We don’t need better authentication

I saw a tweet today concerning authentication.

Monaco, at White House cybersecurity summit at Stanford, calls for replacing passwords with more secure technologies.

— Paul Krill (@pjkrill) February 13, 2015

When reading that the first thing that came to my mind was “with what?”  When will that one be hacked and then replaced by something else, which will then be hacked and replaced by something else?  For all of its faults a good password is already stored in the most secure storage repository around; your brain.

The problem, however, is that our brain is really good at remembering concepts, abstractions, gists, it is horribly bad at fine precision details.  When it comes to identity, I know who I am and you know who I am (if you know me).  On the other hand, computers are really good with precision information but really, really bad at concepts, abstractions and gists.  And so when we identify ourselves to the computer we have to stoop to its level.  And so we need to continually improve our techniques to identify ourselves to these dumb machines.

Multi factor authentication is a good thing to examine.  However, it has a flaw.  It requires two or more means of authenticating yourself.  You need something you know (a passcode), something you have (a phone) and/or something you are (biometrics).  This is all good stuff.  It really is.  But what if you were out to dinner and you were about to pay and you realized you forgot your phone (because you were so engrossed in the conversation that you even forgot to check email or to Like your accompanying’s checkin at said restaurant).  What biometrics would you use to authenticate yourself?  Eye?  Biochip?  Anyone seen Demolition Man?

“Would you leave me alone, I’m trying to go to the bathroom here!”

Perhaps what we should be doing as well as looking to increased authentication criteria is building a system that is expected to fail.  So if a company is storing credit card information and it leaks into the public have a second methodology that invalidates fraudulent activity and resets the account.  Have the proper security, but also know that security alone is insufficient for dealing with the modern world.

In truth I don’t know what that would look like or how it would operate.  But I don’t think that the problem of identity management is going to be solved by providing more complex authentication methods.  I honestly think that we need to presume failure in security as one of the layers of defense in depth.

Note, again, that my title is link-bait.  Yes, we do need better authentication, but we also need better corruption recovery methods.