The definition of the cloud has been in metamorphosis since its conception. The earliest understanding of the term served a useful purpose as it really was a paradigm shift to a scalable, elastic, quickly deployed infrastructure. While appropriate at the time, this definition lacks some clarity as many see it as the foundation of what we now see as the Internet on the whole.
What is certain in the future is that ‘what goes online stay online’. This points to a future where every device will simply connect to the cloud. Yes, we cannot deny it – “everything” will soon be online. Currently, most things are offline by default, but being online and connected will become the default for everything. The cloud will be the foundation of the data for the edge devices. This massive cloud computing power with instant response will make intelligence on demand available for everyone, everywhere. New business models where devices are boosted by inexhaustible cloud-based resources – will begin to emerge. AI will benefit as a result. We will experience more natural interactions with computers. A super intelligence. This incredible computing resource combined with fast 5G will serve us with a powerful computing potential previously considered to be in the science fiction realm.
However, with this relentless move towards online comes a question around online protection. With the cloud, true security practices always come at the cost of convenience. This is a well-known mantra in the security world. The correct trade-off to give them a ‘certain level’ of security while still not eating into productivity is what most people are seeking. Of course, that ‘certain level’ will differ as people have different threat actors to worry about.
We have a good understanding of what is good solid authentication today which generally involves a mix of a strong password (ideally random generated and managed by a password manager) linked to multi-factor authentication via a dedicated app or a hardware token. Of course biometrics can be in the mix too.
However, we know that a significant proportion of online users are unable and unwilling to adopt these practices. Yes, we can teach some people how to use password managers and we can get organisations to better integrate password managers with the software and devices we use to enter them but that will not happen universally.
The computer security industry knows that password authentication is broken. With most cloud applications protected by nothing more than a password, this proves an increasing challenge. However, it is still a method which everyone knows how to use. Until another easy to use authentication can surpass it, then we have to live with it and hopefully people will get the message of the dangers of password reuse on sites and the need to make it long (and as random as possible).
We are seeing some moves against passwords. Just in October, Microsoft announced that it now supports password-less logins via its Microsoft Authenticator app. It works for hundreds of thousands of Azure Active Directory-connected apps. It is not entirely a new avenue for them as for some time with Windows Hello, it offers a version of this for Windows 10 users. For Azure Active Directory, the Windows Authenticator app basically copies Windows Hello functionality and it allows users to use their fingerprint, PIN or face to log in to enterprise applications. The idea is to provide two factors of authentication: something you are (your fingerprint or face) and something you own (your phone). What this does indicate is a move towards eradicating the password as the defacto authentication method.
It is feasible that biometric authentication becomes the de facto form of providing credentials in the future (although it should be combined with multi-factor methods). Many smartphones have biometric readers or sensors incorporated into the hardware. Deployment of proper biometric solutions should significantly reduce identity thefts with great benefits for the economy by eliminating passwords from the equation in place of more reliable solutions. Face ID does seem to work quite well. It works by projecting around 30,000 infrared dots on a face to produce a 3D mesh. The infra-red sensor on front is crucial for sensing depth which allows the device to verify the ‘liveness’ of what is in front of it. Earlier facial recognition features were easily tricked by face masks and 2D photos. Behavioural biometric based authentication methods on mobile platforms is another step in the right direction. They are more than just a one-off identification process, as they allow for on-going monitoring of a person’s behaviour, detecting things from the way someone types to the angle at which they hold their phone. There is also voice authentication but it suffers of course from the danger of aural eavesdropping.
The most interesting new moves in authentication have been the move by IT giants such as Google in their Advanced Protection programme to embrace hardware tokens. At this time, a password and hard token are as good as it gets. Of course, biometric, authenticator apps or hardware token solutions may not provide us with the complete authentication solution we need right now to more fully secure our accounts and systems in the cloud, but they will play an increasingly important role in the days ahead. As our understanding and application of the cloud continues to change and grow, these developments are a step in the right direction.
As a Professor of Cybersecurity and leader of the Ambient Intelligence and Virtual Worlds Research group at Ulster University, Kevin Curran is a well-known voice in the world of cybersecurity. He is a Senior Member of the Institute of Electrical and Electronics Engineers (IEEE) – the world’s largest technical and professional organisation dedicated to advancing technology for the benefit of humankind – and has contributed to 800 conferences, book chapters and journals, and presented at technology events all over the world.