Recently I was quoted in an article on newly reported, but somewhat old, breaches. In the report I was quoted as saying that these breaches suggest security has fallen behind and that, just to catch up, we need a "leapfrog" strategy. This post will suggest what such a strategy might contain.
Mine would start with strong authentication close to the users, i.e., at the end point. Strong authentication will start with privileged users and move to all employees. We have known about the limitations of passwords and what to do about them for thirty years. It is way past time to get on with it. Going forward, the end point of choice will be the mobile computer, colloquially referred to as a "smartphone." This device already contains powerful sensors that can be used for authentication of claims to identity. Apple Touch ID and Samsung Face Unlock are simply early examples of what can be done. These are quick and easy to use and, in combination with possession of the device, constitute strong authentication.