authentication in 2020 - predictions by the nexus cto
DESCRIPTION
A presentation on how authentication can be done in 2020.
TRANSCRIPT
1
2
Good morning everyone, I’m Per Hägerö, CTO of neXus. I want to share some insights with you around the area of authentication and how I think we can use authentication in 2020.
3
First of all, just to state I will talk about what’s alive – no more talk about the death of things.
4
How does 2020 look, what are the driving forces that will change how we do authentication in 2020?
5
Today most authentication infrastructures are focused on identifying people. We of course authenticate devices, for instance using PKI, but in general the focus is on identifying persons, a people-centric infrastructure.
6
The people-centric infrastructure has focused on a number of factors to determine the authentication strength, which is then a measurement of how sure we can be that the person in possession of a factor, and who claims an identity linked to the factor, really is the person they claim to be. We talk about 1-factor, 2-factor, 3-factor (something you know, something you have, something you are). There are a variety of different authentication methods, which you can see an example of in the slide here. We have software tokens, OTP hardware tokens, SMS tokens, smart cards, biometrics and so on. These are all built for providing authentication of people, but how does this fit into a world where it’s not just people that need to be mutually authenticated, a world where other entities need to mutually authenticate each other so that they can communicate and exchange information?
7
How does traditional authentication fit into the Internet of Things (IoT) or Internet of Everything and Everyone (IOEE)? Being on the forefront of future predictions since the 90’s with the rise of mobile and smart homes, we are now at the beginning of the broad adoption curve of a connected world. We have intelligent homes where we can control the lights when we are on vacation to create a random use and protect us from burglars vs. having the timer that made us look very even in our daily life. We have fire sensors and climate controls that are connected, and we control them using various channels such as mobile. And there are many more examples. What we know today is that this will explode in the coming years, and by 2020 connected things will by far outnumber connected people. We also know that these connected things will start to act without human interaction and make decisions on their own. It’s no longer a theory with driverless cars, and even though we will not see a wide adoption by 2020, they and other things will drive development within authentication. Why? 1) They need access to services and data to act. 2) They need to be protected and to validate who they communicate with. A driverless car is not likely to pull up an OTP token to authenticate to the garage upon arrival.
8
The other aspect I want to point out as a driving factor is how end users use your services. Today most services are accessed by one or two interfaces and you are able to add an authentication layer at the user interface, for instance using a portal such as in the slide. This is valid also in the foreseeable future, as it provides an easy way for end users to authenticate and it also provides an opportunity to reduce the number of logins for users using Single Sign-On and Identity Federation. But, as we talked about on the Internet of Things slide, it’s not only person-driven access we need to provide authentication for, and this requires a different approach.
9
API access is becoming a more and more important area to address from many perspectives, so also from an authentication perspective. APIs allow applications other than your specific UI to access your services and data, which is great because this will open up new opportunities for you. But it also means that authentication needs to be done differently, as the point where the initial authentication is made is no longer under your control. Yes, you can of course direct an API to your authentication infrastructure, but since you don’t control the UI of the accessing API, if it even has a UI, you’re better off trusting the API using so-called Identity Federation, which means that the API will provide its identity in the form of a token issued by someone you trust. What does this mean for your Authentication Infrastructure? You need to make sure your Authentication Infrastructure supports authentication methods that can be used by an API. Some APIs can use Certificates while others must use Federation Technologies such as SAML, OAuth and OpenID. My recommendation is that you make sure your infrastructure supports all.
10
11
12
So is all good then? Since consumerization drives a lot of development and adoption of technology, making things easier for the end user will be an even more important area to address to 2020. The directions I outlined earlier do this to some extent, but we are still with the factoring discussion. So how can we make authentication easier? So what can we learn from the world around us… Think about your authentication infrastructure as a newborn child, where the child has zero knowledge about people that will claim their identities to it. They sure don’t use a hardware token or ID-card to prove their identity, nor would the child be able to put any trust into those claims. So how do they build up trust?
13
The mutual authentication of mother to child could of course be established by some biometric means during the 9 months of pregnancy.
14
But how on earth does the child build up trust and authentication for other people in its world? Most of it is self-claimed authentication such as “I’m your dad” or federated authentication “This is your brother”, which is repeated over and over again until the child has stored the identity of the other party in its user table (or whatever we should call it). Authentication is likely to be a combination of visual characteristics in combination with others such as voice, smell and other attributes. The more certain the child will be on the authenticity of the other party = Recognition
15
As the child grows they increase their base of authenticated parties and can also start to add more intelligence to their decisions. As they fill up their “user base”, that’s when we start to partly de-provision users in our mind and forget them.
16
So what…?? How does that relate to my authentication infrastructure?
17
When your authentication infrastructure is intelligent it can look beyond the number of factors and begin the journey towards getting to know your users by gathering data about them. You will then be empowered to deliver a better User Experience while you actually increase the security, so it’s a win-win situation.
18
What points in this direction?
19
We are increasingly adding new devices that collect data about end users – both persons and things. These devices are increasingly smarter and will provide you with data about the users without interfering with what they are doing.
20
The sharing generation – we are sharing more data and are willing to share if the value is good enough and we can trust who we share with.
21
Big Data – the growth in data is ever increasing and solutions are now coming to manage and process large amounts of data.
22
So it’s not impossible.
23
24
25
Ardeidae It’s a heron standing on an Island
26
27