@Pebble is Shutting Down. Can They Take Two-Factor Authentication for #Cybersecurity With Them?

March 7, 2017

Earlier this week, Pebble announced that they would cease operations as a company and become part of FitBit. I was running through the Salt Lake City airport two days after I received my first Kickstarter Pebble when my wrist buzzed. The message on the tiny black e-ink screen said there was a gate change for my flight. If I had not had the Pebble, I would have missed my connection by running to the wrong gate. Years ago, I was sold on the initial value of the Pebble because I did not have to dig through my bag to find my mobile or rely on hearing it beep in a crowded airport.

Last snowboard season, I was at Steven’s Pass and using the voice-to-text function of Google Hangouts with family members around the mountain. Having dropped wallets, mittens, and hats from a chair lift before, I appreciated the new speech-to-text function of the Kickstarter Pebble Steel. Plus, the 7-minute workout app was perfect for crowded hotel gyms, even if the step-counter did not integrate with my desk treadmill.

However, the biggest utility for my Pebble was two-factor authentication from my bank. My bank has had a somewhat tortured Consumer Identity and Access Management rollout over the years. They initially had single-factor authentication – a username and password. They briefly flirted with pictures, until they realized the Internet has an insatiable love of cats. They then deployed Knowledge-Based Authentication, safe in the knowledge that no-one would post their first spouse’s name, the name of their elementary school, and their favorite band on Facebook. Thus, they reluctantly deployed SMS-based two-factor authentication.

The risks of two-factor authentication are clear: mobiles get nicked while their owners are in coffee shops, bad actors can surreptitiously record other people’s phone screens with their phone, and Advanced Persistent Threats (APTs) can intercept SMS via sophisticated man-in-the-middle attacks. SMS-based two-factor authentication lacks context and location.

My Pebble addressed the lack of location data by buzzing whenever I was out of Bluetooth signal range of my mobile. This could be a clear indicator that someone has walked off with my mobile, which is great, except when I am heating water for tea in the microwave, or that time that I was in Iceland and using a Síminn SIM in my mobile. Provided none of those are true; the Pebble faithfully displays the SMS short code on my wrist, and I can log into my bank’s website just by glancing at my wrist and typing in the code.

Unfortunately for Pebble, consumers wanted more than a ventriloquist’s dummy on their wrist, and the technology became evolutionary, not revolutionary. It is also time for Identity and Access Management projects to consign two-factor authentication to the Museum of Obsolete Objects. Forward-thinking IAM leaders need to deploy context and location-aware authentication mechanisms to an increasingly mobile workforce to ensure that users have the privileges to do their jobs and that organizations can continuously and conveniently verify those user’s identities. There already are a small number of MFA app vendors on the Google Play and Apple App Stores. Sometime before my Pebble app dies, my next wearable will need to be able to validate my identity for step-up authentication, regardless of location or how deep in my bag my mobile is buried.

Original Story