The story of digital authentication started in an MIT lab in 1961, when a group of computer scientists got together and devised the concept of passwords. Little did they know the anguish it would cause over the next 50 years. Today, most people possess more than 90 username-and-password combinations and would rather click “Reset password” than try to remember them all.
Unfortunately, passwords are not only inconvenient, but dangerous as well – it’s a problem the world has been grappling with for the last 20 years, at least. Somewhere in the background, though, the authentication wheel has been turning and recently, at the Apple Worldwide Developer Conference (WWDC), two promising announcements were made.
But first, let’s backtrack a bit…
Everybody loves pizza
Authentication has evolved in several interesting ways. Two-factor authentication, for example, was developed in response to account takeover fraud – and it had its place. But when people started doubling up on the knowledge factor, we started seeing instances of knowledge-based authentication where, if you forgot your password, you could enter your mother’s maiden name, the title of your favorite book or your favorite food. Attackers could still succeed by guessing because, as it turns out, most people like pizza!
What if those scientists had started out differently and looked more closely at how other valuables were being protected?
House and car keys, for example, still represent strong possession factors that grant access to high-value assets. They’ve been used for ages with great success and, as a result, make the concept of possession as a primary factor easy for users to understand: “keep your keys safe, it grants you access.” There was never a need to add an extra layer of authentication.
Fast-forward to the digital era, and car keys have evolved to enable keyless entry. Houses, too, are commonly accessed with a remote. In both cases, unique challenge-response mechanisms are used for every transaction, making them impossible to intercept or copy.
Which brings me back to the first of two Apple announcements mentioned earlier.
Where physical meets digital
After much experimenting with identification and endpoints, the iPhone can now act as a car key. Though Apple devices are protected by biometrics and PINs, isn’t it ironic that after all this time, the iPhone – in all its sophisticated glory – has become like a physical key in a sense?
Had that MIT team been able to use an uncopiable “digital key,” perhaps today’s digital world would not be littered with billions of passwords, and attackers would have had to physically approach their victims to steals their keys. That would have cost money and exposed them to capture, making attacks much more costly and risky when compared to attacks that are carried out by sending out thousands of phishing emails at a time.
Of course, there have been several attempts to come up with alternatives. Many dedicated hardware devices have been used over the years with varying degrees of success, but no-one has ever hit the nail on the head.
Some companies allocated a number but did not generate it themselves. Instead, they used a number found or calculated on the device (like the phone’s IMEI or browser fingerprinting), breaking the challenge-response paradigm and nullifying the isolation principle. Others issued physical hardware (like keys) that created cost and distribution challenges, not to mention them being yet another thing for users to carry around.
A vision of endpoint perfection
Companies entering this space need to recognize the value of secure endpoints and find a solution that will:
- Ensure that each endpoint instance is allocated a unique, once-off value
- Ensure that each challenge-response mechanism is unique every time
- Limit the “key” to a single use and having a unique “key” for each mobile app
- Have the ability to issue new keys for each new use case and make the linking easy
- Have the ability to issue keys to devices that users already have in their possession
This can result in stable endpoints. Though certain requirements may force a business to include passwords here and there, the endpoint always needs to be the anchor.
When looking at companies that applied the security principles mentioned above, many arrived at similar solutions. The FIDO Alliance, for example, launched eight years ago to tackle the world’s over-reliance on passwords. They chose to focus mainly on protecting website logins. However, there are ways that businesses can obtain certifications and become FIDO compliant.
Android announced that FIDO would be built into their devices. Microsoft then followed suit, adding it to their authentication setup in Windows (Windows Hello). Only one dominant player remained – Apple – and they were silent. Then, suddenly, with iOS 13.3, Safari started supporting external FIDO tokens. So, when Apple joined the FIDO Alliance in February this year, many were already anticipating a WWDC unveiling – yes, the second announcement.
Now, the endpoint puzzle is finally complete and later this year, all major desktop (Windows and macOS) and mobile (iOS and Android) operating systems will feature built-in FIDO authenticators operating as secure endpoints.
Trusted endpoints: Where we need to be
The vision of trusted endpoints is becoming a reality and finally, context-specific identities can be provisioned into most consumer devices. Consumers can now trust in a physical device, not in some digital thing that can easily be lost or forgotten.
To succeed, attackers will need to gain access to the physical device, which is not easily done.
Of course, there are many challenges we still need to tackle. However, they pale in comparison to the potential that now exists to create exciting new customer journeys using a universal platform authenticator.