Unfortunately, while all this development in the online world was taking place, the technology companies and other modern businesses simply forgot to provide users with an authentication method able to offer them any real sense of protection, privacy or control. Many of today’s consumers may fondly remember the days when most businesses dealt with us face-to-face in bricks and mortar premises or were familiar with the sound of our voices over the phone; but thanks to the advent of the World Wide Web, many of the big companies we often deal with these days have far too many customers to know what we look or sound like, and their “premises” are situated out there, unseen in cyberspace.
This transformation in the way we interact with organisations across the globe (or down the road), has seemingly taken the world by surprise. As a result, the vital task of authenticating users in a secure yet easy-to-use fashion, appears to have been swept under the carpet, dismissed as someone else’s problem or something to be fixed at an indeterminate point in the future.
All this goes far deeper than simply the need for businesses to know their customers. Individuals themselves need a system which will allow them to authenticate (or prove their authority) while at the same time not letting slip anything that a third party might use to impersonate them, steal their identities or otherwise do them harm. The current debate over whether social media sites exist more for the entertainment of users, or whether they are in reality huge personal data mining operations, set up to make money by collating and selling-on millions of users’ searches, purchases and private thoughts (as evidenced by the spotlight now being shone on Facebook, the UK company Cambridge Analytica, and probably many others behind the scenes) further illustrates the need for individuals in the modern world to retain a reasonable degree of privacy. None of us really wants to live in a total surveillance world, where our every move may be seen and recorded, then number-crunched and analysed. Imagine a branch of McDonalds, or a shop, where the closed-circuit TV cameras have been hooked up to a large database containing everyone’s facial image. The upside is that the shop assistants might perhaps greet you by name (as in the film Minority Report), and admittedly to some, this prospect might initially appeal. But might it not lose some of its shine when it becomes clear that behind the scenes the management at the same time has sight of each visitor’s spending limit, their credit rating, their employment status, details of any court appearances etc – and possibly even their deepest thoughts and political leanings? Might we all start to wear motorcycle helmets (or bee-keepers’ nets), not touch anything and not speak, for fear that our biometric data would identify us?
Yet isn’t this level of surveillance exactly what’s happening in the online world? Whether people choose to share their lives or not on sites like Facebook isn’t the point. Every search we do, every text, every email, every response we make, every document or photo we put in the cloud, every purchase we make, in fact every single action - may be recorded, for ever, then endlessly added to other data for analysis, as though little bits of “us” are being constantly stirred into a global information soup. Without our knowledge. How can we restore a reasonable degree of privacy in the online world, of the kind we continue to expect in the physical world? (Though this too needs to be guarded carefully if we are to enjoy human life in the future; or has the possibility that machines might one day become our masters already become reality?)
At present we have a range of methods, none of which offer all three characteristics listed in the heading above. Let’s look at what we currently use
more closely, and their flaws.
Passwords, used for most logging-in operations, can be easily captured and re- used by criminals. Efforts to make passwords stronger (or longer, using often pointless tactics like pass-phrases, or swapping “e” for a “3”) are useless in the face of Trojan viruses or devices able to log keystrokes (as well as social engineering, phishing, or simple “shoulder surfing”). At the same time so-called big data or personal information such as account details are just as vulnerable if communicated to others, as part of the authentication process. They too can be easily harvested and used for criminal activities, sold on to others or simply added to the “soup” (where we really don’t want them to be!).
At the same time, passwords are a burden to most users, who have no choice but to use them. Passwords are often hard to remember, and even harder to recall when users are told to make them “unmemorable” (which may simply lead to them being written down). The situation is exacerbated by technicians telling users to change their passwords at pre-set intervals (often resulting in the user simply adding a letter or number at the end, doing little to increase security). And what if the hacker gets hold of the “new” password at the start of the period, allowing him total freedom to use it unchallenged for weeks? Often organisations’ own password rules, if known to the hacker, provide useful
starting points.
Another problem which has reared its head recently is the discovery that many varieties and makes of computer chip can retain information such as passwords, even after they are powered down – meaning hackers may have yet more help in getting hold of fixed-string user IDs or login codes – further increasing the need to replace fixed passwords with dynamic codes. Those in the know may point to the existence of developments such as biometrics or two-factor, but neither of these achieve the three aims above, and both have major flaws, as we shall see. Biometrics One of the strength of biometrics (the