The Future Of Web Authentication

After years of relying on passwords, technology vendors -- and enterprises -- are ready for new methods of proving user identity.
Tie It All Together With A Long Leash

The approaches vying to replace user names and passwords aren't mutually exclusive. With some integration work, multiple forms of authentication, such as mobile biometrics and a federated identity, could be tied in with a framework like OAuth to make it easy for people to sign on to all their online accounts.

But there are so many pieces to Web authentication that some sort of pattern is needed to keep things from snarling. It will be tough to do, but a number of coalitions and nonprofit brain trusts are working on it.

Jericho Forum's Simmonds and a consortium of U.K. security colleagues are trying to create technology that's similar to OneID through a nonprofit called the Global Identity Foundation.

This group maintains that there's no good way for people to assert their identities online. It supports building a stronger identity foundation by identifying and enrolling a user's core identity in a system on his computer, and then breaking up user attributes into contained personas. So, for example, one persona might be related to a person's login information to a social media site, and it would only contain attribute information around the user's online handle and email address. The same person's "citizen" persona would handle login information for government sites and might have attributes such as Social Security number and voter registration information. A retail account may have attributes such as credit card information.

The idea is that core identity information is encrypted on the user's system, and something like biometrics technology must be used to unlock the appropriate encrypted information. When a person wants to make a transaction, that system would connect with the online server and only offer information within the personas that are relevant to that online system -- so an online purchase may be able to pull from the citizen and retail personas, but posting on a social site could only pull from the less-risky social persona.

"The bad guys can't spoof it," Simmonds says of this type of distributed system. "So even if they take the identity, they can't assert it because they don't have the crypto components that go with it, because you hold those yourself."

On another front, a newly formed group called the Fast IDentity Online, or FIDO, Alliance is trying to tackle Web authentication by creating a comprehensive open architecture specification designed to act as the glue between technology built into devices, strong-authentication devices and software, and the relying parties' server infrastructure. This group wants to create a platform for FIDO-enabled devices to provide interoperability between all the products that make up the authentication ecosystem.

"It's standard plumbing," says Dunkelberger of Nok Nok, a founding member of FIDO. The alliance hopes to standardize the way relying parties enroll users and their devices, and provide a standard way to inventory devices to find out what FIDO-enabled authentication elements -- such as software tokens, fingerprint readers, cameras and microphones -- they contain.

Such a spec tells the back-end system, "Here's all of the elements you can use to establish a multifactor connection to this person and device," Dunkelberger says. Then it enrolls the user and provisions the encryption keys on both sides for the challenge-response. "And it does it in a standard way, regardless of authentication, regardless of single sign-on, regardless of any of those things," he says. "Everybody wins because we're not out there goring anybody's ox. We don't pick winners on any of those things in the stack."
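Reduced to its essentials, the enroll-then-challenge-response flow Dunkelberger describes, together with the property Simmonds describes (a stolen identity record is useless without the crypto components held on the user's device), looks like this. It is an added example in Go, not FIDO Alliance code or any spec's wire format; it uses Ed25519 from Go's standard library, and the relying-party ID, the `verified` biometric gate and the single-use challenge table are assumptions of the example.

```go
package main

import "crypto/ed25519"
import "crypto/rand"

type RelyingParty struct {
	ID      string                       // site identity, bound into every signed response
	Keys    map[string]ed25519.PublicKey // user -> enrolled device public key (useless to a thief)
	Pending map[string][]byte            // user -> outstanding single-use challenge
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, Keys: map[string]ed25519.PublicKey{}, Pending: map[string][]byte{}}
}

type Authenticator struct {
	priv     ed25519.PrivateKey // never leaves the device
	verified func() bool        // hypothetical biometric gate, standing in for a fingerprint reader
}

func NewAuthenticator(verified func() bool) (*Authenticator, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // only pub is handed to the relying party
	return &Authenticator{priv: priv, verified: verified}, pub, err
}

func (rp *RelyingParty) Enroll(user string, pub ed25519.PublicKey) { rp.Keys[user] = pub } // registration

// Challenge issues a fresh random nonce for one login attempt.
func (rp *RelyingParty) Challenge(user string) []byte {
	c := make([]byte, 32)
	_, _ = rand.Read(c) // crypto/rand; a short read would be a platform failure
	rp.Pending[user] = c
	return c
}

// Sign answers a challenge (nil if user verification fails); binding rpID into the message blocks cross-site replay.
func (a *Authenticator) Sign(rpID string, challenge []byte) []byte {
	if !a.verified() {
		return nil
	}
	return ed25519.Sign(a.priv, append([]byte(rpID+"|"), challenge...))
}

// Verify checks the response with the enrolled key and consumes the challenge, so a replay fails.
func (rp *RelyingParty) Verify(user string, sig []byte) bool {
	c, ok := rp.Pending[user]
	delete(rp.Pending, user) // single use
	pub, enrolled := rp.Keys[user]
	return ok && enrolled && ed25519.Verify(pub, append([]byte(rp.ID+"|"), c...), sig)
}
```

Note that the server-side table holds nothing secret: an attacker who copies it, or who captures one signed response, still cannot produce an answer to the next challenge.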

Chart: Convenience Wins -- "What are your top two reasons for using a multipurpose identity credential that's accepted by many organizations?"

FIDO solves the problem of relying parties being unable to trust users' endpoint devices because they don't really know whether there's malware on them or other issues, says Anderson of Lenovo, which is also a founding member of the group. The open architecture provides a trusted authentication method that can work with assurance on any device, so fingerprint readers, for instance, can be tied in to verify that the right person is accessing the right machine and the right process, he says.

Most important, the open architecture can be adopted across the industry and not just by those with deep pockets, says Michael Barrett, CISO of PayPal, who's also FIDO's president.

PayPal can manage quite well using advanced risk-based authentication systems, Barrett says, but most companies aren't able to develop highly sophisticated options. "The clear mandate for the FIDO Alliance is to make the Internet a safer place for everyone by enabling the development of an ecosystem," he says, "which fosters authentication that's simultaneously easier to use than user IDs and passwords and stronger for relying parties."

Whether it's FIDO or something else, this is the combination necessary to attain the Web authentication holy grail. Tomorrow's authentication option must be more effective than today's passwords -- and as easy, and hopefully easier, to use.