The Continued and Future Growth of Authentication
“The rumors of my death have been greatly exaggerated”
-Mark Twain
“1, 2, 5”
-King Arthur in Monty Python and the Holy Grail
It’s a new year and a new RSA Conference… in fact, it’s our 20th RSA Conference, and at this rate it looks like it will be bigger than any before! To my shock I realize I’ve been to more than 20… but that’s because I’ve been to the Japanese and European conferences in addition to the US one (since the third conference, with only 2 missed).
As I mentioned in a blog late last year, the theme this year is Alice and Bob, reaching back to our heritage as RSA and the early days of crypto. Of course, we’re known for both the algorithm and the conference, but we’re also known for our authentication: if SecurID were a person, it would be old enough to run for the US Congress (though not for the Senate yet). So let’s look at the continued development of authentication, picking up where I left off in my blog on the general evolution of authentication 18 months ago!
Let’s start with Authentication “pre-history”: username/password was king, and they weren’t particularly sophisticated in their size or complexity. If security (as I’ve suggested) is best reflected in “cost to break,” the cost was cheap and rapidly became cheaper still. As ease of access and exposure grew, especially with the rise in distributed computing, something new was needed: it had to increase the complexity (and therefore the cost to break) sufficiently to have business impact where it counted – secrets would stay secret!
In many ways, the work of the cryptographic greats (Rivest, Shamir, Diffie, Hellman, etc.) in the 70s and early 80s paved the way to making the act of “cracking” credentials, and therefore compromising security, computationally complex enough that it became massively more expensive.
The next decade brought a furious advancement: more tokens, more platforms, more form factors and more ways to authenticate. The venerable ACE Server was replaced by Authentication Manager, and then appliances were made available too!
And then the software token, mobile token, SMS authentication and out-of-band authentication came in rapid succession.
And now on to iPhone and Android too. I got this logo (which I love) from Shrenik Vikram and Blake (my apologies that I don’t know the original source!):
Of course, most of the use cases here came from the top of the market pyramid, down to end-users. However, since 2003 RSA has been authenticating the other way (from consumers up) with invisible authentication, primarily through financial services (in a B2B2C sense). This led to innovation around risk-based authentication (with RSA Adaptive Authentication) and knowledge-based authentication (with RSA Identity Verification). The idea that context matters most is critically important, and the notion of verifying identities “on the fly” and offering a choice and range of authentication options based on the relative risk level was vital.
Key: Red is traditional SecurID major steps, beige is other authentication, blue is “IPV” (i.e. B2B2C) and tan is “Enterprise” server advances.
A massive theme here is convenience. It’s not just a nice-to-have, and a lot of what is happening around SmartPhones right now is proving this: not being distracted by the tool means that you not only focus more on the task… you are actually better at performing the task (for more on this see my post on the Philosophy of Tool Use).
We added a community effect here with the eFraudNetwork and made it all available via hosted (SaaS) service too!
So where are we today? Keep in mind this will (no spoilers!) change by the time the conference comes along (Feb 13th, 2011), but I think it will give us some basis for looking at the next 25 years of SecurID:
So now we go into the 20th RSA Conference, and it’s a time to enjoy our past and heritage, but it’s also time to look forward: beyond the old problems of locking devices down or getting into the hardware. Instead, it’s about embracing cloud computing and the consumerization of IT, and becoming easier to use and more ubiquitous.
If you want to see the next chapter here, come see RSA at RSA Conference! Stay tuned for a whole lot more when we unveil the latest and greatest next week around convenience, simplicity and efficiency for the small and mid-sized companies out there!
PS – if you haven’t seen it, you really should check out the ZeusiLeaks article by Uri…if you thought WikiLeaks was bad, something far worse is happening around Zeus.