I’ve been in this business for a long time and watched a lot of promise collapse and a fair number of snake oil salesmen flourish.
Strong authentication is one of those technology conundrums that always seems to be partially solved. The drawbacks of traditional one-time passcodes are well understood and we’ve always truly known their shelf life was limited.
I have been searching for something that would be more appropriate in today’s Internet, that would move past “partially solved” and would blossom into elegant simplicity spanning the technology, the plumbing and the user.
My eyes were opened to the answer while watching a room full of engineers work with their code — checking out, checking in, deploying live — and authenticating each time as they supported a massive cloud service that counts billions of users around the globe.
To cross each virtual security boundary the engineers simply press a small flashing Yubico YubiKey tucked into their USB ports to activate strong authentication. They were taking advantage of their body’s ability to hold an electrical charge and trigger a capacitance sensor.
A few years ago when I first saw this technology, I underestimated the capacitive touch. I did not think it had the needed security properties, but what I missed was how important it was to the end-user.
Once I realized that error, I began adding in the significance of the hermetically sealed, driverless YubiKey that is impervious to viruses and malware. I thought about its improvements over second-factor mobile devices that hackers can compromise, and over single sign-on, where conventional wisdom says authentication should happen as infrequently as possible and then be shared across domain boundaries.
I now understand security isn’t about limiting authentications but about making hundreds, even thousands of them per day as easy as pushing another key on a computer keyboard. It’s a user experience that requires zero training, even for technology’s bellwether grandmothers.
In addition, a previously missing piece is coming into focus with the FIDO Alliance’s Universal Second Factor (U2F) protocol, adding the standards-layer to enable one key to authenticate to all applications in our ecosystems while maintaining trust and end-user privacy.
Today, Yubico is releasing its YubiKey NEO with support for U2F and delivering it in two form factors. This key holds the promise of a significantly more secure online consumer experience, and a dramatic increase in enterprise security and ease of use.
The combination of all these factors (pun intended) leads me to believe we have our device and our extended shelf life for a proper “what you have” factor from a multi-factor authentication perspective.
And it has been a powerful enough epiphany for me after 30 years promoting and advancing strong authentication that I have joined Yubico as Chief Business Officer to explore this innovation and see it through to what I believe will be its rightful place in the security landscape.
As you will see in the coming weeks, my faith in these advancements will be validated by some of the most successful and influential Internet companies with arguably the largest end-user populations on the planet.
We can now challenge conventional wisdom around authenticating once then propagating credentials. I am a firm believer in SSO technology for gluing together computing across boundaries and would argue our SSO engines should play the primary role in directing identity traffic. They are, and will remain, essential in modern web architectures.
But I argue fresh primary credentials trump older secondary credentials every time. Application designers have never thought of a world where it is possible or desirable to verify primary credentials not just one time but many times. That world is coming into focus and I’m excited to have a front row seat, again.