There seems to come a point in time when all industries hit an inflection point – where the old ways of doing things cede to the new.
We’ve reached this point in identity and access management (IAM) and with password-based authentication. The password is going away, being displaced by biometric authentication.
We’ve seen this countless times – examples are not hard to find.
Look around and you’ll see specialty metals and 3D metal printing reshaping the aerospace industry and the electric vehicle changing the course of automobiles. Before that, Apple transformed consumer telecom with the touch-screen phone, glass fiber replaced copper wire for high-speed broadband, minicomputers displaced mainframes … The pattern repeats the further back you look.
Passwords seemed to work through most of their first three decades of existence, principally securing email and a handful of one-off applications. But at scale, they fail miserably.
Passwords need to be easy to remember, but at the same time hard to guess. They need to be paired with a user ID and application some 70-80 times for the average adult, changed often, and not written down. For starters, nobody does this! It’s not surprising – there’s nothing comparable in the natural world.
So, we invented ways to cache and store them in keychains and browsers, and to hide them behind single sign-on. But, importantly, passwords also need to be kept secret. Storing 80 or so of them behind yet another single password is perhaps not the best way to do that. And we are all actively targeted and tricked by phishing and business email compromise (BEC) attacks, which makes those secrets hard to keep.
We’ve learned to not trust passwords anyway, and we have added two-factor authentication (2FA) … those pesky one-time codes sent via email, text or voice message that agonize workers and send customers scurrying away from their online shopping carts.
Back in IT operations, where so many enterprise systems have evolved over time, we end up with various siloed applications and user stores, niche 2FA, custom integrations, and more, all adding cost and complexity.
This is not exactly a Six Sigma “keep it simple” approach, and it shows, because this heavily burdened IT / IAM security function doesn’t seem to work very well. The constant stream of data breaches and ransomware attacks that trace back to compromised passwords proves it … just a few from recent headlines as a reminder: Aramco $50m data leak, Microsoft espionage attack, Colonial Pipeline attack, SolarWinds attack.
But this exposes a second, more sinister issue with passwords: they prove knowledge of a “shared secret”, and that knowledge is used to infer “identity”. This was about as close to identity as we could get when passwords were invented in 1960, but in 2021 this is a very risky assumption.
To illustrate this point, imagine, if you will, a work environment where faceless people pass about having entered through doorways opened by a company issued card. People arrive, faces covered, show the card and get in. Then they interact with each other only in short, nondescript phrases: “here is your file”, “may I see the report”, “please allow me access.” Of course, nobody would find this an acceptable workplace, but it’s analogous to the way password-based authentication works. You have the passcode, you are in.
These logins based on passwords and one-time codes are not bound to proven identities. This allows anonymous and, in some instances, malicious users to operate behind legitimate logins. So as passwords get shared, hacked and stolen, the risk of business disruption by impostors posing as legitimate users increases. Eric Snowden, for example, logged in as his co-workers. If the login had verified his identity, authentication would have failed and his scheme would never have succeeded. Mr. Snowden had the credentials, but not the identity. Systems checked the former, not the latter.
So at the inflection point of the IAM industry, we are seeing the convergence of identity and authentication and a shift from password-based authentication to identity-based authentication.
When we log in with identity, we eliminate the password on the one hand and, on the other, bolster authentication with an identity-proofed login, so that administrators know with certainty, for the first time, who is accessing corporate IT networks … because the login is tied to an identity. But what is an identity, and how can it be tied to a login?
In Part 2 of this series, I’ll take a closer look at digital identity and its role in the journey to passwordless authentication.