As Passwords Die, Are We Witnessing Revolution or Evolution?

It would be pretty funny if the next ad for Apple’s iDevices touting TouchID happened to make the point using Google Glass (“In a world, where Glassholes are everywhere – behind you in line at Starbucks, sitting next to you on the BART, even lying in bed next to you – no passcode is safe!”). This article about the consumerization of shoulder surfing using Google Glass (and other wearables, to be fair) shows that any kind of PIN entry or pattern swiping can be captured, analyzed and figured out pretty quickly. This Ars Technica article taught us that even so-called strong passwords are fairly easy to crack. Last year, many services rushed to add 2-factor authentication as a means of combating the ineffectiveness of passwords.


This was a good, and long overdue, step by these services. But as this story about PayPal 2FA and the Google Glass story above illustrate, advancements in the capabilities, ubiquity and accessibility of technology mean that we are locked in an arms race, one where the latest state-of-the-art approach will become outdated every release cycle. All this against the backdrop of a shifting landscape where the Internet of Things, cloud computing, BYO*, mobility and customer bases in the millions are bringing completely new requirements and challenges for identity infrastructure.

The fundamental question facing the IAM community is whether initiatives like NSTIC, FIDO Alliance, IRM, Nymi and others are truly revolutionary in a way that will satisfy Ian’s bloodlust, or whether they are just evolutionary and it’s simply a matter of time before they are eaten up. The tagline for this year’s Cloud Identity Summit would have you believe that it is the former. I’m not so sure about that. Which means that with less than a month to go, I’m still not sure how Pam, Andrew and I will explore that very (existential) topic in the “Usable Identity” track we’ll be presenting at CIS.