2012: I Think I Am Whom?

As part of his 2012 Predictions, Traenk takes on tough Authentication issues


If you're a frequent reader of my blogs and articles, you know that I am no fan of password-dependent authentication processes.  There has to be something better.  Now that IBM predicts the end of the password era, we're ready for a Brave New World.

I'm predicting that the PKI era will come to us as a first step.  Digital Certificates will bring us to the Cyber-Passport age.  But there will be problems...

PKIs are easy to understand but very difficult to master.  If the DigiNotar attack taught us anything, it proved:

  1. Hackers are attacking security systems as a prelude to actual system attacks.
  2. If the security of the Security System is lacking, system security crumbles quickly.

How are most digital certificates secured?  Often, the private key is made accessible with a password.  Will your organization's users grow good password habits?  Will the hacker phone calls to get a normal password now fetch a certificate password as easily?

I think PKI can improve security, but only when the Awareness program improves the security practices.

Another alternative is biometrics/bioinformatics.  I've read stories of hackers who collect beer bottles and empty glasses from bars.  Why?  For the fingerprints, of course.  Remember those old print scanners that were a glass platen, one that collected your prints as well as my Android phone's touch surface records the traces of my login swipe?  Expect some mighty pitches from this industry.  Remember!  Once compromised, most biometric signatures/hashes cannot be updated!

What do you do in this situation?  Here again, expect these systems to become two- or even three-factor authentication systems, with "Something-You-Know" becoming a primary factor.

And what will you know?  Well, that often boils down to a password or series of challenge answers your organization's users have recorded in Facebook, right?

In short, the challenge is not technical.  Instead, it is the security practices of your people.  Want a low-cost, big return on security spend?  Rework your Awareness program, and let others be the early adopters of gee-whillikers authentication systems.

Even better?  Implement improved Awareness and Awareness Compliance checking alongside the new Authentication system.

jt
