From Gort to Two-Factor Authentication: How to Avoid Security Havoc
"Klaatu barada nikto" was an early form of voice-based authentication and one that for techies and science fiction movie fans quickly moved into pop culture.
The phrase was used in the 1951 film "The Day the Earth Stood Still," and if that command had failed, then the giant robot Gort would have wreaked havoc on Earth, as Gort was not a robot to be messed with. The phrase, according to the Robot Hall of Fame, is "one of the most famous commands in science fiction."
I bring up Gort because, despite technology's advance, authentication remains a morass of passwords and incompatible two-factor processes while the promise of simplified, secure identity is always just around the corner.
Most recently, Twitter added a two-factor authentication process. The three big social vendors—Google, Twitter and Facebook—all have a two-factor process in which the user can enter a name, a password and receive an additional code on an alternate (usually a smartphone) device or application to access the service. Let me say up front that despite the hassles and incompatibilities of two-factor authentication, it is worth the effort.
The Twitter method beefs up the two-factor approach introduced two months ago. The earlier approach used Short Message Service (SMS) texts as the medium to transfer the code. The new method uses an app-based approach. Some reviewers have praised the new method; others could not make it work. You can still use the SMS method if you prefer. But it's only as secure as the SMS system, and spoofers can still set up a fake site to imitate authentication. Two-factor authentication is a good step but not an ultimate security solution.
As I remember, it was Art Coviello, then CEO of RSA Security and now executive vice president of EMC, who first patiently explained that identity was based on something you knew (passwords), something you possessed (security tokens, which powered RSA's business) and something you were (biometrics). Most two-factor systems cover the what you know and what you have categories although the biometric chunk has moved from the far horizon to near horizon.
In the consumer market, the issues around two-factor authentication include business concerns: how many users would I lose by having them jump through an additional identity hoop? Then there are service issues involving lost smartphones, authentication without the device, authentication on new devices and user-based authentication resolution versus having to staff up a call center.
The issues for the enterprise CIO and technology executive are equally complex, maybe more so. Enterprise infrastructure is increasingly a cobbled-together network of on-premise older systems and off-premise (cloud) systems. While there are good approaches to adding a security and authentication layer over that network, the rise of BYOD means that users will still be juggling corporate authentication and authentication services, which differ on each of their favored social networks.
The rise of the hybrid cloud infrastructures has given rise to, yes, another service. Identity management as a service (IDaaS) vendors include OneLogin and others. These services promise and mostly deliver on freeing corporate help desks from constantly trying to untangle passwords, resetting stolen passwords, dealing with a mobile workforce, which is often operating in different time zones, and responding to sudden emergencies.
I'd expect that between now and the next RSA Security conference in the early part of next year, you will hear more about services that juggle multiple passwords (there are lots of these now), corporate security procedures and two-factor authentication incompatibilities. Not soon enough if you ask me.
In the meantime, for both the consumer and the business user, it is worth your time to set up two-factor authentication on your social applications and take some comfort in operating in a slightly less threatening environment. The differences in the two-factor systems will make it easier for you to decide which types of system will be right for your company. And for sure, remember that voice command should you run into a rampaging Gort.
Eric Lundquist is a technology analyst at Ziff Brothers Investments, a private investment firm. Lundquist, who was editor-in-chief at eWEEK (previously PC WEEK) from 1996-2008, authored this article for eWEEK to share his thoughts on technology, products and services. No investment advice is offered in this article. All duties are disclaimed. Lundquist works separately for a private investment firm, which may at any time invest in companies whose products are discussed in this article, and no disclosure of securities transactions will be made.