Homing in on the future of identity
In case you missed this week’s Google news, the company is investing in virtual reality and artificial intelligence.
All of these rely on computers that are dramatically more independent and more capable of making decisions than ever before. This got me thinking about a use for these capabilities that receives much less attention than self-driving cars, but could potentially have a much broader impact: online identity and then how we, the corporeal denizens of the real word, identify and protect our integrity online.
Just as the key to identity in the real world is physical identification, like a birth certificate, the key to online identity is authentication, or being able to prove that you are who you say you are.
“Five years ago, you only needed a password,” says Pam Dingle, a senior technology architect at Ping Identity. “But there’s a third dimension now, a creative or intuitive assessment of the authentication situation [when you log in.]”
Last year, Google changed its Gmail login screen, moving the password field to a second page that would appear after you entered your username, instead of showing you the text fields for both on the same page.
While people were still asked to enter the same information as before, the move added an extra step to the authentication process, potentially eliminating some phishing threats. Depending on where you log in from, you might see an additional verification screen like a Captcha.
In this case, Google uses someone’s IP information to construct a profile, which along with the password becomes the basis of its authentication.
Profiling is clearly the way that authentication, or proving that you are who you say you are, is going. If you can be authenticated as yourself, the integrity of your online identity remains intact.
This is no hypothetical problem. Cybercrime is expected to balloon to $2.1 trillion by 2019, more than four times what it cost in 2015, according to a report by Juniper Networks. Ransomware attacks, data breaches, and other high-cost crimes often start with phishing attacks, which usually begin with an impersonation and succeed when victims unwittingly share their log-in credentials and thus their online identity.
Innovations in authentication have led to some very science-fictional places.
Many are variations of the idea of mapping your unique body signatures and tying them to existing login information like passwords. Nevermind fingerprint, voice pattern, or facial recognition, researchers have developed a method of using a headset, such as Google Glass, to authenticate identity using the unique head movement patterns of the wearer. Charmingly, they call it, HeadBanger. (I envision call centers filled with long-haired heavy metal enthusiasts logging into their computers, whipping their hair around as hold music plays Slayer and Motorhead.)
Your heartbeat, too, creates a pattern just as unique as your fingerprint. A company called Nymi has developed a wearable wristband that keeps you logged in based on your heartbeat. Companies including Apple and Samsung have patents on heartbeat authentication. Google’s advanced research division for years has been working on swallowable pills that can log you in, and released a temporary tattoo login in 2014.
And of course, there are updates to the familiar physical login key, a USB device such as a YubiKey that must be near or inserted into your computer to allow access.
These technologies hold promise for making the internet more secure. But they also raise many legal and ethical questions.
For instance, none of these new authentication techniques have the same legal standing as a password. Courts can force you to turn over a physical login mechanism, such as a door key, your fingerprint, or likely, your heartbeat. But they can’t force you to turn over knowledge, such as a password.
They also go a long way towards eliminating one of the most important cultural aspects of the Internet: anonymity. We’ve never had true anonymity on the Internet, but it’s not hard to see how even the current pseudonymous state of play could shrink if you’re forced to prove who you are before you access the Web.
One possible solution to protect online identity and ensure anonymity would be to turn on encryption everywhere, for everything. To return to Google, for all its explorations into improving authentication, the company just introduced yet another messaging app this week—not something that the world was exactly clamoring for—that only offers end-to-end encryption as an opt-in.
It’s a big ask to encrypt everywhere, for everything. Getting encryption right isn’t easy, but as we’ve seen, neither is authentication. Designing for the needs of the consumer, and not the business model, will be the only way to ensure that both are properly built for the future.