Identifiers, Tokens and Authentication

Often times I have wondered why everyone is so enamored with Tokens and Tokenization. Some time ago I begged the question of the broken token in a presentation to the Smart Card Alliance.

My premise is simple.

Identifiers are not authenticators. Replacing the identifier with a token as a result of turning an Identifier, the PAN, Social Security Number or other identifying index value, is a bandage on a festering mistake.

What we need to do is address the challenge of authentication in a convenient and frictionless way. Having to protect an identifier was the issue that created PCI and the whole issue of PII data. The Identifier should not need to be protected. It was and still should be an index and means of recognizing the relationship the relying party has with you. The authentication function is to make sure the person linked to that identifier is you!

User name: Identifier

Password: *********

Was not a bad start. Single factor authentication “what you know”.

Given the number of relying parties we all maintain relationships with, it is time to retire the password; Introducing “what you have” a secure thing (be it a chip card, Fob, Mobile Phone or Personal computer) and exploit the power of cryptography. Then add a second factor, a password or PIN, is a great first step. Changing the PIN or Password to a Biometric is a great leap into a truly secure environment.

The Key is to embrace the first factor “What You Have” a true token.

SCA Workshop Tokenization - 2015

We are here to help you figure out the right approach for your organization.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.