Username + a one-time password via SMS
A two-factor authentication method that is becoming more accepted by consumers is to send a one-time password via SMS to a pre-registered phone number of a mobile device. The biggest problem with this method is time lag - often the SMS arrives too late for the user, or sometimes not at all. Successful SMS delivery is reliant on many factors, including good reception, service availability and usage peaks (think of New Year's Eve). Also, when people change phone numbers, that change is often not recorded in the registration portal, resulting in many cases of the user being permanently locked out of the website. Finally, but perhaps most importantly, it is very difficult for website owners to predict the cost associated with this type of authentication. For all these reasons, SMS is a good complementary solution, but is not a good standalone authentication option.
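The time-lag problem above is usually handled on the server side by giving each SMS code a short validity window, single use and a bounded number of guesses, so a code that arrives late is simply rejected and a fresh one is requested. The following is an added, constructed example (not code from the original article) of that bookkeeping; the class name SmsOtpVerifier, the 300-second window and the five-attempt limit are assumptions, and the code is returned from issue() only so it can be exercised offline instead of being handed to an SMS gateway.

```python
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class IssuedCode:
    code: str
    issued_at: float
    used: bool = False


class SmsOtpVerifier:
    """Server-side state for SMS one-time codes (constructed example)."""

    def __init__(self, validity_seconds: int = 300, max_attempts: int = 5):
        self.validity = validity_seconds      # assumed 5-minute delivery window
        self.max_attempts = max_attempts      # assumed guess limit per code
        self._pending = {}                    # username -> IssuedCode
        self._attempts = {}                   # username -> failed guesses

    def issue(self, username: str, now: float) -> str:
        # Six digits from a CSPRNG. Reissuing replaces any older pending code,
        # so an SMS from an earlier request that turns up late cannot be replayed.
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[username] = IssuedCode(code, now)
        self._attempts[username] = 0
        return code  # in production this goes to the SMS gateway, not the caller

    def verify(self, username: str, submitted: str, now: float) -> str:
        entry = self._pending.get(username)
        if entry is None or entry.used:
            return "no_code"
        if now - entry.issued_at > self.validity:
            # The failure mode the article describes: the SMS arrived too late.
            del self._pending[username]
            return "expired"
        if self._attempts[username] >= self.max_attempts:
            del self._pending[username]
            return "locked"
        if not hmac.compare_digest(entry.code, submitted):
            self._attempts[username] += 1
            return "wrong"
        entry.used = True  # single use: the same code cannot be submitted twice
        return "ok"
```

A caller that receives "expired" or "locked" should offer a resend rather than letting the user keep retrying the stale code.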
Biometric verification is becoming increasingly popular as an authentication method, thanks to high-end smart devices (I'm looking at you, iPhone 5s) now including support for fingerprint scanning as a valid authentication method. This is a very positive trend, as it allows people to start thinking differently about identity authentication. The introduction of biometrics in smartphones is a first step in easing the path towards general acceptance of biometrics. While biometric technology has technical and privacy-related challenges, there is nothing wrong with using biometrics locally to unlock your own device. That being said, we still have a long way to go before websites will accept a palm or iris scan as a standard second factor for authentication.
Using the smartphone
More and more functionality is converging onto our smartphones - a very logical next step is to make the smartphone an authentication device. A concern is the variety of operating systems available that applications would have to be written for - some of which are more prone to being hacked than others. However, the real barrier to smartphone implementation is usability. Every major website will want to develop its own authentication application, which users would have to install on their smartphone to access each site. Making consumers wade through hundreds of different authentication apps and work out which one they need for each website they use will be too cumbersome to be practical.
Essentially, the secret to mass adoption of a more secure authentication method is, quite simply, that it must be easier than typing in a username and "123456". The user interaction must be minimal and be based on something most people have with them all the time and care about.
However, as explained above, the science of authentication is no child's play. While it is continually being refined and a breakthrough is not far away, ensuring your current password is unlikely to come out of the mouth of a three-year-old is a good first step.