Authenticating those youngsters

IAM consulting for mobile authentication solution

Why can't a device replace a password?

I had a really interesting conversation with a client last Friday.  I’ve helped them to build a public-facing identity management system for access to a range of web applications.  It has been running for over two years and has (literally) hundreds of thousands of users.

The chat went something like this…

CIO: As you know, our users are a bit of a younger demographic, and we’ve been noticing lately that they are having trouble remembering their usernames and passwords.

Me: Well, we’d expect them to use the forgot user ID or forgot password links on our login page…

CIO: But they don’t. Or if they do use those links it is confusing to them. We are seeing a spike in help desk calls.

Me (mystified a bit): Ummm… why is that? We use a pretty standard web page with links for these functions.

CIO: Yes we do. However, an increasingly large segment of our user base has grown up with smartphones, not browsers. They are used to apps and auto-remembered credentials.

Me (feeling elderly): Oh.

CIO: So what we need is a way to login to both web apps and device apps using just the mobile phone.

Okay, so it took a few minutes for this to sink it, but I get this. Younger users use mobile phones and apps predominantly, and the web browser experience is not the same for them as it is for us oldsters.

My own teen-age kids are proof of this — texting is definitely preferred over email, and I think I saw my 15-year old daughter tear-up last year when I upgraded her iPhone to a full data plan…

Teens, it seems, are most comfortable with a device.  And that device presents information and services differently than a web page does.  So differently in fact that it poses problems for authentication. This is really interesting…

There are two use cases to explore here.

  • The first is the identity-aware app.  The app needs to authenticate the user in a way that is consistent with best-practices for protecting sensitive information.  It can’t just provide access without authentication because that would be against policy and create risks of breach that aren’t acceptable.  But it does need to be seamless and easy — because that is the way of the app, right?
  • The second case is web login without username and password… Interestingly, a user ID / password combination is only single factor (something-you-know).  The replacement of this standard approach with something-you-have, i.e. a mobile device, shouldn’t be that hard.  For example, a user who has pre-registered their phone with us could get a one-time code sent via SMS to the phone.  They could then enter the code in order to authenticate.  No more forgotten passwords, no need to remember what username I picked.

Can these use cases be met within the policies and best practices established by enterprises? Or do we need to reconsider our approaches in light of a changing demographic?

Mike

3 Responses to Authenticating those youngsters

  1. Hi Mike,

    At SURFnet (research network in The Netherlands, http://www.surfnet.nl/en/) we were pondering the same thing: how to leverage all those devices out there that our students and staff are carrying with them.

    We trailed a technology based on using the SIM as a trusted module, which worked very well and is very secure (called Mobile PKI or WPKI) and works very well. Unfortunately, it requires a SIM swap for most users and that requires the co-operation of the mobile network operator (which is almost impossible to get).

    So we continued our search and came up with what we think is an innovative app-based solution, you can read all about it on our site https://tiqr.org/

    Cheers,

    Roland van Rijswijk
    SURFnet

    • Hi,
      I think the world is ready for a revolution using smart phones. The smart phone becomes an authentication platform for a wide variety of different authentication mechanisms.

      Examples include voice authentication, digital certs, facial recognition, finger scans, use of the phone itself and how it’s moved, virtual key board authentication, etc.

      Further, the release of OpenID Connect means that now use of the smart phone can be relatively easily integrated into social media authentication and authorization.

      I have a number of papers on my website that speak to this at http://www.authenticationworld.com.

      Kind regards,
      Guy

  2. Good stuff, Roland, thanks for sharing your solution. I know this is an expanding solution space and I expect you will get a lot of interest.

    Mike

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: