If you haven’t heard, October is National Cyber Security Awareness Month (NCSAM). NCSAM is sponsored by the U.S. Department of Homeland Security and the National Cyber Security Alliance, and each week of the month has a different theme. The STEALTHbits team will be observing the month with a new blog post on the theme each week. So stay tuned to catch all the NCSAM info coming your way.
The theme for the third week of National Cyber Security Awareness Month (NCSAM) is “Today’s Predictions for Tomorrow’s Internet.” The biggest prediction for the future of security is also the one that’s been made year after year and has yet to materialize. Despite that, it does feel like we’re closer now than ever. The prediction is that the password will disappear from many authentication experiences. From a technologist’s standpoint, there are many implications to this. Many security processes will be impacted, most in a good way. The password has often been the weakest link in the security chain. Removing it will build on work happening now that puts identity at the heart of much of the application and security layer. You see this every time a website remembers your name, an automated voice on the phone understands what you want based on your past interactions, or an application lets you skip a logon because it remembers you from your context. Technologists are, for the most part, very ready to adopt this.
The question for the future is less about the technologists and more about the end users and the regulation. End users react differently to the removal of a password. One advanced authentication vendor rolled out a very elegant login system for a new consumer application for a travel company, but had to scrap the whole thing when a board member insisted that it could not be secure without a password. Explanations about the layers of identity proofing, biometrics, and other security controls in place were ignored in the face of the question: “but if there is no password couldn’t anyone hit that log in button and get in?” Similar to this was a comment from a CISO on a panel at the CORE Connect conference, who said, “I would love to go passwordless, but so many regulations are built around the password.” Even though these regulations are meant to shore up the known weaknesses of passwords, if you remove the passwords you end up unable to comply with the letter of the regulatory law.
With all the new standards and protocols, advanced application development approaches, reliable and high-integrity services delivered through the cloud, and advances in biometrics on every endpoint from the laptop to the latest phones, getting a secure login without a password is more possible than ever. All experts agree it’s an overdue transition. The final blockers are in the minds of users and the technicalities of our compliance frameworks. So we may still be a few years away, but the prediction is that there will be a decreasing number of passwords in our future and that it will be a good thing for everyone’s security.