Anyone who has fumed at the clumsy authentication paradigms prevalent today will be a cheerleader for progress—with especially loud cheers for the demise of passwords. This evolution serves to highlight the supreme importance of authentication in today’s cybersecurity world. It matters not if the data, the application, and the communications are secure if the system cannot reliably authenticate the person or computer seeking to gain access.
Passwords fall into one of the three buckets of authentication paradigms—“knowing” (e.g. passwords, PINs, etc.), “having” (e.g. tokens, PDAs, etc.), and “being” (e.g. biometrics). As often as not, the way in which these paradigms are applied to the task of authentication determines the degree of friction created for the user. Suffice it to say, as friction increases, user resistance increases rapidly.
We can see this principle at work in on-line shopping. A potential customer arrives at a website, falls in love with a product, moves it to his/her shopping cart and then is confronted with a series of menus full of questions to answer, demands to open an “account”, and rules for creating a password that border on the psychotic. Often, the result of this friction is that the shopping cart is abandoned. Users will put up with only so much friction, depending upon the importance (e.g. value) of the transaction before them. This is why friction-reducing products such as PayPal are so popular.
Often, “want to know” questions intrude upon the authentication paradigm when “need to know” is all that is truly important. This, too, raises the friction coefficient. Users will put up with “want to know” questions only if answering them decreases friction.
In selecting authentication technologies, providers of value must continually evaluate the friction/value equation and minimize it. In developing the next generation of authentication paradigms, minimization of friction must be a primary concern and weighed against the value of the transactions being addressed.
The Seneca Group Principals are often called upon to evaluate new technologies in authentication using specific metrics of friction and value. In our next blog, I want to explore some thoughts about the difference between algorithmic beings and biological beings and what this means for authentication paradigms.