarantee fraud isn’t being committed, and wrap our arms around e-commerce issues.
Predicting what 2011 will bring us is a tall order. But I do believe, simply from my discussions with colleagues and watching what's going on, many grassroots operations addressing these authentication concepts are currently in play, and that 24 months won't pass before they start to take a truly palpable form.
PKI, on the other hand, I do not expect to make much progress in 2011.
Consider the PKI dilemma. It will probably continue to be a dilemma because it's an infrastructure that needs to be promoted. There are some areas in the world where PKI has started, but it's not obvious whether a universal PKI will come to pass. The one-time-password type of authentication will continue to exist for quite a long time because a lot of back ends depend on it and, obviously, it's much better than having a password. Additionally, we'll start to see an overlay of these things on top of each other, perhaps phasing something in or phasing something out.
It took 15 years to get here, so it's not going to take us just one year to advance any one of these things a whole lot. But I predict we will start to see the beginning of a real evolution, if not a bona fide revolution, in 2011.
Recognized in the industry as the "inventor of SSL," Dr. Taher Elgamal led the SSL efforts at Netscape. He also wrote the SSL patent and promoted SSL as the Internet security standard within standards committees and the industry. Dr. Elgamal invented several industry and government standards in the data security and digital signatures area, including the DSS government standard for digital signatures. In addition to serving on numerous corporate advisory boards, Dr. Elgamal is the Chief Security Officer at Axway, a global provider of multi-enterprise solutions and infrastructure. He holds a Ph.D. and M.S. in Computer Science from Stanford University.