Sustainable Authentication, part 3: A New Way
Just to recap, I’ve been writing about my philosophy of authentication, which I call sustainable authentication. So far, I’ve given two rules:
1. Authentication should remain relevant and viable in spite of advances in computing power.
2. The sustainable authentication system provides acceptable levels of security regardless of any user configuration.
The third and final principle of Sustainable Authentication, which I'll state a little later, makes one stipulation about following those rules: you can't do it by accident.
There’s an important distinction that fuels the creation of the third rule, and it’s the difference between security by design and security by accident. When a computer system or a piece of software is secure by design, security is literally a part of the system’s design just like speed, reliability, features, performance, and cost. These systems derive their security primarily from sound principles and security-conscious design.
When a system, however, is secure by accident, it means that the system was designed largely (or wholly) without regard for security. That the system is secure at all is the result of coincidence and an ongoing process of patches being issued because vulnerabilities are discovered. These systems derive their security primarily from coincidence and sporadic updates — in a word, band-aids.
It is this distinction on which I base the third principle of sustainable authentication, which states: The sustainable authentication system is a structurally, logically, and programmatically cohesive whole which is secure by design.
Just for the sake of emphasis, here are the three principles of sustainable authentication, all together at last. The sustainable authentication system:
1. remains relevant and viable in spite of advances in computing power.
2. provides acceptable levels of security regardless of any user configuration.
3. is a structurally, logically, and programmatically cohesive whole which is secure by design.
So how do we get there?
There’s one very important change that needs to happen before sustainable authentication is possible in the real world — but, luckily, it’s a change that’s already happening. You may have noticed it. A few years ago, you would have laughed to be told “You’re signing in using Vidoop Secure” or “Sign in using SiteKey” or “Logging you in with SafePass” or “Sign in with WiKID.” TOTAL AUTHENTICATION SOLUTIONS? That’s just silly.
Except that’s exactly what we need. Sustainable authentication requires that we think of authentication mechanisms as structured wholes, as self-contained systems, as pluggable units that we essentially just drop into place where they’re needed. This serves two purposes: it facilitates security by design by forcing the system to be a distinct unit designed from the ground up, and it allows the authentication system to be swapped out for another one, easily, if it turns out not to be quite as sustainable as was originally thought.
But what do I mean by structured wholes and self-contained, pluggable systems? I mean that we should no longer think of a username and password at PayPal and a username and password at our bank as the same thing, because they have totally different properties.
According to the third rule, for instance, in systems using passwords, limits on password length and complexity, the number of failed logins allowed before lockout, the length of the lockout, password reminders, password hints, password resets, and even the amount of time you have to wait between sign-in attempts should all be considered part of the password system itself.
All of those properties — and more, including some totally behind the scenes — affect security in a very real way and are just as much a part of the authentication system as the username and password boxes themselves. These properties and settings need to be determined deliberately and with the future viability of the authentication system in mind. Only then can such a system even be a candidate for sustainable authentication.
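To make the "self-contained, pluggable unit" concrete, here is an added illustration (my own sketch, not code from the post or any of the products it names) of a password system whose policy settings from the list above travel with the authenticator rather than living in scattered configuration. The class names, the fixed policy values, and the injectable clock are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    # Settings the post names as part of the password system, fixed deliberately
    # and shipped with the unit rather than left to per-deployment tweaking.
    min_length: int = 12
    max_failures: int = 5          # failed logins allowed before lockout
    lockout_seconds: float = 900   # length of lockout
    min_interval: float = 1.0      # required wait between sign-in attempts
    pbkdf2_rounds: int = 600_000   # work factor: raise as hardware gets faster


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0
    locked_until: float = 0.0
    last_attempt: float = 0.0


class PasswordSystem:
    """One pluggable unit: policy, credential storage and lockout logic together."""

    def __init__(self, policy=PasswordPolicy(), clock=time.monotonic):
        self.policy, self.clock, self.accounts = policy, clock, {}

    def _hash(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.policy.pbkdf2_rounds)

    def register(self, user, password):
        if len(password) < self.policy.min_length:
            raise ValueError("password shorter than policy minimum")
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, self._hash(password, salt))

    def login(self, user, password):
        """Returns 'ok', 'bad', 'locked' or 'too_fast'; unknown users read as 'bad'."""
        acct, now = self.accounts.get(user), self.clock()
        if acct is None:
            return "bad"                      # do not reveal whether the user exists
        if now < acct.locked_until:
            return "locked"
        if now - acct.last_attempt < self.policy.min_interval:
            return "too_fast"                 # attempt spacing is part of the system
        acct.last_attempt = now
        if hmac.compare_digest(self._hash(password, acct.salt), acct.digest):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= self.policy.max_failures:
            acct.failures, acct.locked_until = 0, now + self.policy.lockout_seconds
            return "locked"
        return "bad"
```

Swapping this unit for another authenticator means replacing the whole class, policy included, which is the point of treating the settings as part of the system rather than as knobs around it.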
Just one last question: how will you know the sustainable authentication system when you see it?
The first two rules take some knowledge of security to spot systems that adhere to them. But a system following the third rule should be easy to spot: you’ll know it because the way you sign in to most sites now will look hacked-together by comparison.