Authentication’s Last Mile

In communications parlance, the last mile refers to the difficult problem of getting from the street to a consumer’s home, and it’s often the most difficult part. I think there’s something similar we’re facing with computing and security.

We seldom have a problem validating that someone did something. And we can do all sorts of extra checking that this is true. We have passwords, we have one-time passcodes sent to phone numbers, we have secret questions and answers, and we also have physical tokens with other single-use identity verification as well.

But someone can just steal these things. Knowing most peoples’ passwords and secret question/answer combinations is a Trivial Joke, and if you lose your phone, your token, or whatever else you authenticate with, people can simply become you.

So you’re not ever really authenticating you. What you’re authenticating is that you know things, or that you have things.

Now we do have biometric authentication, which attempts to solve this with an addition type of factor, i.e. something you are instead of something you have, or know. But biometrics thus far have been a bit one-dimensional. Fingerprints, voice authentication, hand scanners, even iris scanners—they all seem to have their own quirks. They tend to either be too hard to use, or too easy to copy, which drops us back to the lost password problem.

What’s ultimately going to be needed is some sort of semi-centralized (it can be many private groups doing it) where validation of ID is performed somehow at enrollment time as well as when you change parameters (such as getting a new mobile device).

The last mile is the direct link between:

  1. A multitude of validation factors that are unique to a person.

  2. To the claim that they are who they say they are.

  3. To the request being made.

Imagine, as I discuss in my piece called The Future of Authentication, that you have instead of just a passcode and a token, that you instead have dozens or hundreds of ways that you are confirmed to be you.

  • Iris mapping

  • The way you walk

  • The way you move your body in other ways

  • Your voice

  • Your typing signature

  • The fact that you have access to some device

  • The fact that you know something

  • Your height

  • Your weight

  • Your heartbeat signature

  • The makeup of your sweat

  • Etc, etc.

The list can, and will, go on.

What will happen is that there will be companies that specialize in knowing YOU, and it will have hundreds of ways of measuring this, all weighted based on their own algorithms. So when your mobile device becomes your central hub for authentication as you move through the world, it will be passing a claim from this Identity Validation Service through to the resource that you’re attempting to access.

Unsupervised Learning — Security, Tech, and AI in 10 minutes…

Get a weekly breakdown of what's happening in security and tech—and why it matters.

Data from you and from many other places stream into the Identity Validation Service constantly. They have a constant certainty rating for how likely you are to be who you are at any given time.

You step on a crack in the sidewalk and twist your ankle? Well, the data stream of your gait is now off from baseline. It’s also off if you change shoes. Or if you’re sore from doing squats the day before. But it’s only one of hundreds of feeds coming in.

If someone grabs your mobile device, makes you tell them your password, makes you add their fingerprint to the system, you’d be screwed at this point. They’d become you.

But in this system, everything from the mobile device, including all the other metrics are still streaming in. Now suddenly the person walks FAR different. Now they’re shorter. Now their voice is way different. They’re going places they don’t normally go. It looks like theft.

And here’s the key. This streamed data is not just going to the mobile device to be sent to a resource the person is trying to access. It’s being sent to the Identity Verification Service, as a bundle of stream data, and when you want to use a resource you’re sending a signed request from yourself and from the IVS. This request will include a field for the certainty score, and requested resources can choose to reject requests with certainty scores below a certain point.

This type of system, however it plays out exactly, is the future of authentication. Not just in the fact that authentication will be constant and granular like I talked about in the previous piece, but also in the fact that claims will be signed by a third party expert on your identity, and therefore on your authentication.

If it sounds scary to you, I’m with you. But I’m not describing the pleasant or the ideal. I’m describing what’s probably going to happen.

We need a last mile link that validates requests come from the right person, and this is likely how it’ll be implemented.

Related posts: