BYOA: Bring Your Own Authentication

Most people who uses IT or Internet application would agree that the current user name/password mode of authentication is cumbersome, ineffective, and obsolete.  According to ESG research, 55% of information security professionals working at enterprise organizations (i.e. more than 1,000 employees) believe that user/name password authentication should be completely eliminated or relegated to non-business critical applications only (note:  I am an ESG employee).

Recognizing the foibles of user names and passwords, ESG research indicates that 57% of enterprise organizations use multi-factor authentication technologies.  Unfortunately, multi-factor authentication technology has been too expensive and complex to roll-out across enterprises or offer to on-line consumers.

While user name/password authentication remains a cybersecurity conundrum for infosec professionals and consumers, it represents a potential goldmine for tech entrepreneurs, startups, and VCs.  It seems like there is a new company or innovation announced each day – all offering cheaper and simpler multi-factor authentication alternatives. 

Yup, there are many promising new multi-factor authentication technologies available today but many new authentication firms will likely end up in the VC dustbin.  Why?  They are still focused on a “top-down” model where identification authorities deploy technology infrastructure and mandate what users must do to access applications.  So even though multi-factor authentication is cheaper and easier than it was in the past, these vendors are still setting up the same old environment characterized by disparate authentication infrastructure, a lack of integration, and user complexity as they manage tokens, one-time-password technologies, and biometrics. 

Note to VCs:  There is an ongoing trend called IT consumerization that has been in play for about 10 years of so.  Sarcasm aside, I believe that IT consumerization will lead to a derivative movement called BYOA:  Bring Your Own Authentication.  Rather than enterprise IT, users (i.e. consumers and employees) will drive ubiquitous multi-factor authentication because of factors like:

• Mobile biometrics.  Apple’s iPhone 5 thumbprint reader will be remember as a seminal event in the consumerization of multi-factor authentication.  Not only will this technology improve, but it will soon be available on Android and Windows phones.  Other biometric technologies like eye scans, facial recognition, and voice recognition will join thumbprint readers adding choice, competition, and pricing pressure to the market. 
• Mobile authentication infrastructure.  Biometrics will act like a key but there will be an increasing number of doors and locks in the cloud.  For example, Apple is extending it multi-factor authentication infrastructure into iCloud to align identity and policy.  Furthermore, it appears that Apple has filed a patent to extend its authentication technology by adding location as another type of identity attributes.  This technology has the potential to use mobile phones to identify an individual, device, and location – a rich combination for anti-fraud and policy enforcement decisions.
• Industry standards.  The big kahuna here is the Fast Identity Online (FIDO) alliance with “who’s who” members like ARM, Blackberry, Google, Lenovo, Microsoft, RSA Security and Samsung.  When mobile devices are instrumented with FIDO clients, they can become universal authenticators to a potpourri of consumer and enterprise applications. 
• Consumer services.  While enterprise struggle with multiple authentication infrastructures and legacy application integration, consumer-oriented services for on-line banking, credit card clearing, and eCommerce sites will take a leadership role in multi-factor authentication.  Case in point, Bank of America, Discover Card, MasterCard, PayPal, and Visa are all board-level members and soon-to-be adopters of FIDO.  These highly-visible firms will eschew user name/passwords for multi-factor authentication, setting the pace and tone for everyone else. 

We’ve seen this movie before!  A few years ago, users brought Android devices and iPhones to work and demanded connectivity to applications.  Pretty soon they are going to bring biometrics to work and demand that these technologies be used in place of user name/password authentication.  Thus, BYOA.

The foundation for BYOA is being built today and will mature quickly over the next few years.  With this in mind, CISOs should think twice about banking on some promising but proprietary authentication technology for enterprise-only use.  As an alternative, large organizations should closely monitor BYOA trends, commit to industry standards, and prioritize legacy and BYOA integration strategies.