That is the estimated cost
it will take to convert the current U.S. credit card system to EMV
chip-and-pin — roughly $27 per U.S. citizen.
What does that have
to do with passwords? Killing the password won’t come without its own
hefty price tag for corporate and cloud service providers —
back-end/front-end technology replacements/transitions, integration,
maintenance, end-user training and support costs.
In the EMV world the costs are wrapped up in new point-of-sale (POS) terminals, ATM card-reader upgrades, and issuing new cards.
authentication, the other important factor is liability, who pays when
things go wrong, a question the credit card industry is answering next
These are transitions that take years not months.
If you have just one password for
everything it’s easy to remember, but we all know that isn’t safe. So
how do you keep track of a large number of them – and not have to worry
Cloud providers like Google and Yahoo bristle
at the potential support costs and user angst that would come if
passwords were to die — it’s the virtual entry point to their
services. The bigger the service, the greater the costs.
have millions of dollars sunk in identity and access management
infrastructure. In many cases, authentication changes will be grafted
onto technology such as single sign-on, which still requires a password.
Innovation won’t seek to kill passwords, only contain them
within a broader equation around authentication type plus value of
resource. (i.e. you’ll face more authentication challenges on your bank
access than your Flickr account).
For authentication changes, liability is the true sticking point just as it has been with EMV.
reason merchants haven’t plunged into card changes that are projected
to reduce fraud by up to 40% is because merchants aren’t on the hook for
So why the EMV conversion?
On October 2015 a shift
in liability will go into effect and for the first time merchants who
do not have EMV-enabled POS readers will be liable for fraud and not
Visa, MasterCard, Discover, American Express and their banking partners.
The stat that broke that camel’s back was $7.1 billion in fraud in 2013, a 29% increase over 2012.
A billion anything is a powerful motivator.
the password side, the incentive to move to more sophisticated
authentication options is in play. How the Targets, Sonys and lawyers of
the world resolve breach issues will factor prominently in strong
authentication options for the masses.
One major prediction I made
in January is that the discussion around passwords will semantically
shift to authentication. Access control will be defined by specific or
combined forms of authentication applied at specific times to specific
classes of devices, access and transactions.
everything from security questions to capchas, passwords, biometrics,
tokens, gestures, behaviors, and other innovations. Passwords will
become authentication’s failed 1.0 implementation.
will define use cases, and liability will be off-loaded whether to a
single identity and access management cloud provider or across a number
Privacy concerns also will influence these
decisions, especially around techniques such as continuous
authentication, which raises the tracking flag.
Passwords will be
used to signal that you would like to access a service, much like
lining up in front of a popular nightclub. But it will take another
authentication credential (a government-issued ID in the night club
example) or more to gain access authorization.
There will be a range of credential options to ensure a “level of assurance” to “grade” authentication, such as in-person verification for Level of Assurance 4 credentials.
know of one U.S. military installation that uses a neutral “pod”
(accessed with a PIV card) that sits between two rooms. The pod has a
built-in scale to check the persons weight (against a database; plus or
minus five pounds margin of error) followed by an iris scanner
authentication. All this happens after the door to the pod is shut and
before the door opens to the next room.
So don’t look (or wait)
for passwords to die, look at authentication as a whole, as a layer to
be architected or inserted via a service provider. Think about use cases
and combinations of authenticators.
Things at first may look a
little more complex (especially as authentication is integrated with
other risk-based tools/strategies), but innovation should eventually put
most of that complexity in the background.
It’s going to be a process. But given recent events, the alternative looks much worse and the costs much higher.