The tech goliaths Google, Apple and Facebook are all starting to take steps towards killing off password authentication once and for all. They see the opportunity to shore up security while also cutting down the number of password resets that consumers have to deal with.
Is there a big crossover here to the Internet of Things (IoT)? Will we really have to remember or store hundreds of complex, unique passwords for everything from our fridge to our watch or washing machine?
Here, Jeremy Cowan talks exclusively to Simon Moffatt, EMEA director, Advanced Customer Engineering at identity management specialists, ForgeRock. We’re rapidly approaching a time when the conventional login-and-password approach to authenticating users and authorising access will no longer be workable. So what will come next?
IoT Now: Does ForgeRock believe that managing passwords is already unworkable? If not yet, when?
Simon Moffatt (SM): Passwords have been used since the birth of computing. They are such an integral part of how we access digital services that they will not become extinct overnight. However, it is now generally accepted that password-based security, on its own, is a low security option. Issues constantly arise with respect to how services store password data, with data breach incidents in the news daily.
Many service providers enforce password complexity rules for their users. However, this can often result in password reuse and the dreaded anti-pattern of writing the password down! A new sub-industry of security focusing entirely on password management via browser plugins has looked to alleviate some of the end-user burden with respect to generating and storing complex passwords. But, whilst this increases user convenience, it does not solve the underlying issue of passwords being a weak form of authentication.
From a workability perspective, passwords still play a big part in many end-user login journeys and whilst more secure login processes exist, until user convenience increases with those more secure processes, passwords will be around for some time yet.
IoT Now: Isn’t this still a consumer concern? Does it already affect enterprise IoT, or just connected consumers?
SM: Password management really affects all users, devices and systems, from both an internal, external and IoT standpoint. From a consumer perspective, the big paradox is between user convenience and security. End users want to trust that their passwords and personal data are being kept safe.
The service provider, on the other hand, wants to reduce the time and friction that often occurs during sign up and sign in. If the security mechanisms are too inhibitive, this can turn users away from their service.
Internet-facing or consumer based services often have a bigger attack vector from malicious users and software that can access their publicly facing applications and sites. This is where increasing security is now a big driver for many providers.
IoT Now: What are the shortcomings of 2FA and biometrics?
SM: Many services look to enhance password based security, through the use of multi-factor or 2nd factor authentication (2FA). This has traditionally been done through the use of a 6- or 8-digit one-time-password (OTP) that is transmitted to a pre-registered mobile number or email address.
The main shortcomings are really twofold – one is user convenience: There is often a time delay and pause during the login sequence as the OTP is transmitted via SMS or email. If email is used, there is then another hop that is required with respect to logging in to the designated email account. The second shortcoming is that SMS-based OTP delivery has been scrutinised with respect to security.
Biometrics, especially the use of fingerprint and facial recognition, have been introduced over the last couple of years via the big mobile phone operating system vendors. This has increased usage and understanding amongst consumers, but still many concerns exist with respect to the storage of biometric data. Is it being securely stored? Can it be breached? Is it being used for other services?
A second issue is that of implementations with poor cross-over rates – a ratio that measures the number of authentications that were failed but should have been allowed, against the number of authentications that were allowed that should have been failed.
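The crossover rate mentioned above can be made concrete with a small computation. The block below is an added example, not code from ForgeRock or from the interview: it takes matcher similarity scores (constructed sample values, far fewer than a real system would produce), sweeps the acceptance threshold, and for each threshold computes the false reject rate (genuine users turned away) and the false accept rate (impostors let in). The crossover, also called the equal error rate, is the threshold at which those two rates meet; the lower it is, the better the implementation. All score values and the accept-if-score-at-least-threshold rule are assumptions of this illustration.

```python
"""False accept / false reject rates across thresholds, and the crossover
(equal error) point, for a biometric matcher.

Constructed sample data: similarity scores from comparisons of genuine users
against their own templates, and of impostors against other people's
templates. A real matcher yields thousands of scores; these are illustrative.
"""
from dataclasses import dataclass

# Constructed scores from genuine comparisons (these should be accepted).
GENUINE_SCORES = [0.92, 0.88, 0.81, 0.79, 0.75, 0.70, 0.66, 0.61, 0.55, 0.48]
# Constructed scores from impostor comparisons (these should be rejected).
IMPOSTOR_SCORES = [0.12, 0.20, 0.27, 0.33, 0.38, 0.45, 0.52, 0.58, 0.63, 0.72]


@dataclass(frozen=True)
class ErrorRates:
    threshold: float
    far: float  # false accept rate: impostors accepted / impostor attempts
    frr: float  # false reject rate: genuine users rejected / genuine attempts


def error_rates(threshold, genuine=GENUINE_SCORES, impostors=IMPOSTOR_SCORES):
    """A comparison is accepted when its score is at least `threshold`
    (assumed decision rule). Returns both error rates at that threshold."""
    far = sum(s >= threshold for s in impostors) / len(impostors)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return ErrorRates(threshold, far, frr)


def crossover_point(genuine=GENUINE_SCORES, impostors=IMPOSTOR_SCORES):
    """Sweep every observed score as a candidate threshold and return the
    rates at the threshold where FAR and FRR are closest; their common value
    there is the crossover / equal error rate."""
    candidates = sorted(set(genuine) | set(impostors))
    best = None
    for t in candidates:
        rates = error_rates(t, genuine, impostors)
        if best is None or abs(rates.far - rates.frr) < abs(best.far - best.frr):
            best = rates
    return best


def sweep(genuine=GENUINE_SCORES, impostors=IMPOSTOR_SCORES):
    """Full threshold sweep, useful for plotting the two curves and seeing
    how raising the threshold trades false accepts for false rejects."""
    return [error_rates(t, genuine, impostors)
            for t in sorted(set(genuine) | set(impostors))]


if __name__ == "__main__":
    for r in sweep():
        print(f"threshold={r.threshold:.2f}  FAR={r.far:.1f}  FRR={r.frr:.1f}")
    c = crossover_point()
    print(f"crossover at threshold={c.threshold:.2f}: FAR=FRR={c.far:.1f}")
```

With the constructed scores the two curves meet at a threshold of 0.61, where one impostor in five is accepted and one genuine user in five is rejected; a production matcher is tuned so that this crossover sits far lower, and an operator choosing a threshold above or below it deliberately trades one error type for the other.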
IoT Now: What is ForgeRock’s solution?
SM: The ForgeRock Identity Platform is an open source identity solution that has built access management, identity management, identity gateway, directory and other services into a single, modular platform. Where most identity products on the market today are built to protect internal identities, meaning employees and staff within an organisation, our platform is optimised for customer identity and access management.
There are a number of key challenges around securing external identities that we’ve had to overcome. First, our platform can scale to handle hundreds of millions of individuals, devices and things. We regularly work with customers that require their identity platform to process as many as 50,000+ transactions, such as token validations and authentications, per second.
Second, each and every one of the millions of identities, devices and things needs to be secured at all times. ForgeRock’s platform helps companies continuously protect against threats, using a risk-based system. We also help organisations to manage and personalise highly complex relationships between identities – whether people, devices or things.
As the IoT becomes central to modern life, all of these challenges will continue to grow, and digital identity will become even more critical to securing all kinds of interactions, including mobile banking, smart cars, smart homes, industrial logistics, healthcare and more. Our platform is specifically designed to perform in the IoT environment.
Trust is also key to all business and personal relationships. Our platform enables businesses to give customers and employees a convenient way to determine who and what gets access to personal data, for how long, and under what circumstances.
Digital identity has long played a key role in managing secure access. Increasingly, however, it is being used to support frictionless user experiences. Our Identity Platform is the first open source identity management solution to support passwordless login and frictionless second factor authentication. This means that we can provide continuous security. For example, where other identity management products offer passwordless login at the beginning of a session, we invoke passwordless, second factor authentication any time during a session, should an anomaly occur.
To give a real-world example, if your laptop switches from a secure company wifi network to an unsecure network in a coffee shop, re-authentication would be invoked. This might require a response to a push notification sent to your phone – through a biometric TouchID, a swipe, or other action – in order to maintain access to the online service.
This kind of continuous security without passwords is essential for a frictionless customer experience in a number of business cases – from securing the smart car and smart home applications, to healthcare devices, wearables, mobile banking and industrial IoT situations where ease of use and the highest level of access security are essential.
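The laptop-moves-to-a-coffee-shop scenario described in this answer can be sketched as a small session policy. The block below is an added example and is not ForgeRock's code: a session carries its current network context; when the context changes from a trusted to an untrusted network the session is suspended and a single-use, time-limited challenge is issued for out-of-band approval (the push notification to a phone in the interview). The network labels, the risk rule, the challenge format and its lifetime are all assumptions of this illustration.

```python
"""Continuous, risk-based session protection: re-evaluate the session on
every context change and require a second factor when risk has increased.

Assumptions for this illustration: network labels, the trusted set, the
two-minute challenge lifetime and the challenge id format are invented.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

TRUSTED_NETWORKS = {"corp-wifi", "corp-vpn"}  # assumed trusted network labels
CHALLENGE_TTL = 120                           # seconds a push challenge stays valid


@dataclass
class Session:
    user: str
    network: str
    now: int                           # injected clock (seconds) keeps the example deterministic
    state: str = "active"              # "active" or "step_up_required"
    pending: Optional[dict] = None     # outstanding challenge: {"code", "expires_at"}
    events: list = field(default_factory=list)


def _risk_increased(old_net: str, new_net: str) -> bool:
    """Risk rule: leaving a trusted network for an unknown one is the anomaly."""
    return old_net in TRUSTED_NETWORKS and new_net not in TRUSTED_NETWORKS


def change_network(session: Session, new_network: str) -> str:
    """Record a context change. If risk increased, suspend access and issue a
    single-use challenge for the user to approve out of band (push to phone).
    Returns the resulting session state."""
    if _risk_increased(session.network, new_network):
        session.state = "step_up_required"
        session.pending = {
            "code": secrets.token_hex(16),   # opaque challenge id carried by the push
            "expires_at": session.now + CHALLENGE_TTL,
        }
        session.events.append(f"step-up required: {session.network} -> {new_network}")
    session.network = new_network
    return session.state


def approve_challenge(session: Session, code: str, approved_at: int) -> bool:
    """Handle the phone's response. The challenge is burned on first use
    (whether or not it matches, so it cannot be retried), rejected once
    expired, and compared in constant time."""
    pending = session.pending
    if session.state != "step_up_required" or pending is None:
        return False
    session.pending = None
    if approved_at > pending["expires_at"]:
        session.events.append("challenge expired")
        return False
    if not hmac.compare_digest(pending["code"], code):
        session.events.append("challenge mismatch")
        return False
    session.state = "active"
    session.events.append("step-up satisfied")
    return True


def can_access(session: Session) -> bool:
    """Resource access is granted only while no step-up is outstanding."""
    return session.state == "active"


def run_scenario():
    """Trusted -> trusted changes nothing; trusted -> untrusted suspends the
    session until the push challenge is approved within its lifetime."""
    s = Session(user="alice", network="corp-wifi", now=1_000)
    change_network(s, "corp-vpn")
    change_network(s, "coffee-shop-guest")
    blocked = can_access(s)                      # False while the challenge is outstanding
    code = s.pending["code"]                     # what the push would deliver to the phone
    ok = approve_challenge(s, code, approved_at=s.now + 30)
    return blocked, ok, can_access(s), s.events


if __name__ == "__main__":
    print(run_scenario())
```

The design point is that the check runs on a change of context, not only at login: a session that was trustworthy when it started is re-examined whenever its surroundings change, and access is held back, not merely logged, until the second factor succeeds. An expired or wrong response leaves the session suspended and writes an event that a monitoring pipeline can pick up.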
IoT Now: Is it available now? What are the costs and technology requirements?
SM: The ForgeRock Identity Platform is available for free trial download on the ForgeRock website. ForgeRock solutions are built on a family of open source identity products (OpenAM, OpenIG, etc.), and are available in both free open source and fully licensed proprietary versions from ForgeRock. The downloads on the ForgeRock site are the most recent builds available.
IoT Now: Which customer groups is it aimed at?
SM: The platform is optimised for customer identity and access management implementations where millions of customers (or citizens), devices and things need to be securely managed. That means that our target customer groups span multiple industries and countries, and range from Fortune 500 enterprises to fast-growing startups, government organisations and non-profits in higher education and healthcare.
The need for secure, trusted relationships is universal, so we have customers within almost every industry, including automotive (Toyota), manufacturing (Axalta), telecommunications (Kabel Deutschland, KPN, Spark New Zealand), Internet of Things (TomTom), retail (Zalando, AutoZone), banking and financial services (Allianz, GEICO, BinckBank, BNP Paribas), healthcare and pharmaceuticals (McKesson, Philips Healthcare). The scalability of the platform has meant that another obvious customer group is national governments and government agencies. For example, the Government of Norway, the European Parliament, and entities within the governments of New Zealand, Australia, Canada, Switzerland, the U.S. and the U.K. are all using the platform.