Don't Cut Off That Hand: The (Potential) Future of Identity & Authentication
Hand Biometrics? Facial Recognition? Triple Factor? What's on the Horizon?
A recent news item on palm scanning for identification and authentication, by way of Intel's development work, has received broad coverage. The UK-based Telegraph and the San Francisco Chronicle ran the article in their respective technology sections, and many other news outlets world-wide covered this trend piece as well.
While we've seen this type of "wave your hand over a panel to gain access" technology represented for decades in Hollywood blockbusters like Mission Impossible, some Sci-Fi films and shows and nearly all movies involving espionage, the reality is that most of our professional lives are still governed by (and secured by) single-factor authentication via user-created passwords, the most common of which remains "Password". (Don't believe it? Read this.)
By the way, a word of caution to all aspiring criminal elements: do NOT repeat what you have seen in the movies and cut off someone's hand to gain access via biometrics. It won't work.
Current authentication practices are evolving, and today we see broader use of two-factor authentication, sometimes utilizing one-time password tokens and even some pattern-recognition style authentication, which aligns with the 'something you have plus something you know' approach.
But where are we heading with this and how will future authentication solutions integrate with our daily lives?
Authentication, at least for the foreseeable future, will require one of three things: something you know (a password), something you have (a device) or something you are (biometrics, such as fingerprint, voice, face, or iris recognition, etc.).
There are several factors that go into choosing which kind of authentication mechanism you are going to use, such as how important security is for the application. Obviously, you'll need stronger authentication for applications containing sensitive personal information (healthcare, for example) than you will for your social media apps. Another factor is the cost of deploying and maintaining the authentication mechanism. Maintaining passwords is a lot cheaper than acquiring and distributing hardware tokens that many remote and mobile workers are used to. Other considerations include the convenience (or inconvenience!) to the end-user, as well as how easy or hard it is for a malicious hacker to break the authentication barrier and access the system.
Given these considerations, it's very likely that a middle ground approach to strong authentication will become increasingly popular. Passwords are a pain to manage and users generally hate them. Biometrics is much more secure, but requires more complex hardware and software systems to deploy, although the costs are coming down. The emerging middle ground that appears to be growing is the use of soft token-based 2-factor authentication. Using a soft token, rather than a dedicated hardware token, allows the system designer to leverage the fact that mobile devices are becoming ubiquitous and most users have persistent access to those devices. Some leading edge service providers, such as Google, now support the use of cell phone-based 2-factor authentication. If we can set up centralized repositories where users can register their cell phone number for strong authentication, then we'll be a long way towards the goal of deploying a universally accepted strong authentication capability that is convenient for the user, provides a higher level of authentication than a simple userID/password combination, and can be implemented at a reasonable cost.
I look forward to seeing other future developments around access, specifically what the very smart development teams at Intel and also at McAfee may come up with, but I think my hands are safe from enterprising criminals for the time being.
Source: McAfee
