I am hearing some cross-talk between a couple of my recent blogs. In "Single Number Reach," I was speculating about what word we will use in the future for a Unified Communications identifier when phone numbers become obsolete. In "Perfect Storm of Security Threats," I speculated about the weaknesses of today's common two-factor authentication approaches. As social media changes the way we use the net, it looks like the two issues discussed in those articles will become increasingly intertwined.
As I think more about "Single Number Reach," it is odd how we still "dial" a phone even though we "press" a keypad today; and we still "call" someone even though we don't physically "call on them" as people did when the term was last redefined (I suppose it originated when people yelled over the hill, but you get my point). Maybe in the future we'll still say "phone number" even though it's not a number. Who knows? If you read a document from 1,000 years ago, you'll find an English you can barely recognize, yet the words we use today descend from it.
Later in “Single Number,” I opined that in the future, the communications device I am using will contact a “social authority” (LinkedIn or Facebook) to help me “connect” with a person via myriad communication methods. The idea is you only keep the social authority up to date about your phone number, email, Twitter ID, Skype ID, etc., and then, as opposed to saving people's business cards, you connect via a social network and specify your affiliation.
In "Perfect Storm of Security Threats," the subject was two-factor authentication and its weaknesses. Today, regulators effectively require two-factor authentication for online banking. With my brokerage account, the factors are "something you know" and "something you have." The first factor is my user ID and password (the password is the actual secret; the user ID only names the account), and the second is a SecurID fob on my keychain that displays a six-digit code which changes every 60 seconds. The server holds the same seed as the fob, computes the code it expects for the current minute, and only accepts a login when both factors check out.
So when I say there is cross-talk between these two posts, what I mean is that I am now seeing (as I suspect you are) options to use your Facebook login to sign in to more and more websites. That's a trend that won't stop. Social authorities will take over authentication, but the danger in the short term is that Facebook isn't using two-factor authentication.
That is a major problem because a site that delegates its login to Facebook can never be more secure than Facebook itself: if your Facebook account is compromised, then every website where you use Facebook to authenticate yourself is compromised as well, with a single password as the only thing standing in the way. In other words, don't expect your bank to start offering a "login with Facebook" option anytime soon. Before that happens, Facebook will need a more robust approach to multi-factor authentication.
Given that 25 percent of Facebook's users are 18 to 21, I think I know how Facebook will get there. The most logical "something you have and something you know" approach for Facebook in the short term would be to use a person's cell phone as the "something you have" factor, with a one-time code sent to or generated on the phone. It's not perfect in the long term (a code delivered by text message can be intercepted or redirected, whereas a code generated on the phone by an authenticator application is tied to the device itself), but I envision it as a stepping stone to making your cell phone a better token for authentication.