So, next year might be stretching things a little given the topic we are going to tackle is one of boundaries and how they will be defined and protected as we move ever closer to the merging of humans and technology—but bear with us as we try to work out how we get to solve one of the very fundamental issues that still plagues us AND is arguably responsible for most of the breaches we see every damn week... yes, passwords.
How have we tried to fix this one? We’ve spent years talking with users, managers, and executives in the various forums and mannerisms that they would understand. We’ve asked, cajoled, and threatened them with everything from treats to tasers, and yet we still fail miserably at maintaining control or any actual security around passwords. We’ve tried to come up with inventive ways to manage them, store them, pass them around, and generally protect them... yet we’ve failed…miserably.
We had Dilbert go through password options. Even XKCD gave us horses, batteries, and staples to try to encourage us to do something better than “SELECT (_fav_football_team)+((VAR/4)*time_in_job)!” (which translates to "GoPackers12!" for someone in Wisconsin who has been in the job for three years).
We have to go back to the drawing board, not to come up with other ways to deal with them, but to fundamentally challenge the existence of them at all. We have to come up with other ways to validate that WE EXIST, and that is what the challenge is (and ultimately what will save us). Proof of existence should simply be the challenge response that allows us to interact with a system.
Ah, you cry! We have that, it’s called biometrics. Nope, I respond, that’s simply a fancy password wrapped up in someone’s 7th grade biology lesson. Oh, and we have not adopted it as mainstream because we still lose basic passwords. What the hell happens if we start to lose our DNA fingerprints? I know I can change my Yahoo password each time they get p0wned, not sure I can change my DNA quite as frequently. So biometrics are out. What’s next?
We’ll ignore fingerprints; too many attack vectors, too many ways to fake them, and too many ways to bypass them across most deployments. So what’s next? Our gait, or our facial characteristics, our palms, or possibly forehead when things get bad. What else can we come up with that the geeks deem unique? All have their flaws, and all have their implementation challenges AND ultimately could be disastrous should they be breached.
Which brings us neatly back to the simple truth that we have, for years, been using parts of us as justification for access to the very systems we created. Why not simply turn the tables and have our very existence be the key for integration with whatever systems we are using?
We are edging closer and closer to a point where convergence is a real possibility, where the realm of physical and digital are blurred, and the squishy sack of water, calcium, and carbon we call home can be realistically discarded. BEFORE we get there, we should really work out how to manage passwords and access controls more efficiently than stipulating “P@ssword1” is not permitted.
We need to move beyond simple biometric or even layered biological controls. We need to take a fundamental leap forward and embrace the simple fact that our existence is the actual key to access. Mother Nature has known this for several thousand years. Why the heck have we yet to work out the computational equivalents?
So, while we work out how to solve passwords in the 2020s, I’m going to go back to researching the basic brain wave biometrics and communication architectures and somehow try to convince my computer that I am both ME and I am able to log in without having to remember 101 passwords, passcodes, acronyms, and other things.