Usernames and passwords are shaping up to go the way of the dinosaur, the dodo and parachute pants. But the transition to stronger authentication measures has largely been uneven.
For the most part, strong authentication measures have been largely leveraged by governments and a few major financial institutions, said Richard Parris, founder and CEO of Intercede, a U.K.-based digital trust company.
Intercede provides cybersecurity products and services globally to governments, financial institutions and enterprises, service providers, and app developers. A majority of their revenue, Parris said, comes from their work in government.
“From my own space,” Parris said, “I've been frustrated that the work we've done hasn't rolled out into private industry in many respects. Consumers, in general, have been digitally disenfranchised from the security that's enjoyed by the government.”
The main reason for this, Parris said, is regulation — or lack thereof in the private sector.
“For many years, Intercede has been providing solutions to the U.S. federal government all around a standard called HSPD12 and a standard called FIPS-201,” Parris said.
In a nutshell, these regulations require strong authentication in the form of a smart card holding a PKI credential that is unlocked by a PIN. A later variation of the FIPS standard required the same credentialing measures on smartphones as a means to enable a mobile federal workforce.
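As an added illustration (not code from the article, Intercede or Centrify), the following Go program models the authentication pattern behind such a credential: an issuing CA, a card that holds a private key and signs only after PIN verification with a retry counter, and a relying party that checks the certificate chain against the trusted CA and verifies a signature over a fresh random challenge. The CA name, card holder names and PIN values are constructed assumptions, and the card is a software model; a real PIV card performs the signature on-chip and never releases the key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SmartCard is a constructed model of a PIV-style card: the credential key
// stays inside, is used only after PIN verification, and a retry counter
// blocks the card after repeated wrong PINs.
type SmartCard struct {
	pin     []byte
	retries int
	key     *ecdsa.PrivateKey
	CertDER []byte // the PKI credential (X.509 certificate) shown to verifiers
}

// Sign produces an ECDSA signature over digest if the PIN is correct.
func (c *SmartCard) Sign(pin string, digest []byte) ([]byte, error) {
	if c.retries <= 0 {
		return nil, errors.New("card blocked: PIN retry counter exhausted")
	}
	if subtle.ConstantTimeCompare([]byte(pin), c.pin) != 1 {
		c.retries--
		return nil, fmt.Errorf("wrong PIN (%d tries left)", c.retries)
	}
	c.retries = 3 // a correct PIN resets the counter
	return ecdsa.SignASN1(rand.Reader, c.key, digest)
}

// issue creates a certificate for pub from tmpl, signed by the parent's key.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, []byte, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, der, err
}

// Provision builds a hypothetical issuing CA and enrolls one card holder.
func Provision(holder, pin string) (*x509.Certificate, *SmartCard, error) {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "Example Credential Issuing CA"}, // constructed
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caCert, _, err := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	cardKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: holder},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	_, leafDER, err := issue(leafTmpl, caCert, &cardKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	return caCert, &SmartCard{pin: []byte(pin), retries: 3, key: cardKey, CertDER: leafDER}, nil
}

// Verifier is the relying party: it trusts one issuing CA and hands out nonces.
type Verifier struct {
	roots *x509.CertPool
	nonce []byte
}

func NewVerifier(ca *x509.Certificate) *Verifier {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return &Verifier{roots: pool}
}

// Challenge returns a fresh random nonce; each call replaces the previous one.
func (v *Verifier) Challenge() []byte {
	v.nonce = make([]byte, 32)
	if _, err := rand.Read(v.nonce); err != nil {
		panic(err)
	}
	return v.nonce
}

// Digest is the value the card signs: SHA-256 of the challenge.
func Digest(nonce []byte) []byte {
	d := sha256.Sum256(nonce)
	return d[:]
}

// Verify checks that the credential chains to the trusted CA and that sig
// covers the current challenge; a successful check consumes the nonce.
func (v *Verifier) Verify(certDER, sig []byte) (string, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return "", err
	}
	opts := x509.VerifyOptions{Roots: v.roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("untrusted credential: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return "", errors.New("unexpected key type in credential")
	}
	if v.nonce == nil || !ecdsa.VerifyASN1(pub, Digest(v.nonce), sig) {
		return "", errors.New("signature does not match the current challenge")
	}
	v.nonce = nil // single use: a replayed signature fails
	return cert.Subject.CommonName, nil
}

func main() {
	ca, card, err := Provision("alice@agency.example", "123456") // constructed holder and PIN
	if err != nil {
		panic(err)
	}
	v := NewVerifier(ca)
	sig, err := card.Sign("123456", Digest(v.Challenge()))
	if err != nil {
		panic(err)
	}
	who, err := v.Verify(card.CertDER, sig)
	fmt.Println("authenticated:", who, "err:", err)
}
```

The relying party never learns the PIN or the private key; it only sees a certificate and a signature over its own nonce, which is what makes a stolen database of server-side secrets far less useful than a stolen password table.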
“I would argue,” Parris said, “that [these measures are] easily good enough for most financial institutions, especially compared to where they are today.”
However, equivalent systems haven't been built out in the private sector. Research has found, instead, that some 70 percent of treasury and financial professionals are hesitant to adopt mobile payments for their enterprises due to a lack of confidence in the security of mobile payments.
But it's not as though today's mobile devices are incapable of strong encryption.
Parris gave the timely example of U.K. police being unable to access WhatsApp conversations of a terror suspect: “Mobile encryption is already strong enough that law enforcement can't readily breach devices. So why not flip that around and use that power as a capability to deliver security?”
In Parris' experience, service providers and consumer-facing enterprises have largely been reluctant to move to alternative authentication models because of the fear of adding friction to their user interactions. In these spaces, the cost of fraud has been historically perceived as less onerous than consumer churn.
“I've not been seeing any fundamental move away from that,” Parris said, “aside from when there's another regulation.”
This is why Intercede is excited about the authentication aspects of PSD2 in Europe and GDPR in the U.K. Parris sees these two upcoming requirements as the consumer-facing, private-industry counterparts of past federal authentication regulations stateside.
“If you look at PSD2 and GDPR, you see that passwords are not deemed fit,” Parris said. “Usernames and passwords are really a source of cyber-vulnerability; we need to put stronger nodes in place.”
For its part, Intercede recently announced a partnership with identity management specialist Centrify. Together, the two will work to secure and manage mobile access in highly regulated industries.
“Centrify sits between what we're doing and the enterprise space,” Parris said. “They've got a great product that's protected by usernames and passwords, so we are bringing our strong authentication technology to them.”
Intercede’s mobile identity agent, MyID, and its SDK will be integrated with the derived credential capability of Centrify’s Identity Service, enabling Centrify to provide strong authentication measures to its user base as a means to comply with upcoming regulations.
“Today, there's a coming together of regulation, lack of utility by not being able to work mobile and new generations of smartphones which have more power,” Parris said. “The idea that we can't deliver strong cryptography for consumers is no longer the case. Intercede and Centrify share a similar view of how to take PKI technology and make it appropriate for this new world.”