Where does trust come from? In Ericka Chickowski’s article on the future of the internet’s authentication mechanisms, she raises the question of whether trust should be driven by our browsers rather than by our passwords. Having recently written on the death of the password, I thought it important to touch upon the user’s ability to decide whom to trust, rather than having that decision ‘assumed’ for them.
Today, if you want a higher level of security than a username and password, some form of trust needs to be established. A user’s ‘trust’ typically comes from a strong authentication device such as a one-time password (OTP) token or a certificate-based device like a USB token or smart card. But for a user’s online identity to be trusted, the strong authentication provider (the origin of trust) itself needs to be secure: every credential the system accepts is derived from that origin, so a compromise at this point has the potential to undermine the entire trust system. For certificate authorities (CAs), maintaining trust means following strict policies to verify the identity of those who are issued a certificate. Second, the CA must have strong security controls in place to keep from being compromised (e.g. as we’ve experienced with DigiNotar and other recent attacks). If these best practices are adhered to, then there should be a high level of assurance that certificates from the CA are valid.
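To make the ‘origin of trust’ concrete for the OTP case, here is an added example (my own illustration, not code from the original article or from any vendor) of a minimal RFC 4226/6238 OTP verifier. It uses the published RFC test secret (the ASCII string 12345678901234567890) and a hypothetical user name, and it shows two things the paragraph above only states: the verifier must hold the same seed as the token, so a copy of the seed store lets anyone mint valid codes for every enrolled user; and even an uncompromised verifier needs replay protection, because a code stays valid for the whole time window.

```python
import hmac
import hashlib
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of the last byte picks the window
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time (default 30-second step)."""
    return hotp(secret, unix_time // step, digits)


class OtpVerifier:
    """Server side of the trust relationship.

    The verifier holds every user's seed in clear (it has to, to recompute the HMAC), which is
    exactly why it is the origin of trust: whoever copies this store can impersonate every user.
    """

    def __init__(self, step: int = 30, digits: int = 6, window: int = 1):
        self.step, self.digits, self.window = step, digits, window
        self.seeds: dict[str, bytes] = {}          # user -> shared seed (also burned into the token)
        self.last_counter: dict[str, int] = {}     # user -> last time-step counter we accepted

    def enroll(self, user: str, seed: bytes) -> None:
        self.seeds[user] = seed

    def verify(self, user: str, code: str, unix_time: int) -> bool:
        seed = self.seeds.get(user)
        if seed is None:
            return False
        counter = unix_time // self.step
        # Accept +/- window steps to tolerate clock drift, but never a counter at or below
        # the last accepted one: a sniffed code must not be replayable inside the window.
        for c in range(counter - self.window, counter + self.window + 1):
            if c <= self.last_counter.get(user, -1):
                continue
            if hmac.compare_digest(hotp(seed, c, self.digits), code):
                self.last_counter[user] = c
                return True
        return False


def forged_code_from_leaked_store(leaked_seeds: dict[str, bytes], user: str, unix_time: int,
                                  digits: int = 8) -> str:
    """What an attacker does with a copy of the verifier's seed store: no token needed."""
    return totp(leaked_seeds[user], unix_time, digits=digits)


if __name__ == "__main__":
    RFC_SEED = b"12345678901234567890"             # RFC 4226/6238 test secret (constructed demo input)
    v = OtpVerifier(digits=8)
    v.enroll("alice", RFC_SEED)                   # hypothetical user
    print(v.verify("alice", "94287082", 59))      # RFC 6238 vector at T=59 -> True
    print(v.verify("alice", "94287082", 59))      # same code replayed -> False
    # Seed store stolen from the provider: the attacker now authenticates as alice at will.
    stolen = dict(v.seeds)
    print(v.verify("alice", forged_code_from_leaked_store(stolen, "alice", 1111111109), 1111111109))
```

The compromise shown in the last lines is the same failure mode as a CA key compromise, translated to OTP: the secret is correct, the protocol is correct, and the check still passes for an impostor because the origin of trust itself leaked. Storing seeds in an HSM or encrypting them at rest does not change the protocol at all; it only changes how hard that last step is for the attacker.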
If the security industry has indeed reached a point of maturity, then why are so many companies still relying on username and password as their front line of defense? While I think the security industry has made significant strides in building stronger layers of security, there is still work to be done to move users onto strong authentication technology. Today, one of the biggest challenges is getting users to adhere to security practices at all. It is essential that users move away from username and password, but it has to be done in a way that is convenient and easy to use. The recent demo at Microsoft’s Build conference of OTP functionality being built into Windows 8 holds promise for this combination of security and convenience.
While there are many technologies out there, until we move away from user-controlled security (i.e. where the user gets to set their password), we will continue to have issues. There is much that can be done to strengthen the technology layers, but the focus needs to be on hardening access controls through strong authentication.