Mad Musings Episode 1 - Authentication
29 September, 2021, by Stephen Swann
Stephen: Given that we are talking about Multi-Factor Authentication as being one of the key decisions that CISOs have to take on the road to a Zero Trust framework, what do we think about the different authentication mechanisms that are being offered to consumers and are those authentication mechanisms appropriate across all the various end users that you might encounter?
Natasha: Oh, that’s a good question, because as we’ve talked about, not everybody has a smartphone. So, if you have a user community that don’t have smartphones, or don’t want to use them for work purposes, that’s a bit of a tricky one!
Stephen: And I guess that’s where I’m going with this. Certainly, my father doesn’t have a smartphone, he won’t have it about him, he finds it far too confusing, and we know that very young children don’t have smartphones, shouldn’t have smartphones.
Natasha: Quite right.
Stephen: But if we want to give them the opportunity of learning how to maybe do some kind of banking by giving them money to put into their savings accounts, then all of a sudden they do need to have some kind of way of being able to have visibility of how much money is in their accounts. So, what do we do to allow authentication mechanisms to be used by all?
Natasha: That’s a great question Stephen!
Stephen: It is a great question and I’m not even too sure that there is a proper answer to that question because there are so many different authentication mechanisms out there and it’s really about trying to pick the right one for the right business for the right end users.
Paul: But there’s vertical markets out there that don’t have an internet presence.
Natasha: What! Still?
Paul: Yeah, still. Who are now just coming to it. They’re on that road as well – how do we start out? Do we start out with something simple? Is it just a username and password? Or is it a username and you ring up a help desk?
Stephen: Well, I would say ideally you want to get to a point where you’re just not using passwords anymore anyway. Because I know in my own personal password safe, I’ve got about six hundred passwords. Ideally, I don’t want to have a password anywhere near me ever again.
Natasha: My Mum writes them all down on a piece of paper!
Stephen: We should probably bring this to an end and go and have a stern word with your mother.
Natasha: I already have! Don’t worry.
Paul: To come back to the passwords, it comes down to usability.
Natasha: There’s definitely a cultural thing now that passwords are the thing: ‘I need a password to get in’. That needs some kind of shift, so how’s that going to work? If you said ‘Right, now we’re going passwordless’, most people would go ‘What?!! How do I do that??! I don’t want to use my smartphone. I do not want to authenticate via somebody who I probably can’t name because I don’t want to do that either’. So what’s the answer?
Stephen: There’s also resistance to things like biometrics because where is that biometric data being stored?
Paul: But then there’s the demographic as well. You’ve got a certain age group who are quite happy to use their smartphones all the time. 16–25, 16–30-year-olds, they don’t need convincing.
Stephen: I think even the younger kids can already imagine what a world without passwords looks like.
Natasha: But, as a parent you would worry about how are people keeping that data safe? And as those consumers get older that will come to the forefront as well. It’s all very well handing over this information but where’s it being kept, how’s it being kept, who is doing that? I think we’ll move to a place where we all have our own identity that we keep, and we decide who we give it to instead of making an identity with every single provider. It’s mine so I want to keep it, I don’t want some data centre in California keeping hold of that. That’s going to be the next question, I think. That is the question now, right?