SAN FRANCISCO — In a few years’ time, you may have the opportunity to carry a device with you that authenticates your identity wirelessly to systems and mobile devices.
And your employer may require you to carry a wireless authenticator to apply the same degree of access policies to your headquarters building as it does to your network.
This may end up becoming the same device.
There are folks who believe that should be the mobile phone, but there may yet be solid arguments against it, including this one: Do you really want your wireless carrier involved in your employer/employee relationships?
Mapping the Future
During an unscheduled demo at the RSA Conference here yesterday, senior officials from Google introduced a working model for a next-generation authentication device — a device meant to go beyond the two-factor authentication systems that “phishers” have already learned to exploit.
For now, this unnamed device provides an instantaneous second factor of authentication without needing to be plugged into a USB port, like current security keys today that follow the open FIDO U2F standard.
Google first added support for physical keys such as the Yubikey, based on the FIDO U2F specification it helped draft, in October 2014.
As Eric Sachs, Google’s project management director for identity, told attendees at RSA, his team of engineers is working with the FIDO standard in the effort to make logins — including the kind employees use to access SaaS apps and web sites — unforgeable or, to use the modern derivative, “unphishable.”
“Google last year launched support for the first version of FIDO with USB-based security keys,” said Sachs. One prominent example is the Yubikey, produced by Yubico, which collaborated with Google on the implementation. (I’ve been a Yubikey user myself for some time.)
Today, web sites requiring two-factor authentication issue (or, more often these days, work with Google to issue) a one-time password (OTP), often sent to the customer’s phone as an SMS message. The customer copies this OTP code from the phone, types it into the web site, and in so doing relies on possession of the phone number to vouch for the customer’s identity.
The Phish Factor
But these OTP services can be “phished,” because the code is just a string of digits: nothing in it says which web site asked for it. It’s feasible for an SMS message to contain not only the code, but a URL linking to a look-alike web site.
The user enters the code there, and may then be asked to enter some other important bit of data. The phony site can forward the still-valid code to the real site and log in as the user; from then on it holds this data, and perhaps the customer’s own loyalty for a short time.
A Yubikey eliminates that problem, because the response it produces is bound to the origin of the site the browser is actually talking to, so a look-alike site cannot reuse it on the real one. That holds, however, only as long as the user is logging in through a desktop PC. The key’s form factor is a USB-A plug, and that plug is too big for smartphones’ USB sockets.
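The contrast drawn above, as an added example in Python that is not code from the article, from Google, or from the FIDO specifications: an SMS-style OTP is a bearer value that a phishing page can relay to the real site, while a U2F-style response signs the challenge together with the origin the browser is showing, so a relay through a look-alike site is rejected. The origins, the user name and the service classes are made up for the example, and an HMAC over a per-registration secret stands in for the ECDSA P-256 signature a real U2F key would produce, so that the script runs on the standard library alone.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample origins for this example; they are not from the article.
REAL_ORIGIN = "https://accounts.example.com"
EVIL_ORIGIN = "https://accounts-example.com.evil.test"   # look-alike phishing site


class OtpService:
    """SMS-style OTP. The code is a bearer value: nothing in it says which site asked for it."""

    def __init__(self):
        self._pending = {}

    def send_code(self, user):
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[user] = code
        return code                               # stands in for the SMS reaching the phone

    def verify(self, user, code):
        expected = self._pending.pop(user, "")
        return hmac.compare_digest(expected, code)


class U2fKey:
    """Hypothetical security key. A real U2F key signs with an ECDSA P-256 key pair;
    an HMAC over a per-registration secret stands in for that here so the example
    runs on the standard library alone. The property under test, that the signed
    data carries the origin, does not depend on the signature algorithm."""

    def __init__(self):
        self._secret = secrets.token_bytes(32)

    def registration_material(self):
        return self._secret                       # stands in for handing the public key to the site

    def sign(self, client_data):
        return hmac.new(self._secret, client_data, hashlib.sha256).digest()


def build_client_data(challenge, origin):
    """The browser assembles this and fills in the origin itself; neither the user
    nor the page's JavaScript gets to choose it."""
    return json.dumps({"challenge": challenge, "origin": origin}, sort_keys=True).encode()


class U2fRelyingParty:
    """The real web site: checks the challenge, the origin, and the signature."""

    def __init__(self, origin):
        self.origin = origin
        self._keys = {}
        self._challenges = {}

    def register(self, user, key_material):
        self._keys[user] = key_material

    def new_challenge(self, user):
        challenge = secrets.token_urlsafe(32)
        self._challenges[user] = challenge
        return challenge

    def verify(self, user, client_data, signature):
        data = json.loads(client_data)
        expected_challenge = self._challenges.pop(user, None)
        if expected_challenge is None or data.get("challenge") != expected_challenge:
            return False                          # replayed or unknown challenge
        if data.get("origin") != self.origin:
            return False                          # signed for some other site: phishing
        key_material = self._keys.get(user)
        if key_material is None:
            return False                          # no key registered for this user
        expected = hmac.new(key_material, client_data, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


def otp_relay_attack():
    """Victim types the OTP into the phishing page; the phisher forwards it to the real site."""
    svc = OtpService()
    code = svc.send_code("alice")
    stolen = code                                 # captured by the phishing page
    return svc.verify("alice", stolen)            # accepted: the code is not bound to any site


def u2f_login(origin_seen_by_browser):
    """One U2F login. The phisher can relay the real site's challenge to the victim's
    browser, but the browser signs it under the origin it is actually showing."""
    key = U2fKey()
    rp = U2fRelyingParty(REAL_ORIGIN)
    rp.register("alice", key.registration_material())
    challenge = rp.new_challenge("alice")
    client_data = build_client_data(challenge, origin_seen_by_browser)
    return rp.verify("alice", client_data, key.sign(client_data))


def u2f_relay_attack():
    return u2f_login(EVIL_ORIGIN)                 # rejected: origin mismatch


def u2f_legitimate_login():
    return u2f_login(REAL_ORIGIN)                 # accepted


if __name__ == "__main__":
    print("OTP relayed through phishing site accepted:", otp_relay_attack())
    print("U2F response relayed through phishing site accepted:", u2f_relay_attack())
    print("U2F direct login accepted:", u2f_legitimate_login())
```

The relaying attacker cannot simply edit the origin field before forwarding, because the signature covers the whole client data; the only origin the key will ever sign for is the one the browser observed, which is exactly the property the article calls “unphishable.”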
The wireless authenticator shown yesterday would solve that problem immediately. As Christiaan Brand, Google’s product manager for security and identity, showed attendees at an RSA panel featuring Sachs, any Google service using 2-factor authentication can accept the proximity of this new device as the second factor.
The first factor, therefore, may be as simple as an ordinary password. (And you thought passwords may really be dead this time.)
During this demo, Brand told CMSWire that the FIDO 2.0 standard, to which Google is also contributing, is working toward the use of the smartphones themselves as physical authentication mechanisms, replacing the need for smart cards, key fobs, or any other physical object.
However, he said, one key obstacle to enabling this to happen concerns carriers’ control over the phones they sell or lease to customers. Today’s phone users replace their units at surprisingly frequent rates.
If customers’ phones are also their security identifiers, then there would need to be some mechanism for translating those identities between devices. If this process were made too easy, anyone could do it — and that would be a problem.
(Think of wireless identity theft on a completely different scale.)
It’s certainly technically feasible, said Brand, for a transfer of identity attributes to take place. But since Google is the authenticating party here, it would need to be in charge of that transfer.
And facilitating that ability would conceivably change the relationship that Google currently has with the carriers selling its Android phones to consumers and businesses. So until either a victor or a truce is declared in the battle between identity and economy, a FIDO U2F wireless key fob may be in your future.