IT security professionals may want to brace for more training and skills development on emerging forms of authentication following Google’s acquisition of Israeli startup SlickLogin and moves by organizations like the Fast Identity Online Alliance (FIDO). Companies are seeking ways to keep their customers and employees secure online beyond reusable passwords, as cybercriminals become increasingly sophisticated and attacks grow in scale, as evidenced by the recent Target security breach.
Earlier this week, Google acquired SlickLogin, which uses a unique, nearly inaudible sound emitted by a computer that is picked up by a smartphone app and analyzed to authenticate the user and unlock a website.
FIDO, an open industry consortium focused on improving authentication, last week released draft technical specifications for a variety of ways to strengthen authentication. The specifications cover methods ranging from using fingerprints to authenticate a user to entering a PIN, among others. FIDO has more than 100 members, including Mastercard, Microsoft, PayPal, RSA and Google.
In an InformationWeek video, Phillip Dunkelberger, CEO of Nok Nok Labs, says people increasingly want to keep their credentials on their own device and use them to unlock a secure communications channel rather than transmit them over the Internet.
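The device-held-credential model Dunkelberger describes, shown as an added example that is not code from the article, Nok Nok Labs or the FIDO specifications: the website stores only a public key, the device signs a one-time challenge, and the private key never crosses the network. The RelyingParty and Device names are assumed for illustration, and the local PIN or fingerprint unlock that would gate signing is left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// RelyingParty (hypothetical name) is the website: it holds only public keys and one-time challenges.
type RelyingParty struct {
	pubKeys    map[string]ed25519.PublicKey
	challenges map[string][]byte
}
func NewRelyingParty() *RelyingParty {
	return &RelyingParty{map[string]ed25519.PublicKey{}, map[string][]byte{}}
}
// Register records the device's public key at enrollment; no reusable secret is stored.
func (rp *RelyingParty) Register(user string, pub ed25519.PublicKey) { rp.pubKeys[user] = pub }
// Challenge issues a fresh random nonce; signing it proves possession of the key.
func (rp *RelyingParty) Challenge(user string) []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	rp.challenges[user] = c
	return c
}
// Verify checks the signature over the outstanding challenge and consumes it, so a captured signature cannot be replayed.
func (rp *RelyingParty) Verify(user string, sig []byte) error {
	c, ok := rp.challenges[user]
	if !ok {
		return errors.New("no outstanding challenge")
	}
	delete(rp.challenges, user)
	if pub, ok := rp.pubKeys[user]; !ok || !ed25519.Verify(pub, c, sig) {
		return errors.New("authentication failed")
	}
	return nil
}

// Device (hypothetical name) keeps the private key; a local unlock (PIN or fingerprint) would gate Sign.
type Device struct{ priv ed25519.PrivateKey }
func NewDevice() (*Device, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Device{priv}, pub
}
// Sign answers the challenge on the device; only the signature crosses the network.
func (d *Device) Sign(challenge []byte) []byte { return ed25519.Sign(d.priv, challenge) }
```

Because each challenge is consumed on verification, a signature captured in transit is useless to an attacker, which is the property a reusable password lacks.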
Build It, Will They Come?
Despite the industry’s efforts, new forms of authentication can be a tough sell to consumers and employees, says John Pescatore, director of emerging security trends at the SANS Institute, a security training organization.
According to Pescatore, roughly 90 percent of employees at Fortune 1,000 companies are still using reusable passwords. “Part of the reason is user resistance. They don’t want to have to carry around another thing for authentication,” Pescatore says, citing security key fob tokens as an example. Another area of resistance is having to remember new passwords on a continual basis.
“I’ll be really happy if the percentage of people using reusable passwords goes down to 80 percent by 2015,” he says.
Among the various authentication technologies that are being introduced, Pescatore says text-based authentication is likely to be the one that catches on among consumers and employees, because it only requires them to carry their cell phone and no other devices. With text-based authentication, users are sent a text message containing a code. The user then enters the code into the website they are seeking access to.
Sebastien Taveau, FIDO Alliance founding board member and chief evangelist for Synaptics’ Biometric Products Division, of course sees a future for authentication technologies such as fingerprints, facial and voice recognition.
New Security Job Titles, New Skills?
As new ways to authenticate the user emerge, Pescatore says training will be needed beyond learning how to use the new products and services. IT security professionals will also need to be trained on potential workarounds when the authentication doesn’t work, such as when a user is in a building where it is difficult to receive a text message or a cut on a finger distorts their fingerprint.
And, of course, IT professionals will need training on the new vulnerabilities that will likely emerge, as cybercriminals look for loopholes in the new technologies, Pescatore says.
Although Pescatore does not envision new job titles or a whole new set of skills being called for, Taveau feels otherwise. So far, he says, companies have employed user experience experts and security experts and the two don’t communicate that well. He foresees a convergence in disciplines, however, especially as biometric authentication becomes part of mobile devices.
“There are different fields that need to come together – the consumer-facing designer, the physical hardware designer or architect, the algorithm engineer and then you have the function implementer or designer,” he says. Add to that the operating system engineer and the app designer. He notes, “The new skills will be in understanding how to put this type of human input inside an application experience, for example.”
With hackers increasingly going after consumer applications, risk management, security and IT people have to learn to think about security in new ways. “You’re talking about local authentication on a mobile device that’s not trusted, controlled by the consumer when you do not know the environment,” he explains. It will require creativity to react effectively, and those who rely on past solutions will struggle.
Dawn Kawamoto contributed to this report.