Having spent my whole life coding, implementing, developing and patenting authentication solutions, I think I have the right to say: “that stuff doesn’t work.”
That is, if the criterion for “working” is that the identity processed by the authentication solution reaches the relying party as a 100% reliable, trustworthy identity, then no, this is not “working.”
Sure, we can prove (and I have done this thousands of times in my career) that the validation portion of the authentication process “works.” That is, we can show mathematically and empirically that the credential collected by the auth mechanism matches the value held in the relying party’s data store, whether that credential is a password, a one-time password (OTP), an X.509 cryptographic exchange, a biometric such as a fingerprint, gait or facial scan, or a mobile push approval.
Yes, the “auth” process can be validated, and the validation will show that the technical credential verification system is “working.”
But let’s ask our hacker friends, white hats, grey hats and black hats alike, whether these identity validation tools are keeping them from achieving their results.
The answer is: Hardly.
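To make the distinction concrete, here is an added example (not code from the original post or from the author's products): a relying party's TOTP validator that is demonstrably correct against the RFC 6238 test vectors, next to a constructed phishing relay that the same validator accepts. The secret, the timestamps and the relay function are all assumptions made for illustration.

```python
"""Added example, not from the original post: a correct TOTP validator and a
constructed phishing relay that it cannot tell apart from the real user."""
import hashlib
import hmac
import struct

# RFC 6238 reference secret (ASCII "12345678901234567890"), chosen so the
# validator can be checked against the published test vectors. Constructed data.
RP_SECRET = b"12345678901234567890"
STEP = 30    # seconds per time step
WINDOW = 1   # accept one step either side for clock drift, a common RP setting


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // STEP, digits)


def verify_totp(secret: bytes, code: str, at: int, digits: int = 6) -> bool:
    """The relying party's validator: does the submitted code match the stored
    secret for the current step or one step either side? Constant-time compare."""
    counter = at // STEP
    return any(
        hmac.compare_digest(hotp(secret, c, digits), code)
        for c in range(counter - WINDOW, counter + WINDOW + 1)
    )


def relying_party_login(submitted_code: str, now: int) -> bool:
    """What the RP sees: a password step already passed (omitted here) plus a
    six-digit code. Nothing in the request says who typed the code, or where."""
    return verify_totp(RP_SECRET, submitted_code, now)


def phishing_relay(victim_typed_at: int, relay_delay: int) -> bool:
    """Constructed attacker-in-the-middle: the victim reads the genuine code off
    their authenticator and types it into a lookalike page; the proxy forwards
    it to the real RP relay_delay seconds later."""
    code_the_victim_typed = totp(RP_SECRET, victim_typed_at)  # genuine code
    return relying_party_login(code_the_victim_typed, victim_typed_at + relay_delay)


if __name__ == "__main__":
    t = 1111111109  # RFC 6238 vector time; the 8-digit code there is 07081804
    print("validator matches RFC vector:", totp(RP_SECRET, t, 8) == "07081804")
    print("legitimate user at t:        ", relying_party_login(totp(RP_SECRET, t), t))
    print("phished code relayed 5s later:", phishing_relay(t, 5))
    print("same code replayed 2 min later:", phishing_relay(t, 120))
```

The validator is correct in every sense the post credits: it reproduces the RFC vectors and it rejects the code once the window has passed. It still accepts the relayed code, because a shared-secret OTP proves only that whoever submits it knew the secret's current output, not that the submission came from the user's own session with the genuine site. That gap, not the HMAC, is what the phishing proxy exploits; credentials bound to the origin (for instance WebAuthn/FIDO2) close it, a bearer code cannot.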
Isn’t Authentication Enough?
To the product or business owner, authentication is not just the “friction” of the login step; it is the entire process of validating that the user identity we authenticated is the same user now consuming the IT resource.
The industry tries to distract the audience from the real problem by hypnotizing the market with the “shiny object,” e.g.: “look at how many vectors my facial recognition model collects! The number is bigger than my competitor’s!” But the problem keeps growing.
For example, phishing attacks remain the most common form of identity theft. Information gained from social harvesting and from the users themselves allows attackers to build up a detailed profile to use in (Read more...)
This is a Security Bloggers Network syndicated blog post authored by Garret Grajek. Read the original post at: Cylance Blog