And now for something really special. My colleague Ant Allan has written a blog on the recent NIST moves to fund alternatives to passwords. Enjoy!
So, NIST intends to provide tens of millions of dollars in funding for people to develop and commercialize something better than legacy passwords, as part of the National Strategy for Trusted Identities in Cyberspace (NSTIC). [http://www.washingtonpost.com/business/capitalbusiness/nist-seeking-to-move-beyond-passwords/2012/02/06/gIQAtjU1NR_story.html]
But surely we already have enough alternatives to passwords? NIST’s spokesman, Jeremy Grant, notes that other technologies, “such as smartcards and tokens that generate [one-time] passwords [OTPs]” are used but haven’t caught on. In the 12 years I’ve been with Gartner – and mostly in the past five or six years – we’ve seen a huge growth in the availability and uptake of other alternatives that do without dedicated hardware devices, including enhanced password methods (simple approaches that allow a user to scramble a memorized password), a few different ways of using someone’s mobile phone as a kind of authentication token, and new biometric authentication modes such as typing rhythm. And these undoubtedly offer organizations better tradeoffs of total cost of ownership (TCO) and user experience (UX) against authentication strength — we’ve seen clients migrate away from legacy hardware tokens as a way of reducing TCO, improving UX or both, and others move away from legacy passwords as these methods lower the price point of improved security. (They might not be as strong as X.509 smart cards and OTP tokens, but they can be strong enough.) And in many countries’ financial services systems, regulators identified several years ago that passwords alone are insufficient, so there are already many mature implementations of authentication methods beyond legacy passwords.
And yet… and yet legacy passwords — which both logic and empiricism tell us are critically flawed — remain the most widely used authentication method over a wide range of use cases where they are no longer appropriate. (Legacy passwords can still be appropriate where risks are minimal, of course, although there can still be reasons to seek an alternative method: for example, clients tell us that many users struggle to remember passwords that they use only every several months or every year.)
So, will this NIST funding stimulate the evolution of existing technologies or will we see something wholly new? Possibly something that combines both or exploits existing technologies in a novel way. Our Burton IT1 colleague Bob Blakley has suggested that recognition technologies, which combine passive biometric technologies and broad aggregations of contextual information about a user, will lead to the demise of (traditional) authentication (see “Maverick Research: The Death of Authentication” [http://www.gartner.com/resId=1818025]). I’m not convinced about this — and Avivah Litan, Bob and I will be debating this on stage at the upcoming Gartner IAM Summit in London [http://www.gartner.com/technology/summits/emea/identity-access/] — but I think it’s inevitable that these recognition technologies will increasingly play a part. Indeed, they are already used, albeit from a different angle — Web fraud detection tools already make use of a variety of contextual information to dynamically assess risk, and so to determine whether the user’s initial authentication (say, by password) provides a sufficient level of trust for the transaction at hand, or whether a stronger step-up method should be demanded. Adoption of such techniques is part of a best-practice layered approach to security (see “The Five Layers of Fraud Prevention and Using Them to Beat Malware” [http://www.gartner.com/resId=1646115]). (So, Bob’s research may not be as “maverick” as some might think!) I’d certainly expect NIST’s initiative to attract proposals along these lines.
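To make the contextual, risk-based idea concrete, here is a small added illustration (not code from the original post, from Gartner or from any product mentioned above) of how a login can be scored on contextual signals and routed to allow, step-up or deny. The signal list, the weights and the two thresholds are assumptions chosen for the example; a real fraud-detection engine would use many more signals and tune the weights against observed fraud.

```python
"""Contextual (risk-based) authentication decision: added example, not from the original post.

A password alone is treated as sufficient only when the surrounding context
looks like the user's normal behaviour; otherwise a stronger method is
demanded (step-up) or the attempt is refused outright.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Illustrative weights and thresholds (assumed for this example, not taken
# from any product). Higher means more suspicious.
RISK_WEIGHTS: Dict[str, int] = {
    "new_device": 20,        # device never seen for this user
    "unusual_country": 25,   # country outside the user's normal set
    "off_hours": 10,         # outside the hours the user normally signs in
    "anonymizer_ip": 20,     # proxy/VPN/Tor exit according to IP reputation
    "known_bad_ip": 60,      # IP currently listed as a fraud/botnet source
    "recent_failures": 15,   # several failed attempts in the current window
}
STEP_UP_THRESHOLD = 20       # at or above: require a second factor
DENY_THRESHOLD = 60          # at or above: refuse the attempt


@dataclass
class UserProfile:
    """What the system has learned about a user's normal behaviour."""
    known_devices: Set[str]
    usual_countries: Set[str]
    usual_hours: range         # local hours (0-23) the user normally signs in
    recent_failures: int = 0   # failed attempts in the current window


@dataclass
class LoginContext:
    """Contextual signals observed on a single login attempt."""
    device_id: str
    country: str
    hour: int                  # local hour of the attempt, 0-23
    ip_reputation: str         # "clean", "anonymizer" or "known_bad"


def score_login(ctx: LoginContext, profile: UserProfile) -> Tuple[int, List[str]]:
    """Return the total risk score and the list of signals that fired."""
    signals: List[str] = []
    if ctx.device_id not in profile.known_devices:
        signals.append("new_device")
    if ctx.country not in profile.usual_countries:
        signals.append("unusual_country")
    if ctx.hour not in profile.usual_hours:
        signals.append("off_hours")
    if ctx.ip_reputation == "anonymizer":
        signals.append("anonymizer_ip")
    elif ctx.ip_reputation == "known_bad":
        signals.append("known_bad_ip")
    if profile.recent_failures >= 3:
        signals.append("recent_failures")
    return sum(RISK_WEIGHTS[s] for s in signals), signals


def decide(score: int) -> str:
    """Map a risk score to an authentication decision."""
    if score >= DENY_THRESHOLD:
        return "deny"
    if score >= STEP_UP_THRESHOLD:
        return "step_up"
    return "allow"


def evaluate(ctx: LoginContext, profile: UserProfile) -> str:
    """Convenience wrapper: score the attempt and return the decision."""
    score, _ = score_login(ctx, profile)
    return decide(score)


# Constructed sample data for one hypothetical user and four attempts.
ALICE = UserProfile(
    known_devices={"laptop-7f3a"},
    usual_countries={"GB"},
    usual_hours=range(7, 20),
)
SAMPLE_LOGINS: Dict[str, LoginContext] = {
    "usual":             LoginContext("laptop-7f3a", "GB", 9, "clean"),
    "new_phone":         LoginContext("phone-0c21", "GB", 9, "clean"),
    "travel_new_device": LoginContext("phone-0c21", "US", 3, "clean"),
    "botnet_ip":         LoginContext("laptop-7f3a", "GB", 9, "known_bad"),
}

if __name__ == "__main__":
    for name, ctx in SAMPLE_LOGINS.items():
        score, signals = score_login(ctx, ALICE)
        print(f"{name:18} score={score:3d} -> {decide(score):8} {signals}")
```

The point of the layered approach is visible in the last case: the password may well be correct, but a known-bad source address is enough on its own to refuse the attempt, while an unfamiliar device in the user's usual country merely triggers a step-up rather than a refusal.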
But NIST’s initiative has a broader scope even than this. NIST’s Grant also says that any new authentication methods might, for example, work at multiple business and government bodies. This extends the initiative from the realm of authentication and recognition methods into the realms of identity federation using established standards (SAML, WS-Federation) and emerging protocols (such as OpenID and OAuth), where bodies such as the Kantara Initiative are already working on the supporting governance and legal frameworks. NSTIC will encompass all of this.
I’m not sure if this doesn’t muddy the waters. My feeling is that the pilots for authentication methods and interoperability frameworks should be discrete, resulting in services that organizations can plug together according to their needs. If single proposals do address both aspects, I’d hope that the parts could be easily decoupled. If the NIST initiative stimulates the development of the ideal authentication (or recognition!) technology, it will not be as useful if it’s inseparable from a novel interoperability framework — that will be a barrier to adoption by organizations that have already invested in SAML federation, for example (unless vendors can be unusually prompt in adopting the new technology!). I’d expect to see the first real-world implementations being messy hybrids… and those might be rather persistent.
I’d be very interested in hearing people’s thoughts on this!
PS. Thanks to Gregg and Avivah for their suggestions. Any errors that remain are purely my own.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.