Dear Password Pt. 4

Posted on 20 October 2018

Over the course of this rant, I have investigated abhorrent password practices and how they affect our users; despicable “enhancements” to passwords; and the contemptible use of parts of humans in our authentication practices. But, surely, we can do better? What if a user could just sit down and start working without going through any rigmarole of proving who they are? What if the system just knew who the user currently dealing with it is? What if the system was just… omnipresent?

Utopia

Could a system know exactly where a specific person is at any particular time in order to know their identity?

This idea isn’t too “Big Brother” and already exists in the form of the radical notion of “ubiquitous authentication”. Fundamentally, a system receives input from a variety of sources (or “informants”) regarding the user. These inputs include biographical data, location data, transaction data, and chronographic data. Using this data, the system can construct a digital presence of each of its users, and so know exactly who is interacting with it at any point in time.

The digital presence can then allow the system to authenticate a user without requiring any input from the user. Yes, the user is ubiquitously authenticated without any express interaction! No passwords, no one-time passwords, no dirty fingerprints. Though it sounds utopian, this idea is not very far off.

So, can a simple, everyday task such as typing be made into an authentication method? Keystroke dynamics authentication has been around for more than a decade, but still has not found any mainstream adoption. It involves monitoring the user as they type, and determining which user is doing the typing, or whether it is still the same user making use of the device. A similar technique can be applied to mouse movements.
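As an added illustration of the keystroke dynamics idea above (constructed example, not code from the post or from any product), the following enrols a user from a few typed samples of a phrase, then scores a new sample by how far its dwell and flight timings stray from the enrolled profile. Timestamps, the stdev floor and the threshold are all assumptions for the example.

```python
"""Keystroke-dynamics verification on constructed timing data.

A sample is a list of (key_down, key_up) timestamps in milliseconds for one
typed phrase. Features are dwell times (how long each key is held) and flight
times (gap between releasing one key and pressing the next). Enrolment stores
the per-feature mean and standard deviation; verification computes the mean
absolute z-score of a new sample against that profile (lower = more alike).
"""
import statistics

STDEV_FLOOR_MS = 5.0  # assumed floor: avoids division by zero and over-tight profiles


def features(sample):
    """Return [dwell_1..dwell_n, flight_1..flight_(n-1)] for one typing sample."""
    dwell = [up - down for down, up in sample]
    flight = [sample[i + 1][0] - sample[i][1] for i in range(len(sample) - 1)]
    return dwell + flight


def enrol(samples):
    """Build a (mean, stdev) profile per feature from several samples of one phrase."""
    vectors = [features(s) for s in samples]
    if len({len(v) for v in vectors}) != 1:
        raise ValueError("all enrolment samples must type the same phrase")
    profile = []
    for column in zip(*vectors):
        sd = max(statistics.pstdev(column), STDEV_FLOOR_MS)
        profile.append((statistics.fmean(column), sd))
    return profile


def score(profile, sample):
    """Mean absolute z-score of a sample against the profile; lower is closer."""
    vec = features(sample)
    if len(vec) != len(profile):
        raise ValueError("sample length does not match the enrolled phrase")
    return sum(abs(x - m) / sd for x, (m, sd) in zip(vec, profile)) / len(vec)


def verify(profile, sample, threshold=2.0):
    """Accept the sample as the enrolled user if it scores under the threshold."""
    return score(profile, sample) < threshold


# Constructed data: a 4-key phrase typed three times by the enrolled user,
# then one more sample from that user and one from a much slower typist.
ENROLMENT = [
    [(0, 90), (150, 240), (300, 380), (460, 550)],
    [(0, 95), (160, 250), (310, 385), (470, 560)],
    [(0, 85), (145, 235), (295, 375), (455, 545)],
]
SAME_USER = [(0, 92), (155, 245), (305, 382), (465, 552)]
OTHER_USER = [(0, 150), (400, 560), (900, 1020), (1500, 1700)]
```

Run continuously, the same `score` over a sliding window of recent keystrokes gives the "is it still the same user" check the post mentions.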

More extreme approaches have also already been seen. Researchers in Italy have set up an array of detection devices to recognise embedded devices (that is, devices implanted in the user). Videos have been uploaded to YouTube with instructions on how to implant an RFID chip into someone’s hand.

The reactions to the cited videos have not been overwhelmingly positive. But, that didn’t stop a company in Sweden from offering its office employees the option of having RFID chips (voluntarily) implanted to make their lives at work easier. These examples are undoubtedly taking ubiquitous authentication to… an uncomfortable extreme, and it is positively not something I am advocating for users at all!

The inputs I propose would come from existing sources such as a mobile device the user happens to be carrying, Internet of Things devices, and smartspace interactions. All the sources would contribute to a central presence of the user, which a system requiring authentication of that user can then query. To be useful for the authentication process, the sources need to work together, each providing its own information about the user.

Designing and implementing such a ubiquitous authentication system will be a grand undertaking, will take a considerable amount of time to complete, and is well beyond the scope of this paper. The design of such a system should consider not only its usability, but its own security as well.

The idea of non-interactive, ubiquitous authentication sounds grand, but it could lead to an Orwellian fear of the system. While it can be argued that users might find it unsettling at first, it could very well become a norm. This argument is supported by the fact that two decades ago the idea of sharing one’s everyday menial activities with the world would have seemed laughable. However, thanks to the social infiltration of social media, sharing the mundane has become a social norm.

We should view ubiquitous authentication in this same light, where users will eventually become “used to it” – especially if it does not require any additional inputs (or implants) from the user.

In Closing

If it has not been clear yet, I have defiantly put my foot down and said “no more” when it comes to passwords, tokens, and biometrics.

Passwords have been weak since their inception, yet more and more information systems rely on them. Authenticators only add deployment costs and high operation costs, along with heightened frustration from users. And biometrics have never been as secure as the media make them out to be. But, what do all of these “security mechanisms” have in common? The human!

Instead of looking at how these existing technologies can be secured, improved, or enhanced, I should completely “re-examine” authentication, starting by cutting out the weakest link entirely – the human. The idea of ubiquitous (omnipresent) authentication is nothing new. But, it will take a new way of thinking about our users to make it useful (and bearable) for them. Ultimately, it will take a big step to convert completely.

Given time and the right technology, the demise of passwords and their ilk will no longer be only a futuristic utopia.

However… given some thought… will it be the utopia that mankind expects?