Well, the RSA Conference that took place last week in San Francisco, CA is now finally over, and I had the chance to talk to some of my contacts about how it all went. For the most part, they felt the event was successful, and they were able to generate a lot of solid leads.
But the common denominator was that everybody was sort of building the same kinds of products and services, but of course with a different brand and slightly different angle in order to differentiate themselves from the rest of the pack.
But there was another common theme as well: everybody was also discussing the heavy usage of Artificial Intelligence (AI) and Machine Learning (ML), topics that I have discussed to some degree or another in my blog postings. It is predicted that these tools will start to make a bigger splash this year, both for the good and the bad.
And yet there is one more topic that was hotly discussed as well: the use of Two Factor Authentication (2FA) and Multi Factor Authentication (MFA). The intent, of course, is to eliminate the use of passwords entirely. However, as much as I thought Biometrics was being used in this regard, it still has not “caught on fire” yet. The only two modalities that are used to varying degrees are Facial Recognition and Fingerprint Recognition.
But fear not, there is another tool that has emerged which could eliminate the usage of the password altogether (or at least that is the hope). According to various sources, the World Wide Web Consortium (also known as the “W3C”) just approved the brand-new Web Authentication API (aka “WebAuthn”). This is the latest way in which you can log into your important websites without having to use passwords of any kind.
More information about the WebAuthn can be seen here:
In turn, WebAuthn supports an entirely new Web Browser platform which is called the “Recommendation”. I for one have never heard of it before, but apparently it is supported on the following Operating Systems: Windows 10, Linux, Android, and iOS. It also works as a secure form of authentication in the following Web Browsers: Google Chrome, Mozilla Firefox, Microsoft Edge and Apple Safari. However, with the latter, it is only available in a preview style format.
The WebAuthn API even supports the use of other wireless devices, so that the end user can log in on such a device and, from there, connect to their favorite Web Browser. It has also been designed to work very closely with the Security framework that has been established by the FIDO Alliance. FIDO is an acronym that stands for “Fast IDentity Online”. The latest framework that has come out is Version #2 (this is also referred to as “FIDO 2”). There are two components to it, which are as follows:
*The WebAuthn API;
*The Client to Authenticator Protocol, also called the “CTAP”. This allows for the end user to connect to their Web Browser of choice by using an external device.
Thus, given the very powerful combination of the FIDO2 framework and the WebAuthn API, the following Security features are offered, in which the end user does not have to use a password anymore:
*Cryptographic based login credentials;
*The use of Biometrics such as Fingerprint Recognition, Iris Recognition, and even Facial Recognition;
*Security Keys such as fobs and other tokens, such as the ones that are created by RSA;
*Secure cameras that are IP based;
*An Asymmetric Cryptography Infrastructure, in which both Public and Private Keys are used to further secure the login credentials.
My thoughts on this?
From what it sounds like, this could be another useful, and even more secure, way to gain access to all of the websites that you use on a frequent basis, such as those that contain your financial information and data. But it is important to keep in mind that this effort to replace the password has just been approved and has not seen full blown adoption yet. For that matter, it may even take a long time for it to witness even a partial adoption rate.
The primary reason for this is that WebAuthn requires the end user to make use of newer tools, and a radically different way of logging in. It all comes down to psychology and the matter of perception. Humans, by nature, tend to be creatures of habit. Once we get used to doing something one way, we always want to do it that way, even if it may not be the best thing to do.
The same holds true for passwords. Everybody acknowledges that the use of passwords is no longer an effective Security mechanism, and if anything, it is becoming literally, a pain in the a$$ to use. Of course, there are Password Managers, but that means learning an entirely new tool as well, and that is why the adoption rate of that has not picked up either.
But despite its many flaws and obvious Security weaknesses, the use of the password will never be totally gone. People are fine with using things such as 2FA, as long as it still involves entering a password, just because they are so used to it. But if you take that away and make them authenticate with an RSA Token and Fingerprint Recognition, you can totally forget about people making use of 2FA.
In the end, people will always complain about using passwords, but their use will remain, at least in my view, forever. This is despite all of the hard work and money spent in developing newer technologies in order to eradicate them completely. So, my advice to those Cybersecurity Vendors that are involved with total password elimination: change your marketing and product development strategies.
In other words, don’t eliminate the password; create a “cooler and sexier” technology that will still make use of it, but adds another layer of security that will be visually appealing to the public. Build a better mousetrap which will last a while, and when another Vendor comes out with something else, build something else which is marginally better to surpass it.
This is the cycle that the Cybersecurity Industry will witness for a very long time to come.