When we launched the Government Gateway in 2001 we spent a lot of time looking at login security models. Phishing, though not called that at the time, was just emerging and we could see that passwords were going to be unreliable.
We looked at lots of options – USB tokens (failed because we wanted people to be able to access services from anywhere and internet cafes – research showed – didn’t expose their USB ports), RSA-style tokens (very complicated with a high cost of set up and a high incidence – at the time – of help desk calls, digital certificates (don’t get me started), a funny device that had 4 coloured buttons and you set your own code on that (it’s name began with Q, I can’t remember what it was). We spoke to the banks to see if they would be interested in issuing secure login devices that we could piggy back on (effectively trusting the bank to authenticate properly and then hand the user to us) but made no progress, We dead-ended on lots of things.
We also looked at sending a text to your mobile phone to confirm that it really was you. We even built the capability to do this. But testing showed that the time to deliver was very variable – and sometimes delivery didn’t ever happen. So we abandoned that as an idea.
We settled, then, on a long (and entirely un-recallable) password coupled with an equally unmemorable userid. These were imposed on us by the security rules at the time.
I was intrigued, then, when Dan forwarded me a recent announcement from Google saying:
2-step verification is now available for Google Apps (free) edition. When enabled by an administrator, it requires two means of identification to sign in to a Google Apps account. A mobile phone is the main requirement to use the second form of identification. It doesn’t require any special tokens or devices. After entering a password, a verification code is sent to the user’s mobile phone via SMS, voice calls, or generated on an application they can install on their Android, BlackBerry or iPhone device.
It isn’t the text bit that’s interesting – doubtless that will have the same issues as we had all that time ago or perhaps even worse given the huge volume of text now. But it is interesting that you can have an app on your phone that will prove you are who you say you are.
It wouldn’t surprise me if the banks made the same move – and so reduced the costs of sending out their own secure devices. And why not the Government Gateway too – we don’t need to know that you are the owner of the phone (with 70% pay as you go, that’s too big a hurdle), we just need to be able to tie that phone to you at the point of registration and create an app that supports the process. That doesn’t sound difficult.
The mobile phone, though, is becoming an increasingly concentrated device – NFC payments, all of your email, one touch access to Facebook/Twitter etc – and often without any PIN protection (or any way to lock it down quickly if it is stolen, Find My iPhone notwithstanding).