Most people who use IT or Internet applications would agree that the current username/password mode of authentication is cumbersome, ineffective, and obsolete. According to ESG research, 55% of information security professionals working at enterprise organizations (i.e., more than 1,000 employees) believe that username/password authentication should be completely eliminated or relegated to non-business critical applications only.
Recognizing the foibles of usernames and passwords, ESG research indicates that 57% of enterprise organizations use multi-factor authentication technologies. Unfortunately, multi-factor authentication technology has been too expensive and complex to roll-out across enterprises or offer to online consumers.
While username/password authentication remains a cybersecurity conundrum for infosec professionals and consumers, it represents a potential goldmine for tech entrepreneurs, startups, and VCs. It seems like there is a new company or innovation announced each day – all offering cheaper and simpler multi-factor authentication alternatives.
Yup, there are many promising new multi-factor authentication technologies available today but many new authentication firms will likely end up in the VC dustbin. Why? They are still focused on a “top-down” model where identification authorities deploy technology infrastructure and mandate what users must do to access applications. So even though multi-factor authentication is cheaper and easier than it was in the past, these vendors are still setting up the same old environment characterized by disparate authentication infrastructure, a lack of integration, and user complexity as they manage tokens, one-time-password technologies, and biometrics.
Note to VCs: There is an ongoing trend called IT consumerization that has been in play for about 10 years or so. Sarcasm aside, I believe that IT consumerization will lead to a derivative movement called BYOA: Bring Your Own Authentication. Rather than enterprise IT, users (i.e., consumers and employees) will drive ubiquitous multi-factor authentication because of factors like:
- Mobile biometrics. Apple’s iPhone 5 thumbprint reader will be remembered as a seminal event in the consumerization of multi-factor authentication. Not only will this technology improve, but it will soon be available on Android and Windows phones. Other biometric technologies like eye scans, facial recognition, and voice recognition will join thumbprint readers adding choice, competition, and pricing pressure to the market.
- Mobile authentication infrastructure. Biometrics will act like a key but there will be an increasing number of doors and locks in the cloud. For example, Apple is extending its multi-factor authentication infrastructure into iCloud to align identity and policy. Furthermore, it appears that Apple has filed a patent to extend its authentication technology by adding location as another type of identity attribute. This technology has the potential to use mobile phones to identify an individual, device, and location – a rich combination for anti-fraud and policy enforcement decisions.
- Industry standards. The big kahuna here is the Fast Identity Online (FIDO) alliance with “who’s who” members like ARM, Blackberry, Google, Lenovo, Microsoft, RSA Security, and Samsung. When mobile devices are instrumented with FIDO clients, they can become universal authenticators to a potpourri of consumer and enterprise applications.
- Consumer services. While enterprises struggle with multiple authentication infrastructures and legacy application integration, consumer-oriented services for online banking, credit card clearing, and eCommerce sites will take a leadership role in multi-factor authentication. Case in point, Bank of America, Discover Card, MasterCard, PayPal, and Visa are all board-level members and soon-to-be adopters of FIDO. These highly-visible firms will eschew usernames/passwords in favor of multi-factor authentication, setting the pace and tone for everyone else.
We’ve seen this movie before! A few years ago, users brought Android devices and iPhones to work and demanded connectivity to applications. Pretty soon they are going to bring biometrics to work and demand that these technologies be used in place of username/password authentication. Thus, BYOA.
The foundation for BYOA is being built today and will mature quickly over the next few years. With this in mind, CISOs should think twice about banking on some promising but proprietary authentication technology for enterprise-only use. As an alternative, large organizations should closely monitor BYOA trends, commit to industry standards, and prioritize legacy and BYOA integration strategies.