I write, from the RSA Security Conference in San Francisco, on the topic of Authentication and Identity, or as one speaker put it: turning people into the 1s and 0s that represent their identity.
This particular talk covered the huge range of options for authentication, from old-fashioned password (apparently not going anywhere, anytime soon), through to biometric identity solutions, token-based solutions, mobile, cognitive, smart-cards and many others. In his conclusion, the speaker (Michael Schwartz from Gluu) suggested that the reason passwords have not gone away is that although there are many other solutions that are more secure or more usable, passwords remain the most deployable.
He also suggested that there is no ‘silver bullet’ for authentication, and that while two/multi-factor authentication systems are desirable, the sheer number of different mechanisms (I counted around 50 just in his talk!) indicates that none of them are suitable for all usages. As application providers it’s our job to ensure high security mechanisms are appropriately applied.
As I develop the roadmap for multi-factor authentication in OX AppSuite, I’ve been struck by the sheer number of possible technologies we could implement. For businesses and prosumers, U2F authentication stands out. For mobile users, simple SMS tokens, TOTP-based authentication such as Google Authenticator or even biometric authentication are more appropriate. Each of these solutions could work better for different users in different situations. Needless to say, all of the technologies we implement will be based on open-standards, and will not be tied to specific technology vendors.
Michael’s talk also made me consider how the data gathered from different authentication processes can effectively inform the anti-abuse and fraud protocols we’re developing for our OX products. For example if we detect that a user is authenticating in an unusual manner, rather than only being able to ‘block’ or ‘alert’, we could require a second-factor of authentication. This should probably be contextual, for example if we see a login from a user’s smartphone that is suspicious in some way, we may consider that the phone is compromised, and perhaps we shouldn’t just send an SMS message as the second-factor authentication.
All of these observations are ways of stating the core security tenets that underpin our approach to security at Open-Xchange. Firstly, there is no single method or feature that ‘solves’ security (and not just authentication.) Security should be about ‘defence-in-depth’, with many overlapping defences throughout products. Secondly, security features can’t exist in isolation. The more data we can use to contextualize what is happening, combining and using data from all the security features deployed, the better we can walk the eternally tricky line between improved security and enhanced usability.
