Tuesday, April 5, 2016

Passive Authentication: The Future of Security

CYBR650 Week 3

Without change there is no innovation, creativity, or incentive for improvement. Those who initiate change will have a better opportunity to manage the change that is inevitable.
William Pollard


Security Week blogger Kevin Townsend, a guy who’s been writing about information security for 15 years, published a blog post entitled Is Passive Authentication the Future for User Authentication?  My initial reaction was to be skeptical.  The concept of being passive about security goes against everything I’ve been taught in the last few years.  I took a deep breath and decided to explore with an open mind.

Everybody hates passwords.  They are a necessary evil.  Like shaving or changing the oil in your car, they are something that has to be done.  Those who reject this concept in the name of convenience threaten everyone’s security by being the weakness in the security structure.  But mobile computing has changed the landscape as people have pushed for easier security.  Passwords have been exchanged for PIN codes.  Banks and others who have higher security requirements have started using two-step verification—you log in with a password or PIN and then must also provide a code that is sent to your smart phone.  It’s much harder to steal login information because you have to have both parts to get in.

Everything I was able to find on passive authentication was very technical in nature, like this blog post by KidoZen, which has a pretty good explanation.  But if you want the less technical version, read on…

Meet Bob, a young professional sales representative who is fully connected to the digital world through his technology.  Bob’s company feels strongly about security, but knows Bob will get around security if he’s given any opportunity to do so.  Bob logs into his corporate VPN with his chip enabled smart card and password on his corporate laptop when he’s away from the office.  Bob hates having to carry the card and has lost it on several occasions.  Bob’s company is tired of replacing them at $20 each.

Bob’s company decides to replace the smart card with a one-time-password application.  OTP apps work on a smart phone or other mobile device.  Bob had to set it up at work so the network trusts his phone and syncs the OTP which was a pain, but once it was done, all Bob has to do is open the app when he wants to login.  He provides his usual login password and the one-time password, a randomly generated number that the company and the smart phone both know.  It works great until Bob loses his cell phone. 

If Bob’s sales figures weren’t so high, they would fire him.  So they decide to try passive authentication.  When Bob logs into the VPN on his corporate laptop, the network recognizes the laptop as a trusted corporate computer.  The VPN also recognizes the network that Bob is logging in from, one of his regular customers.  Because the laptop and the location (network) are recognized, Bob only has to enter his password.  The laptop and recognized network provide the second factor.  Later, when Bob is at the airport bringing his latest sales contract back to corporate headquarters, he has to use the OTP app on his smart phone again since he’s not on a trusted network.

Passive authentication relies on some known factor about the user or the user’s device to act as the second factor.  If only one factor is required it could be the device, so Bob wouldn’t need to use his password at all.  This will most likely be used first for mobile devices like smart phones (after the device is registered to the user) when they are on known networks (networks that are deemed secure).
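The decision rule in Bob’s story, written out as a small step-up policy: a registered device on a trusted network supplies the second factor passively, anything else requires the OTP, and a device reported lost stops counting. This is an added illustration, not code from the original post or from any product; the user name, device identifier, and IP ranges are constructed sample data, and the device identifier is assumed to come from something the client cannot trivially forge, such as a certificate on the corporate laptop.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class AuthPolicy:
    # user -> device identifiers registered to that user at enrollment
    registered_devices: dict
    # networks the company has deemed trusted (a regular customer's site, headquarters)
    trusted_networks: list
    # devices reported lost or stolen; they never supply a passive factor again
    revoked_devices: set = field(default_factory=set)

    def device_recognised(self, user, device_id):
        # Assumed: device_id is established by a device certificate, not a spoofable header.
        return (device_id in self.registered_devices.get(user, set())
                and device_id not in self.revoked_devices)

    def network_recognised(self, source_ip):
        ip = ipaddress.ip_address(source_ip)
        return any(ip in net for net in self.trusted_networks)

    def required_factors(self, user, device_id, source_ip):
        """Return (factors the user must actively present, reasons for the decision).
        Both passive signals present -> password only; otherwise step up to password + OTP."""
        reasons = []
        if self.device_recognised(user, device_id):
            reasons.append("device registered to user")
        if self.network_recognised(source_ip):
            reasons.append("source network trusted")
        if len(reasons) == 2:
            return ["password"], reasons
        return ["password", "otp"], reasons or ["no passive factor available"]


def report_lost(policy, device_id):
    """Revoke a lost device so it stops supplying the passive factor; returns the policy."""
    policy.revoked_devices.add(device_id)
    return policy


# Constructed sample enrollment data (not from the original post).
POLICY = AuthPolicy(
    registered_devices={"bob": {"laptop-bob-01"}},
    trusted_networks=[ipaddress.ip_network("203.0.113.0/24"),    # customer site
                      ipaddress.ip_network("198.51.100.0/24")],  # headquarters
)

if __name__ == "__main__":
    print(POLICY.required_factors("bob", "laptop-bob-01", "203.0.113.42"))  # customer site
    print(POLICY.required_factors("bob", "laptop-bob-01", "192.0.2.77"))    # airport Wi-Fi
```

The reasons list is what you would write to the authentication log, so a later review can tell whether a session was admitted on a password alone and why.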

I don’t know if passive security is as safe as current active security measures, but I have no doubt that the convenience will drive the change to make it more secure.  Devices and networks will be configured to work with passive security systems.  

Someday Bob’s children will ask him to explain what a password is. 
