Authenticate Day 6: The Future of Strong Authentication
By: FIDO Alliance Staff
After six full days of insightful content and engaging speakers, the inaugural Authenticate Conference wrapped up on Nov. 19.
A theme that resonated throughout multiple sessions on the final day of the conference was the future of authentication. The potential future impact of machine learning on authentication, the future of PKI and the decentralized future were all topics of discussion across sessions. Another highlight of the day was a morning session where Microsoft outlined its path toward password-less and the lessons learned as it has embraced FIDO standards for strong authentication.
At their core, FIDO standards make use of public-key cryptography, though FIDO differs from traditional Public Key Infrastructure (PKI) in a number of important ways. In a session, Arshad Noor, CTO of StrongKey, outlined the future of PKI and FIDO. Noor explained that unlike PKI, FIDO does not make use of X.509 digital certificates for end users. He added that FIDO keys do not expire like digital certificates and, as such, managing the lifecycle of FIDO authentication requires a different mindset and philosophy than PKI.
“A lot of the complexity that PKI brings to the table, doesn’t exist with FIDO,” Noor said. “There’s a different kind of complexity. I’m not going to make this sugar coat it, but there is a certain amount of complexity in FIDO too, but it’s not quite as complex as PKI in my personal opinion.”
Microsoft Says Hello to FIDO
There are a lot of good reasons why Microsoft has embraced FIDO authentication standards. Aakashi Kapoor, Senior Program Manager at Microsoft, explained that one of the reasons Microsoft began its journey with FIDO is that the company realized it had to help its customers move away from passwords.
“Everyone assumes passwords are easy to use but they are not,” Kapoor said. “They’re actually difficult to use.”
She noted that users often end up using the same password across multiple platforms. Adding a second factor is often seen as being inconvenient as users not only have to remember a password, but they also need a second factor that is available.
“So when we were working on our passwordless options we wanted to ensure that there is something that gives users high security while also being convenient to use,” Kapoor said.
To that end, Microsoft has embraced FIDO to help enable its strong authentication and password-less approach. Kapoor noted that the biggest learning that Microsoft has had from the deployment was that credential management is as important as authentication.
“It’s not only important for users to have a strong highly secure authentication method, but it’s also important for them to have a way to manage the entire end to end lifecycle of that credential,” Kapoor said.
The Future of Machine Learning, Identity and Authentication
While cryptography is at the core of FIDO strong authentication, there is also a role for machine learning and artificial intelligence, according to Asad Ali, Technologist at Thales.
One area where he sees machine learning having a potential impact on authentication is a concept known as device vicinity context. The basic idea behind device vicinity is that a user will have a similar set of devices around them whenever they are performing a certain action.
“So I have this array of peripheral devices around my working life and the question is can we develop an algorithm for an application, which would over time make sense of what it is that I have around me when I work,” Ali said. “And by doing so essentially predict what authentication method should we use, or if any authentication method is needed at all.”
While machine learning might have a strong role to play in the future of technology, for Steve Wilson, Managing Director at Lockstep Technologies, the future of identity lies in authentication and analyzing data quality. In Wilson’s view, it’s critical to have infrastructure that establishes the quality and reliability of data.
“A little epiphany I’ve had recently about digital identity is that digital identity can’t be anything other than data – it’s all we’ve got,” Wilson said.
The Decentralized Future of Identity
The final panel of the Authenticate conference was moderated by Brett McDowell, who currently serves as the Executive Director of the Hedera Council. McDowell is well known in the FIDO community as the founding executive director of the FIDO Alliance.
“The cryptographic authentication technologies of FIDO and the cryptographic technologies being deployed in distributed ledgers are complementary building blocks that can be used to improve the overall state of identity management,” McDowell said.
Ramesh Kesanupalli, who was one of the founders of the FIDO Alliance and currently serves as the CEO of Digital Trust Networks, commented that FIDO already has a decentralized authentication process.
“There is no centralization of authentication anymore,” Kesanupalli said.
Nat Sakimura, Chairman of the OpenID Foundation, noted that identity now and in the future will remain decentralized. He explained that his version of identity is about the ability to identify a person or entity based on a set of attributes and claims.
“When you think about it, there won’t be any single source of identity for all attributes,” Sakimura emphasized. “Each place has got its own authoritative sources and it’s not going to be unified.”
That’s a Wrap
With six full days of content, over 50 sessions including technical deep dives, panel discussions and case studies, the first Authenticate Conference was a resounding success.
In his closing keynote, Andrew Shikiar, Executive Director and Chief Marketing Officer at FIDO Alliance, reminded attendees that FIDO’s mission is to move the world to a modern form of authentication.
“Simply put, the old model isn’t fit for purpose and nor has it been for some time, whereas the FIDO model is built to address today’s use cases, as well as those emerging in the future,” Shikiar said. “I’d say FIDO has matured from a whiteboard concept, nine years ago, through early adoption to becoming a must have feature for user authentication.”
Shikiar also announced that the next Authenticate Conference is planned to be held in person in Seattle, Washington, on October 19-20, 2021! Stay tuned for more details!