
PingTalk Blog

For the last two decades, authentication has been limited to the use of static passwords and token/One-Time-Password (OTP)-based solutions.

That limit needs to be lifted in order for businesses to minimize risk; to secure end-users' data, privacy and identity; and to free the mobile computing revolution to meet its lofty expectations. Current authentication techniques can't hit those high-water marks.

In three years, you will no longer log into a website directly. Mobile authentication and single sign-on will become commonplace. For the first time since the mid-1990s, we will start to experience fewer passwords than the password proliferation we endure today. Federation will, for the first time since the early 2000s, begin to link and consolidate our identities faster than we're able to fragment them.

This past week we announced the acquisition of accells technologies, a mobile identity and multi-factor authentication company out of Israel that has developed some incredible technology we'll be sharing with all of you very soon!

I've always believed that identity will one day converge around our mobile devices, but there are a number of things about this acquisition that have me really excited right now.

As mobile devices cement their spot in enterprise computing, biometrics will become a key technology for providing higher levels of authentication for end-users, according to a Gartner report.

The analyst firm says in the next two years 30 percent of organizations will use biometric authentication on mobile devices. Today, only 5 percent have deployed it.

Biometric options are emerging in the mass market.

Apple last year added a fingerprint reader to its popular iPhone, but as of yet the technology is not available to application developers.

Modern smartphones, however, hold other biometric options, including cameras and microphones, which can support technologies such as facial and voice recognition.

In addition, the FIDO Alliance is working on a protocol to provide the infrastructure to support standardized strong authentication, including biometrics.

The FIDO protocol leverages existing device hardware such as TPM chips, Near-Field Communications and One-Time Passwords, along with biometric devices such as fingerprint readers, microphones, and cameras to support two-factor authentication.

The BYOD trend has employees increasingly bringing their mobile devices to work and (shockingly!) expecting to be able to use those tablets, phones and phablets to do their jobs.

For some in IT it's a crazy notion, so I put together a webinar on how identity can give IT the necessary degree of control. The audio recording is archived here (customer or social log-in required).

I argue in the webinar that the owner of the device matters little in the final equation. The real question is: how will it be used?

If you think cloud computing is intrinsically less secure than what you deploy on-premises, read these arguments from Dave Kearns. Remember, if you have a breach on-premises, your only recourse is to fire some people.

  • Dave Kearns: The misunderstood cloud
    "Michael Osterman, of Osterman Research, recently opined about the security of cloud computing - and its misunderstandings. He compared cloud security to on-premise security in four areas (employee theft/incompetence, malware, hackers, and physical security) and showed that in all four areas the cloud should be, and generally is, more secure than on-premise data storage. Yet the myth persists that the cloud is less secure."

There were other items of interest to the identity community. I've added two new sections, Mobile and Social, to help sort them out. So now we have the megatrends: identity, cloud, mobile and social.

Every time I think I am finally getting a firm grip on the ins and outs of OAuth, along comes something else that I have to add to the puzzle.

But last week, I came across one of the best layouts of the OAuth foundation from the ground up.

I was at the Glue Conference (developer focus and exceptional content) and I had the opportunity to sit in on an OAuth session given by my colleague Brian Campbell (@weeunquietmind on Twitter).

GlueCon, as it's called, is mainly a developer's conference, and it goes cutting edge on APIs, Big Data and Cloud. And while Campbell is the kind of guy who can sharpen the blade on the cutting edge, he had a nice simple OAuth slide entitled the Basic Abstract Flow.

Thinking there are some like me who could use a reference point now and again, I thought I would share the slide, and a link to Campbell's presentation: Is that a token in your phone in your pocket or are you just glad to see me? OAuth 2 and Mobile Devices.

The presentation starts at the introduction of OAuth and lays out where it is relevant today, social, mobile, APIs. It reminds us that the next generation of users don't make a distinction between mobile and computing - it's one thing and it better work. Then it ducks into the weeds with code samples showing mobile applications utilizing social logins with the help of OAuth. Oh yeah, and @paulmadsen is mentioned.

Enterprises thinking about OAuth and how it might mesh with established identity infrastructure, consider this.

I’ve written here before about emerging protocol work designed to bridge the SAML/XML world with the RESTful world of the new kid coders.

Last week, the bridge got stronger. Three Internet Engineering Task Force (IETF) drafts, intertwined and designed to fortify the bridge, were updated, bringing a more complete picture into focus.

The new versions include the OAuth 2.0 Assertion Profile, a model for building specs that allow for multiple assertion types to be exchanged for OAuth access tokens.
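The assertion exchange that profile describes, as an added example written for this page (not code from the IETF drafts or from Ping): a token endpoint that accepts a signed JWT assertion in return for an access token. The grant_type identifier is the one the IETF JWT bearer assertion draft defines; the issuer and token-endpoint hostnames, the shared HMAC key and the claims are constructed for the demo, and MAC-based signing stands in for the asymmetric signatures a SAML or JWT assertion would normally carry. The checks (trusted issuer, signature, audience equal to the token endpoint, expiry, subject present) are the ones the assertion profile requires before a token may be issued.

```python
"""Simulated OAuth 2.0 assertion grant at a token endpoint (added example, not code from the drafts).
Uses a JWT assertion MACed with HS256 under a key the token endpoint shares with the trusted issuer;
issuer "https://idp.example.com" and token endpoint "https://as.example.com/token" are hypothetical."""
import base64, hashlib, hmac, json, secrets

GRANT_JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"  # assertion grant type identifier

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_jwt(claims: dict, key: bytes) -> str:
    """Issuer side: header.payload.signature, each segment base64url without padding."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

class AssertionTokenEndpoint:
    def __init__(self, url: str, trusted_issuers: dict, access_ttl: int = 300):
        self.url, self.trusted, self.access_ttl = url, trusted_issuers, access_ttl

    def token(self, form: dict, now: float):
        """POST /token with grant_type=<assertion grant>&assertion=<JWT>. Returns (status, body)."""
        if form.get("grant_type") != GRANT_JWT_BEARER:
            return 400, {"error": "unsupported_grant_type"}
        try:
            claims = self._verify(form.get("assertion", ""), now)
        except ValueError as exc:
            return 400, {"error": "invalid_grant", "error_description": str(exc)}
        return 200, {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer",
                     "expires_in": self.access_ttl, "subject": claims["sub"]}

    def _verify(self, assertion: str, now: float) -> dict:
        """The checks an assertion profile requires: issuer, signature, audience, expiry, subject."""
        try:
            h, p, s = assertion.split(".")
            header, claims = json.loads(b64url_decode(h)), json.loads(b64url_decode(p))
        except ValueError:  # wrong segment count, bad base64, or bad JSON
            raise ValueError("malformed assertion")
        if header.get("alg") != "HS256":  # only the configured algorithm, never whatever the header says
            raise ValueError("unexpected alg")
        key = self.trusted.get(claims.get("iss"))
        if key is None:
            raise ValueError("untrusted issuer")
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            raise ValueError("bad signature")
        if claims.get("aud") != self.url:  # the assertion must be addressed to this token endpoint
            raise ValueError("audience mismatch")
        if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
            raise ValueError("expired")
        if not claims.get("sub"):
            raise ValueError("missing subject")
        return claims

def demo() -> dict:
    """Constructed sample: one good assertion plus the failure modes a deployment must reject."""
    key = b"constructed-shared-key-for-the-demo"
    endpoint = AssertionTokenEndpoint("https://as.example.com/token", {"https://idp.example.com": key})
    now = 1_700_000_000.0
    good = {"iss": "https://idp.example.com", "sub": "alice", "aud": "https://as.example.com/token", "exp": now + 60}
    def post(claims, k=key):
        return endpoint.token({"grant_type": GRANT_JWT_BEARER, "assertion": mint_jwt(claims, k)}, now)
    h, p, s = mint_jwt(good, key).split(".")  # re-use a valid signature over an altered payload
    tampered = endpoint.token({"grant_type": GRANT_JWT_BEARER,
                               "assertion": ".".join([h, b64url(json.dumps({**good, "sub": "admin"}).encode()), s])}, now)
    return {"good": post(good)[0],
            "expired": post({**good, "exp": now - 1})[1]["error_description"],
            "wrong_audience": post({**good, "aud": "https://other.example.com/token"})[1]["error_description"],
            "unknown_issuer": post({**good, "iss": "https://unknown-idp.example.net"})[1]["error_description"],
            "wrong_key": post(good, b"some-other-key")[1]["error_description"],
            "tampered": tampered[1]["error_description"]}
```

The order of checks matters less than their completeness: a token endpoint that verifies the signature but skips the audience check will happily mint tokens from assertions that were issued for some other relying party.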

It doesn't take a second thought to figure out if your employees are more likely to fill their pockets with a mobile phone or a token-based authentication device - or which one they are more likely to misplace.

And with rising interest in two-factor authentication, it shouldn't take a second thought about what device is best as the "something you have" part of the two-factor (or even multi-factor) equation.

In a survey done by PhoneFactor with 300 IT pros, multi-factor authentication was one of the top three security measures cited for securing cloud computing (the other two were encryption and intrusion detection).

In a Webinar today with PhoneFactor (disclosure: they are a Ping technology partner), Sarah Fender, vice president of marketing and product management for the multi-factor authentication provider, laid out some of the other survey findings and showed how PhoneFactor could be a corner piece in the security and authentication puzzle that IT faces with the cloud.

There was a riff going at the RSA Conference last week.

"We say identity is the new perimeter." If you think this was heard on the show floor or was a T-shirt slogan, think again.

The quote came from Nasrin Rezai, CTO security for worldwide security architectures at Cisco. She participated in a session focused on mobile device adoption: "BYOD(device) without BYOI(insecurity)". Dan Houser, security and identity architect at Cardinal Health, and his colleague Goran Avramov, senior infrastructure architect, were also there speaking about the thousands of personal devices that have invaded their enterprise. The two Fortune 100 companies dispensed implementation knowledge from the trenches.

According to Houser, Cardinal's "perimeter" identifies personal devices, keeps them off the network altogether and treats them like a kiosk.

What Rezai and Houser are describing is a transition that others are starting to see: security perimeters now extend beyond traditional firewalls and the creation and consumption of identity - who, what, when, why and no way - is happening in distributed infrastructures, platforms, applications and devices.

"Identity is an architectural anchor point," said Rezai.

The discussion of that identity anchor point eventually won't be around the architecture, but on the apps and security options it enables. 

There is fierce competition amongst members of Ping's CTO team around who can pull in the largest audiences for the webinars we give. Well, to be precise, there is fierce competition amongst other members of the team in trying to match my audience numbers - I just continue to set records.

But a recent Star Wars themed webinar from Pam Dingle on "SAML & OAuth enabled identity" shook me a bit from my comfortable complacency. Pam had the nerve to pull in a not insignificant audience. Even if almost all that audience were subsequently IP-tracked to a single kangaroo petting zoo in Australia, clearly I needed to step up my game accordingly and give a 'Webinar 2.0' when next my turn.

I planned accordingly:

  1. Research told me that 'mobile' was right up there with 'bieber' as hot search terms amongst the all-important 'teen daughters of enterprise CISOs' demographic.
  2. Knowing that these very CISOs are feeling the pressure of BYOD [bring your own device], I reasoned that SaaS providers, in a sense an extension of their enterprise customers, must also be feeling the BYOD pressure, even if indirectly. Since part of BYOD is the expectation that employees can interact with business applications just as they do with their personal applications, by extension those employees will expect to interact with SaaS applications on their phones via native applications.
  3. While OAuth 2.0 has emerged as the default standard for authenticating native mobile applications to their APIs, there is no small amount of confusion as to how to actually implement OAuth 2.0 for such clients (e.g. how to authenticate the user, which grant type to use, how to deliver parameters to the application from the browser, etc.).

The result? Like an '80s boy band, a webinar so targeted to its intended audience it could not help but set new records - one that explores the choices that SaaS providers must make in using OAuth 2.0 to secure a native mobile application. One that provides sample iOS and Android code by which a native application launches a browser to authenticate the user, obtains access tokens from an Authorization Service, uses the tokens to call a SaaS API, and then refreshes the tokens when they expire. One that doesn't so blatantly cater to IT geek culture with a Star Wars theme.

And most importantly, one that re-establishes me as the unchallenged leader in the Ping Identity CTO team webinar audience-numbers race.

(Ed. - Listen to Paul's webinar "Got Mobile Support." Log-in or social log-in required.)
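The flow the webinar describes (a native application sends the user to a browser to authenticate, obtains tokens from an Authorization Service, calls a SaaS API with them and refreshes them when they expire), as an added example written for this page rather than the webinar's iOS or Android code. It is a Python simulation in which the native app, the Authorization Service and the SaaS API are objects in one process, so network round trips become method calls; the client_id, redirect URI and user name are constructed. It goes slightly beyond the post by including the state parameter and PKCE (RFC 7636), the two protections a native client relies on because it cannot keep a client secret on the device.

```python
"""Simulated OAuth 2.0 authorization code flow for a native mobile client (added example,
not code from the webinar). Hypothetical names: client_id "saas-mobile-app", redirect URI
"com.example.saas:/oauth2redirect", user "alice". Network hops are direct method calls."""
import base64, hashlib, secrets
from urllib.parse import parse_qs, urlencode, urlparse

def _s256(verifier: str) -> str:
    # PKCE S256 transform: base64url(SHA-256(verifier)) without padding.
    return base64.urlsafe_b64encode(hashlib.sha256(verifier.encode()).digest()).rstrip(b"=").decode()

def _flat(query: str) -> dict:
    return {k: v[0] for k, v in parse_qs(query).items()}  # parse_qs yields lists

class AuthorizationServer:
    def __init__(self, client_id: str, redirect_uri: str, access_ttl: int = 3600):
        self.client_id, self.redirect_uri, self.access_ttl = client_id, redirect_uri, access_ttl
        self.codes = {}           # code -> (user, code_challenge); redeemable once
        self.refresh_tokens = {}  # refresh_token -> user; rotated on every use
        self.access_tokens = {}   # access_token -> (user, expiry)

    def authorize(self, query: str, authenticated_user: str) -> str:
        """Browser-side step: the user has just logged in; redirect back to the app with a code."""
        p = _flat(query)
        # Registered client plus exact redirect URI match keeps the code from reaching a different app.
        if p.get("client_id") != self.client_id or p.get("redirect_uri") != self.redirect_uri:
            raise ValueError("unknown client or redirect_uri")
        if p.get("response_type") != "code" or "code_challenge" not in p or "state" not in p:
            raise ValueError("invalid_request")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (authenticated_user, p["code_challenge"])
        return self.redirect_uri + "?" + urlencode({"code": code, "state": p["state"]})

    def token(self, form: dict, now: float) -> dict:
        """Token endpoint handling the authorization_code and refresh_token grants."""
        if form.get("client_id") != self.client_id:
            raise ValueError("invalid_client")
        grant = form.get("grant_type")
        if grant == "authorization_code":
            entry = self.codes.pop(form.get("code"), None)  # pop: a code works exactly once
            if entry is None or form.get("redirect_uri") != self.redirect_uri:
                raise ValueError("invalid_grant")
            user, challenge = entry
            if _s256(form.get("code_verifier", "")) != challenge:  # same app that began the flow
                raise ValueError("invalid_grant")
        elif grant == "refresh_token":
            user = self.refresh_tokens.pop(form.get("refresh_token"), None)  # old one retired
            if user is None:
                raise ValueError("invalid_grant")
        else:
            raise ValueError("unsupported_grant_type")
        access, refresh = secrets.token_urlsafe(24), secrets.token_urlsafe(24)
        self.access_tokens[access] = (user, now + self.access_ttl)
        self.refresh_tokens[refresh] = user
        return {"access_token": access, "token_type": "Bearer", "expires_in": self.access_ttl, "refresh_token": refresh}

def api_profile(authz: AuthorizationServer, authorization: str, now: float):
    """Protected SaaS API: 200 for a live Bearer token, 401 otherwise."""
    scheme, _, token = authorization.partition(" ")
    user, expiry = authz.access_tokens.get(token, (None, 0.0)) if scheme == "Bearer" else (None, 0.0)
    return (200, {"user": user}) if user and now < expiry else (401, {"error": "invalid_token"})

class NativeApp:
    """Public client: no client secret on the phone, so state and PKCE protect the flow instead."""
    def __init__(self, authz: AuthorizationServer, client_id: str, redirect_uri: str):
        self.authz, self.client_id, self.redirect_uri, self.tokens = authz, client_id, redirect_uri, None

    def login(self, user: str, now: float) -> dict:
        state, verifier = secrets.token_urlsafe(16), secrets.token_urlsafe(32)
        query = urlencode({"response_type": "code", "client_id": self.client_id, "redirect_uri": self.redirect_uri,
                           "state": state, "code_challenge": _s256(verifier), "code_challenge_method": "S256"})
        callback = self.authz.authorize(query, user)  # stands in for launching the system browser
        p = _flat(urlparse(callback).query)
        if p.get("state") != state:  # binds the callback to this app's own request
            raise ValueError("state mismatch")
        self.tokens = self.authz.token({"grant_type": "authorization_code", "code": p["code"], "client_id": self.client_id,
                                        "redirect_uri": self.redirect_uri, "code_verifier": verifier}, now)
        return self.tokens

    def call_api(self, now: float):
        """Call the API; on 401 refresh once and retry. Returns (status, body, refreshed)."""
        status, body = api_profile(self.authz, "Bearer " + self.tokens["access_token"], now)
        if status != 401:
            return status, body, False
        self.tokens = self.authz.token({"grant_type": "refresh_token", "client_id": self.client_id,
                                        "refresh_token": self.tokens["refresh_token"]}, now)
        status, body = api_profile(self.authz, "Bearer " + self.tokens["access_token"], now)
        return status, body, True

def demo() -> dict:
    """Login, one call inside the 60 s token lifetime, one after expiry that triggers a refresh."""
    authz = AuthorizationServer("saas-mobile-app", "com.example.saas:/oauth2redirect", access_ttl=60)
    app = NativeApp(authz, "saas-mobile-app", "com.example.saas:/oauth2redirect")
    first = app.login("alice", now=1000.0)
    fresh, expired = app.call_api(now=1010.0), app.call_api(now=1100.0)
    return {"fresh": fresh, "expired": expired, "rotated": app.tokens["refresh_token"] != first["refresh_token"],
            "old_refresh_dead": first["refresh_token"] not in authz.refresh_tokens}
```

Two design choices are worth noting. The authorization code is popped from the server's table when redeemed and the code_verifier must hash to the challenge sent through the browser, so a code intercepted on its way back to the device is worthless on its own. The refresh token is likewise rotated on every use, which means a refresh token lifted from one phone and replayed from elsewhere stops working as soon as the legitimate app refreshes, and the resulting invalid_grant error is the signal a defender should be alerting on.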