Digital Identity and Multi-Factor Authentication, A Necessity in an Increasing Digital World

Last night November 8, 2018, Bryan Cave Leighton Paisner hosted the Atlanta Chapter of BayPay’s

Digital Identity and Multi-Factor Authentication,
A Necessity in an Increasing Digital World

The panel moderated by Philip Andreae, Principal at Philip Andreae & Associates included:

  • Clay Amerault, First Vice President, Digital Delivery Lead at SunTrust
  • Blair Cohen, Founder, Chief Evangelist & President at AuthenticID
  • Jennifer Singh, Innovation Specialist & Digital Identity Strategist at Thomson Reuters
  • John Dancu, CEO at IDology
  • Vivian van Zyl, Senior Product Architect at FIS

The panel focused on the need to address Digital Identity and Authentication with a clear focus on the user experience.  The discussion considered the balance between friction and security.  All of the panelist  articulating the demand for convenience.  The Audience questions which is it the desire, or is it the demand, of the American consumer.

All agreed, the key issue, as we move towards digital only relationships, is the challenge of Identity Proofing.  The panel also reminded the audience to layer various techniques in order to recognize the presence of the right user and the need to incorporate various fraud mitigation strategies to manage risk and assure identification.

Some of the participants asked if we should start educating the consumer and help them to understand the balance between a frictionless experience and one where a degree of friction is a symbol of how the enterprise (relying party) demonstrates its concern for the consumer’s data and responsibility to protect the consumers assets and identity attributes.

The question of centralize biometric databases versus distributed biometric databases, reminded people of the reality, our data, attributes and identity is already available on the Dark Web.  How we restore privacy and what will happen as the new GDPR regulations go into force in Europe, and as California moves to introduce its privacy legislation; requires each of us to  watch carefully and be part of the move to  restore the consumers’, OUR, right to the data that is us.

From Password and PIN to Biometrics

The Evolution of Authentication

When first we sought to create secure and convenient means of identification, we relied on user names paired with passwords and PINs.  These values are typically stored centrally within the relying party’s database.  Often times, these values are encrypted at point of entry, and once received by the relying party passed through a one-way function, before being stored in the database.  This use of cryptography to encrypt the PIN or Password in transit and perform the one-way function before storing the result is simply to prevented the PIN or Password from being captured in transit or reverse engineered.

Each time the user logs in, they enter their password or PIN, it is received by the relying party, run through the same one-way function and compared to the value stored at user registration

Over the last 30 or so year there has been mounting concern as to the long-term viability of depending on the user being able to remember, create a unique & complex value and accept responsibility to frequently change their passwords and PINs.  Especially given the myriad of sites and digital relationships we each continue to establish.

To assure the integrity of passwords and PINs, the challenge is making sure the length and randomness creates difficultly and minimizes the chance someone can guess what the Pin or password is.  By adding special characters and insisting on password and PIN policies, the rely party has attempted to reduce risk and the chance for rouge penetration.

Unfortunately, people forget their password, phish & vishing attacks work, key-loggers and other clever ways of obtaining the user name and password have increased.  The threat of rouge intrusions and the resulting reputational and financial lose is out of control.

As these loses escalated, the cost of the various techniques to support more secure authentication have been developed.  The market always understood if we could merge a unique object something you Have, with a secret you Know or a biometric something you Are; you would be able to establish a superb form of multi-factor authentication.  Many, such as the ICAO, EMV and PIV specifications, embraced the idea of cryptography operating within a secure element or smart card. They further embraced the idea of loading the registered biometric rending into the chip and incorporate the matching algorithm within the software.  By then using an external PIN pad or biometric sensor, multi-factor authentication could be enabled.  Unfortunately, at considerable cost.

In Europe, in order to secure access to websites they looked to physical objects capable of displaying a onetime password as the answer.  In some cases, the user had to first enter a PIN then a number displayed on the screen and then type the value displayed on the device into a field in browser window. Something you have with a secret, a one-time password, unique to each event.

Clearly PINs and passwords carry with them two flaws.  They need to be remembered and they need to be typed in.  Biometrics on the other hand offer convenience and do not require the user to remember a complex set of characters.  Fortunately, the size, cost and complexity of biometric sensors has decreased significantly and it is viability to integrate sensors into a user operated device.  The first company to offer a phone with a biometric fingerprint sensor was Motorola, quickly followed by Apple on their iPhone 5S.  Today it is rare to find a mobile phone which does not included a biometric sensor and related algorithms.

Now with an identifier (user name), a device with a unique digital signature and the ability to support biometrics, all the virtues of multi-factor authentication and the wonders of biometrics such as: fingerprints, veins, retina, iris, EKG, behavior or selfies are available to assure the registered user is present.

All because the sensor can capture the biometric and software will render the output of the sensor into images, patterns or templates.  The sensor and the related software have unique characteristics as to how the matching processes work.  It then simply requires us to accept that the output of the sensor becomes the input into the matching algorithm.

The last concern – how do we measure the reliability of the biometric sensors and algorithms.  To help people understand the reliability of these sensors and matching algorithms, there are an assortment of acronyms such as: FRR, FAR and PAD.  These three are the ones I am most familiar with.  They measure and quantify the risk of false acceptance or false rejection and provide a measure of the assurance of life.

We now can leverage the biometric sensors in user devices

Paired with the assurance the device is unique

And be confident the registered user is present.

A Letter to Karen Webster of PYMNTS.COM

Karen, you come to mind off and on, especially when I’m try to keep up with what is happening in the wild world of payments, block chain, cryptocurrency, identity, authentication, trust, identification and who knows what else.

One thing is clear.  Lot’s of companies are investing significant sums of money in these various “opportunities”.  Yet are we, as a society, on the right path?

We could look to Washington DC, and the other capitals around the world, and this same question would apply.  But, not to get distracted.

Let’s start with identity and authentication in the digital space

As you may remember, EMV was something I got deeply involved with, both here in the USA and back when we originally conceived of the specification.  We the three founding payment associations had one goal – solve for counterfeit.  And, when the issuer or country so desired address lost and stolen fraud.  Focused on the physical world of commerce, the Point of Sale.  Our original goal was simple.  Assure global interoperability by defining a global migration path away from the magnetic stripe.  We mutually agreed we had to select a technology capable of protecting the physical token, the card, well into the 21st century.

Simultaneously, as was so beautifully captured by the Pete Steiner’s famous 1993 New Yorker cartoon, we knew there would be an issue in the digital space, that thing we then call the World Wide Web.  MasterCard and Visa set out to define the Secure Electronic Transactions SET, then Visa patented a concept called 3D Secure and more recently  worked together with the other owners of EMVCo to create EMV 3D Secure.  Each of these, attempts to find a meaningful way of  authenticating the cardholder when they paid with a credit or debit card.

Today billions of identities have been compromised.  The techniques used during an enrollment process online, to verify who you, are no longer viable.  Identifiers like our social security number and Person Account Number (PAN), unfortunately, became authenticators, a role they were never designed to support.  As EMV was deployed criminal shifted their focus to the Internet and PCI had to be introduced to address the challenges of criminals acquiring payment card and PII data.

As the World Wide Web morphed and grew in value and importance, the potential of monetizing the vast amount of data companies where collected began to scare people;  as this recently found comic so aptly demonstrates.  People, governments and corporations started to struggle with their desire for privacy offset against the value of data corporations are collecting.

Way back then, an opportunity to address the issue was offered by Bill Gates.  As is always the case, Microsoft the then technical giant  wanted something to support what society would ultimately need.  The idea of the social good was lost to the value of corporate profit and control.

As the Internet grew to become this marketplace, library, museum, cinema, place to play and place to meet and connect; we imposed well understood enterprise security techniques (username and password) to the consumer space.  The password thus became our challenge.  How do we convince customers (let alone employees) of the importance of complex, hard to remember passwords – unique to every security conscious relationship we establish on the World Wide Web.

Are biometrics the answer, has the FIDO Alliance and W3C created a set of authentication standards we can all embrace?  Hopefully.  Unfortunately, most opportunists are seeking to monetize their often proprietary solution, creating what they think is a best of breed consumer experience.

My fear, we are moving from the familiar experience of typing our user name and password; to multiple unique experiences at the front door of each and every web site we seek to log-in to. 

As an example my Samsung Android phone has a fingerprint sensor and is FIDO certified.  There is a Samsung Pass Authenticator, Microsoft Authenticator, Google Authenticator and several demo versions of various other authenticators.  I also receive SMS messages with one time tokens I am asked to enter onto the screen.  My PC it also is enabled with a FIDO U2F set of dongles.

Unfortunately my tablet has none of these and assumes I will simply remember, thank you Norton Identity Safe, my various passwords.  What a mess we are created all with monetization and the desire to offer a unique consumer experience as the justification.

With all those already installed, I await the introduction of WebAuthN, within the various browsers installed in my PC, tablet and phone. 

Moving to Block Chain and Cryptocurrencies

The wild west.  The makings of a speculators dream.  The realm of the incomprehensible, built on complex mathematical concepts and the desire to remove the man in the middle and replace them with the miners and nodes distributed around the center.  Or, is the idea of the distributed ledger the solution to the challenges of trust in an every expanding universe of connected people and things.  One can only wonder?

People speak of removing central governments.  Yet, they remind us that there is a governing body, book of rules and set of code that is designed to assure immutability.  If I understand their, logic we should not trust Governments instead we  trust these new open societies and digital enterprises?  they speak of removing intermediaries and replace them with nodes and miners.  New players responsible for creating and signing the new blocks and distributing it all those who maintain a current copy of the chain.

Is there potential, Absolutely.  The challenge is to understand why one would wish to move data from a trusted central repository to a distributed trustless environment.  Cost and latency should be part of the discussion and most importantly the level of trust the parties have with each other, identified intermediaries and governing bodies involved in the ecosystem.

Finally Payments

Barter, gold sovereign, IOU, government or bank back notes and coins, checks, cards, account based solutions, digital coins and what next.  Payments have been this ever evolving space.  Some seek to monetize the methods businesses, consumers and governments use to pay for the good and services they seek to acquirer, use or explore.  Others argue that the cost of payment should not be a source of profit.  The interesting twist here is more about the stage an economy is at in their migration from one from of payment to another.  Questions of legacy and history limit a markets ability to embrace the new and retire the old.

We could shift the conversation and focus on the store of funds: be it the safe in the wall, the checking or savings account at an institutions or digital coins stored in digital memory.  We could talk about the entities that focus on the experience and employ the already existing mechanisms.  We could think about block chain, crypto currency, identity and authentication.

Does the consumer care? or would we be pleased to simply hear the merchant say thank you for your payment.   The frictionless experience of get out of an Uber car or when we click the buy button on Amazon we know the payment will be made and that we will see a receipt in our email.  Remove the friction and make sure that only what I owe is paid, that is the experience we seek.  We the consumer are not interested in the detail.  We just want to know we successfully paid, using the source of funds we set up as our default.

In Conclusion

Yesterday, with this blog incomplete, I listened to  The Economist article titled Rousseau, Marx and Nietzsche – The prophets of illiberal progress – Terrible things have been done in their name.  What grabbed my attention is that it spoke to the depth of my wider concerns.  The article concludes with the following:

The path from illiberal progress to terror is easy to plot. Debate about how to improve the world loses its purpose—because of Marx’s certitude about progress, Rousseau’s pessimism or Nietzsche’s subjectivity. Power accretes—explicitly to economic classes in the thought of Marx and the übermenschen in Nietzsche, and through the subversive manipulation of the general will in Rousseau. And accreted power tramples over the dignity of the individual—because that is what power does.

As I think of our capitalist environment, I am concerned and wonder if the publication of the Economist article is  timed to educate and alarm.  The reality is we are experiencing a concentration of power leading to an increase in the distance between those in the upper 1% and those we call the middle class.  Therefore, there is a need to about what is good for the whole, yes a tiny bit of socialism, to restore balance to make sure the wealth and benefits accrue to all and not just the few.

As identification, authentication and payment systems, discussed above, evolves we need to think about the structure of how these solutions will be offered to the market.  Are we seeking to address a social issue like crime or terrorism? Are we seeking to improve confidence?  Are we attempting to focus on the consumer, citizen and employee needs?  Or, is it all about shareholder value and the search for profit?

Like in the article discusses, my fear is Profit will create confusion and complexity.  Not more convenient and frictionless experiences.

The case for Identification and Authentication

As we continue to explore the case for Identification and Authentication I share the below article.

What is becoming clear is standards are being embraced.

In the Payment space

Will it be W3C WebAuthN, 3DC and Webpayments or EMVCo SRC & Tokenization?

My guess depends on if standards bodies can play well together.  EMV (contact or contactless) will remain the many stay for physical world commerce, until the App takes over the Omni Channel shopping experience.  then the merchant will properly authenticate their loyal customer and use card on file scenarios for payments.  The question of interchange rates for CNP will see a new rate for “Cardholder Present&Authenticated/ Card Not Present.”.  In time when a reader is present I can see an out of band “tap to pay” scenario emerging using WebPayments and WebAuthN.

In the identity space

I contend the government and enterprise market will go for a pure identification solution with the biometric matched, in the cloud, in a large central database.  Does it include a what you know username, email address or phone number; maybe!  If it is simply the captured image or behavior, then it is a 1 to many match.  If it is with an identifier, it is classic authentication with a one to one match.

In the pure authentication space where the relying party simply want to know it is the person they registered.  Then, the classic FIDO solutions work perfectly and will be embedded into most of our devices.  Or, as we’ve seen with some enterprises, the relying party will embrace U2F with be a FIDO Key, like what Yubico and Google recommend.

The classic process needs to be thought about in respect to what can be monetized.

  • Enrollment = I would like to become a client or member
  • Proofing = Ok you are who and what you claim, we have checked with many to confirm your Identity – This is where federation comes in.
  • Registration – Verification = Ok, now we confirm it is you registering your device(s)
  • Authorization & Authentication = Transaction with multiple FIDO enabled relying parties using your duly registered authentication.

How Microsoft 365 Security integrates with the broader security ecosystem—part 1

by toddvanderark on July 17, 2018

Today’s post was coauthored by Debraj Ghosh, Senior Product Marketing Manager, and Diana Kelley, Cybersecurity Field CTO.

This week is the annual Microsoft Inspire conference, where Microsoft directly engages with industry partners. Last year at Inspire, we announced Microsoft 365, providing a solution that enables our partners to help customers drive digital transformation. One of the most important capabilities of Microsoft 365 is securing the modern workplace from the constantly evolving cyberthreat landscape. Microsoft 365 includes information protectionthreat protectionidentity and access management, and security managementproviding in-depth and holistic security.

Across our Azure, Office 365, and Windows platforms, Microsoft offers a rich set of security tools for the modern workplace. However, the growth and diversity of technological platforms means customers will leverage solutions extending beyond the Microsoft ecosystem of services. While Microsoft 365 Security offers complete coverage for all Microsoft solutions, our customers have asked:

  1. What is Microsofts strategy for integrating into the broader security community?
  2. What services does Microsoft offer to help protect assets extending beyond the Microsoft ecosystem?
  3. Are there real-world examples of Microsoft providing enterprise security for workloads outside of the Microsoft ecosystem and is the integration seamless?

In this series of blogs, well address these topics, beginning with Microsofts strategy for integrating into the broader security ecosystem. Our integration strategy begins with partnerships spanning globally with industry peers, industry alliances, law enforcement, and governments.

Industry peers

Cyberattacks on businesses and governments continue to escalate and our customers must respond more quickly and aggressively to help ensure safety of their data. For many organizations, this means deploying multiple security solutions, which are more effective through seamless information sharing and working jointly as a cohesive solution. To this end, we established the Microsoft Intelligent Security Association. Members of the association work with Microsoft to help ensure solutions have access to more security signals from more sourcesand enhanced from shared threat intelligencehelping customers detect and respond to threats faster.

Figure 1 shows current members of the Microsoft Intelligent Security Association whose solutions complement Microsoft 365 Securitystrengthening the services offered to customers:

Figure 1. Microsoft Intelligent Security Association member organizations.

Industry alliances

Industry alliances are critical for developing guidelines, best practices, and creating a standardization of security requirements. For example, the Fast Identity Online (FIDO) Alliance, helps ensure organizations can provide protection on-premises and in web properties for secure authentication and mobile user credentials. Microsoft is a FIDO board member. Securing identities is a critical part of todays security. FIDO intends to help ensure all who use day-to-day web or on-premises services are provided a standard and exceptional experience for securing their identity.

Microsoft exemplifies a great sign-in experience with Windows Hello, leveraging facial recognition, PIN codes, and fingerprint technologies to power secure authentication for every service and application. FIDO believes the experience is more important than the technology, and Windows Hello is a great experience for everyone as it maintains a secure user sign-in. FIDO is just one example of how Microsoft is taking a leadership position in the security community.

Figure 2 shows FIDOs board member organizations:

Figure 2. FIDO Alliance Board member organizations.

Law enforcement and governments

To help support law enforcement and governments, Microsoft has developed the Digital Crimes Unit (DCU), focused on:

  • Tech support fraud
  • Online Chile exploitation
  • Cloud crime and malware
  • Global strategic enforcement
  • Nation-state actors

The DCU is an international team of attorneys, investigators, data scientists, engineers, analysts, and business professionals working together to transform the fight against cybercrime. Part of the DCU is the Cyber Defense Operations Center, where Microsoft monitors the global threat landscape, staying vigilant to the latest threats.

Figure 3 shows the DCU operations Center:

Figure 3. Microsoft Cyber Defense Operations Center.

Digging deeper

In part 2 of our series, well showcase Microsoft services that enable customers to protect assets and workloads extending beyond the Microsoft ecosystem. Meanwhile, learn more about the depth and breadth of Microsoft 365 Security and start trials of our advanced solutions, which include:

 

Something to wonder about

What You Have

The Two Sided Market

When we think of investing in various macro business needs e.g. revenue. We see that establishing relationships with customers to stimulate sales is why we create the goods and services, hopefully, others want.

If the buyer has something the seller wants, in exchange for the good or service they desire, then a transaction occurs. The challenge is simple, each party defines the value of what they are providing or exchanging and presto the trade occurs.

When society grows and the complexity of what each of us produces and when our needs are not aligned to this process called barter, a means of monetization is established. Society creates a trusted form of exchange – pebbles, coins, money, a promissory note or now even cyptocurrencies.

In other words, society creates an answer to enable the exchange of goods and services between parties who do not have goods and services the other party seeks in exchange.

With cash, coins or other trangible representations of value, commerce is easy. When we complicate things and worry about carrying cash and seek to buy things with debt. A need for a Network emerges.

These payment networks, by necessity, add complexity. They create the need to establish two sides to the market, one focused on the relationship with the buyer and the other with the seller.

Issuance and Acceptance. Two words to descibe the two sides of a network. It’s only when the two sides of the market have sufficient participants. Only at the tipping point, enough critical mass exists, to create a self sustaining network. This is the network. At this moment the network blossoms. If either side of the market does not achieve critical mass, the network collapses.

Any two entities familiar and trusting in the Brand, or each other, can easily establish a temporary relationship. Adding anonymity to the requirements, increases the leave of trust and recognition the Brand must establish.

In a digital environment we have to define mechanisms to share and establish trust across trillions of electrons. The two sides will not pursue understanding of nor focus on security. Until the risk exceeds a threshold unique to each party on either side of the market.

To often in the past, the idea of the individuality of the individual or the need to design security in from the beginning. Has left us with a legacy of system all needing design of custom approaches to how to integrate security with requisites necessary to capture, calculate and manage risk.

The Artifact of Trust

When a mutually trusted set of parties gives the citizen, consumer, employee or courtier a card, a device or an object and provides every acceptor with a reader capable of recognizing the trusted thing; then the two parties are in a position to establish “trust”. The consumer has a thing which is recognized and trusted by the acceptor. This is often referred to as “What You Have”.

Once the thing is recognized by the acceptor, then, the process of identification and authorizations (the transaction) can take place. The object – the artifact – carries an identifier. It possesses characteristics that establish its unique character. The object also posesses a means of assuring the acceptor the presentation of that identifier repreents a unique entity.

The simplest artifact of establishing “trust” is a hand held thing, be it a key, fob, card, watch, pendant, phone, ear piece. It does not matter what it is, all that counts is that the merchant recognizes it and that the consumer is willing to carry and present it.

Trust, for the merchant, means they can, according to the rules, recognize and authenticate the thing. They are then in a possition to pursue a temporary and trusted relationship. What can be achieved during the time the relationship of trusted is bounded, is the constrained by an additional layer. In this layer the consumer, the acceptor and any third parties address which the rights and privileges are to be granted or pursued. This is when the exchange, sale, conversation, tranaction, event or access is granted.

Two sides meet several common mediums of exchange are available.

[contact-form][contact-field label=”Name” type=”name” required=”true” /][contact-field label=”Email” type=”email” required=”true” /][contact-field label=”Website” type=”url” /][contact-field label=”Message” type=”textarea” /][/contact-form]

Digital Identity



Question for all those who advocate migration from card to electronic

We all are aware and many of us dream of a time when all of our physical identity artifacts are digital. We dream of consolidating these credential in our electronic wallet, otherwise known as our mobile phone.

Today while visiting an outpatient imaging center, I was asked for my drivers license. She would only accept the physical document, I offered to send an image by email. Her goal to scan my identity document into the electronic patient file she was creating. The idea of an image of the drivers license in an email, well.

Sure the system could easily be changed to record digital credentials delivered by NFC or BLE. The first question given the expensive medical system we have here in America; at whose cost?

Time could not be argued as a savings, she would only have a saved a second or three of time to pass the card back to me.

People discuss contactless cards and contrast them to the convenience of a Mobile Wallet. What we often forget is reality. As long as we need to carry other physical identity artifacts, the convergence of our leather wallet into our electronic device is not happening.

In my humble opinion it is an all or nothing situation. Yes I will add digital credentials into the mobile wallet. But, unfortunately, the leather wallet is still part of my attire.

Better still it does not need to be recharged. My leather wallet still works after the phone’s battery has died.

Authentication or Identification

Two words Authentication and Identification.

Reading what Wikipedia had to say about authentication leads to an interesting array of discussions across a wide set of sciences and other social segments. The exploration led to a search for a definition of Identification:

  • The act of identifying, or proving to be the same.
  • The state of being identified.
  • A particular instance of identifying something.
  • A document or documents serving as evidence of a person’s identity.

Next exploring what Wikipedia had to say about Authentication leads to a much richer discussion aligned around the idea of assuring the truth of a particular attribute, someone is claiming to be true. Seeking to assure a degree of parallelism to the discussion:

Authentication is

  • something which validates or confirms the authenticity of something
  • computing proof of the identity of a userlogging on to some network

These two words: authentication and identification, some think represent the same act, yet when we bring into the conversation – privacy the two words have very different meanings.

We then have to think about the how and the what we are attempting to do.

In the physical world there are a set of situations and considerations. We will leave those for another article.

When we think about the digital world, this place were our physical presence is not present. We must find solutions that prove we are who we are without necessary needing another to vouch for our identity each time.

As a consumer we want the freedom to visit multiple sites and believe that where we visit and who we interact with is not open to all to know.

As I write, I can hear some say, all our stuff is known so why try to hide. They are correct and then they miss the concern – who knows. Not to get distracted.

Verification, a third word must enter into the discussion. In order for anything associated with only serving or sharing with a clear and identified party one needs to be able to provide Identity.

of Tokens and Things

Things, now there is a big word.

  • I am a thing
  • It is a thing
  • I know a thing
  • Things must therefore be anything

The dictionary rambles on about things.

Tokens, What is this thing?

Tokenization why is everyone so excited?

Tokenization and the Search for Identity

The belief in tokens emerges from the need to address security in a world where an identifier becomes an authenticator.

The PAN on the front of a ID-1 Card defined and governed by the International standard IS)/IEC 7812-1. When it was originally conceived there was no desire to turn the PAN into PII Data. They simply wanted the PAN to be an index, “a pointer” “an Identifier”, to an account, or relationship, a card issuer (financial institution) created between itself and the cardholder. In our quest to take advantage of the telephone, the mail and ultimately the internet as a set of sales channel. The Payment System actors agreed if the card acceptor “merchant” would accept liability. Then, they could simply use the PAN, the expiry data and cardholders name to effect a card payment. This acceptance of liability was an acknowledgement they could not inspect the card and verify that the physical security features where present, hence the token was not present to be authenticated.

Society in its infinite wisdom followed another path with the Social Security Number. A number originally designed to act simply as a unique value representing each person here in the United States. Unfortunately, as is often true, we took the short cut, assumed this number, stored on hundreds of databases and recorded on an equally large number of forms, could be used to authenticate that you the individual was present.

mysteriously and without thought society allowed these numbers to take on values they where never intended to assume. They became “secrets” number that if known to another could be used to take over our identity. They can make payments in our name. They can apply for loans and take over our financial assets without the true individual being the wiser.

Those that seek to profit and do not share societies morality find ways of taking advantages of our desire to cut cost and reduce friction. They create near perfect counterfeits of these tokens, they take advantage of our naivety and they seek to disrupt and profit.

We could do as we have often done in the past – replace the token with a token. We could claim by tokenizing these identifier with another vale we were adding layers of security. We argued that if this new tokenized value could only be used by that merchant or with that physical device; security would be restored. The question how long would that new think provide the security its champions claimed it would offer.

Payment Card Construct and Dual Interface Deployment

Payment Card Construction

The discussion focused on the construction of the sandwich. Four layers. Clear front laminate to protect the ink, front with the banks design and brand logo, back with the banks back design and a clear laminate with the magnetic stripe integrated into it.

To enhance design additional layers may be added, such a metal foil.

These four sheets are then bonded together, at 120 degrees, in sheets of 21, 36 or 48 or other various sheet sizes. Next step punch out cards, add hologram and signature panel.

For a standard EMV card the next phase is to mill and embed the module with the chip inside. Last, the manufacturer typically loads the O/S & EMV application into the integrated circuit card.

When we move to dual interface caed, this process is modified to add an inlay, with the antenna embedded within. This inlay is inserted in the middle of the sandwich and during the embedded process the contacts exposed on the base of the module are connected to the antenna in the inlay.

Next step, personalization, when the appropriate data is loaded into the chip, along with the encoding of the magnetic strip and printing and/or embossing of the cardholders, name, expiry date, cvv2 and other information onto the card.

Contactless or Not That is a Question

Contactless NFC acceptance and dual interface issuance is all about the chicken and the egg. Who will go first? The merchant or the issuer? Each need each other. Both are wondering about the incremental value.

  • Faster transactions – Yes
  • Less cash – maybe
  • More revenue – good question!
In other parts of the world, transit and their choice of contactless, as the right answer to a more efficient fare collection solution is driving conversion. In other, markets a group decision to adopt or a desire to find the next great thing drives the market. Here in the USA, we have a less than successful history of contactless. Let’s not forget PayPass and PayWave, it was tried the middle of the last decade, to little or no success.
We have Google and the FinTech world looking to mobile payments as the next great adventure. Merchants, like Wal-Mart, are resisting NFC acceptance given their own plans for QR based wallets and desire to limit the sharing of data with competitors.

Given these questions and observations, one can only wonder.

Financial Trade Groups Write to House Leaders in Support of Data Breach Notification Bill

https://bankingjournal.aba.com/2018/02/financial-trade-groups-write-to-house-leaders-in-support-of-data-breach-notification-bill/

 The American Bankers Association and six other financial trade organizations wrote to House leaders today underscoring the need for businesses across all industries to be held to the same data protection and breach notification standards currently adhered to by regulated financial institutions.

The associations expressed support for draft legislation released by Reps. Blaine Luetkemeyer (R-Mo.) and Carolyn Maloney (D-N.Y.) that would create a level playing field of nationally consistent data protection standards and post-breach notification requirements. This bill would not create duplicative standards for financial institutions which are already subject to robust standards, but rather extend similar expectations to other sectors that handle consumer data.

“The goal of the bill is simple — raise the bar so that all companies protect data similar to how banks and credit unions protect their data, and create a common-sense standard to ensure consumers receive timely notice when a breach does occur,” the groups wrote.

The draft bill contains a provision that recognizes the existing, effective regulatory framework for covered financial sector entities.  While the provision was intended to prevent banks and credit unions from being subject to duplicative notification requirements, it has been the target of recent negative campaigns circulated by the National Retail Federation and the Retail Industry Leaders Association, which incorrectly suggested that banks do not notify customers of breaches on their computer systems and   The ads from the retailer groups also mischaracterize and exaggerate the share of data breaches occurring at banks and credit unions while omitting their members’ (higher) share of data breaches.

The financial trades refuted the notification assertion, noting that “banks and credit unions have long been subject to rigorous data protection and breach notification practices for financial institutions to follow,” and that in the event of a data breach, banks and credit unions work continuously to communicate with customers, reissue cards and enact measures to mitigate the effects of fraud. They added, however, that “no solution will work unless everyone has an obligation to take these steps.” For more information, contact ABA’s Jess Sharp.

The management of our identity

A few weeks ago I learned of the Sovrin Foundation a foundation interested in establish a concept to support the idea of a self Sovereign means of identity.

As an advocate for stronger forms of identification and more important Authentication I am pleased to have received your response today.

Back in 1993 I was part of Europay and drove the creation of the EMV specifications as a form of Authentication and frankly reflecting back a strong form of Identification with the Trust Anchor being the Financial institution issuing the card and the foundation anchor being the payment network that the issuer used to assure acceptance globally.

In 2013 I joined the Board of the FIDO Alliance and eventually become the Secretary of that Board.

Today I am engaged with a company called IPSIDY, that is promoting and selling Identity as a solution.

Clear the conversations we are having include:

  • Device based versus centralized biometric authentication
  • Identification based on a central repository of Biometrics or a simply identifier linked to a means of authentication
  • Claims and assertions one points (URL) to or those that one has in their own possession
  • Repositories or Distributed databases of information
  • Privacy of attributes and rights to defining what can be shared

When I ask about the future of Sovrin, I hear people saying great concept how does it scale to be useful. 

This, as was my experience in the Payments world, is the challenge of a  two sided market

  • Consumer – Merchant
  • IndividualRely Party and those seeking attributes and proofs of identity

The challenge is developing a value proposition and more importantly critical mass that will excite both sides of the market to want to participate.

To further complicate developing the market is the challenge of the “Go To Market” strategy.  Who does one partner with given that the usefulness to the citizen/consumer is predicated on the number of parties or places this solution, token or Identity with a set of sharable attributes can be usefully used.

 

This is the question this is the challenge.

 

Words all bound to who we claim to be – How do we identify ourselves on the Internet or in Cyberspace?

Identifier – Something you create or are provided to digitally identify yourselves. Identifiers are things like an alias, user name, email address are examples.

Identity – This is who we are or wish to represent ourselves to be. These are attributes and information about: where we live, who we work for, which banks we have relationships with, who our friends are, which clubs we belong to, our certified skills, what schools we graduated from, which country(s) we are citizens of, our LinkedIn profile, Our Twitter handle, our Facebook identifier, our phone number … .  It is the sum of the attributes we can and will share with others, be they individuals, governments, entities or organizations; as we establish relationships and prove to them who and often what we are.

Authentication – The method we employ to assure that you, based on the identifier presented, are who we (the relying parties) thinks you are.  You are the person the relying party accepted when you registered that Identifier as how you would digitally identify yourself.  By itself the method of authentication should not allow another party to be able to determine anything about your identity.  Privacy is the goal.  FIDO Alliance and W3C have defined standards to support authentication.

Verification – The process of confirming that the secret or biometric match the secret or biometric that where originally registered to that Identifier.

Identification – A means of authentication that is bound to your identity.  A EMV payment instrument “Chip and PIN”a PIV card, an electronic passport, a membership card, a drivers license, a national ID are all forms of identification  issued by a party that should be trusted to have performed a proof of the individuals Identity, based on a defined and often published criteria.

This particular word, for many, has an alternate meaning.  In the biometric community they see Identification as the ability to use a biometric to determine ones Identity.  This is achieved by performing a one (the person present) to many match (persons registered).  The goal is the same, bind Identity to the mean of Authentication by using the Biometric as the Identifier.

Proof – The method a relying party or an individual uses to validate your claim of a specific Identity.  In many cases this is achieved by relying on knowledge of another party.  The relying party accepts the due diligence to proof your claimed identity was done to their satisfaction by another party.  This other party is often referred to as a Trusted party.  This effort to proof the identity of an individual is linked to words and acronyms like KYC “Know Your Customer”, ID&V “Identity and Verification” and Self Sovereign Identity.  We classically assume that documents provided by a Government e.g. drivers License and Passports are a solid proof of the claims asserted on those same documents.

In a digital world this is the most important element of a how we as people, entities, governments and corporations can be assured that you are who we believe you to be.

I am once again am reminded of the 1994 New Yorker Cartoon

The challenge of voice recognition and the need for multiple modalities to the question of authentication

A Good Mimic Can Bypass Voice Recognition Authentication, Research Suggests

The idea of voice many see as one of the more interesting biometric solutions as seen from an ergonomic perspective and something that can readily enhance the call center consumer experience and related security.  The user simply needs to say something into a microphone (telephone) and presto they can be identified or authenticated.    

But is it a safe and secure approach or simply the starting point for the identification and therefore associated with additional authentication processes. 

Personally I am not convinced a voice is a good solution to the challenge of authentication.  Yes, as one element of a multi-factor multimodal approach it is an excellent modality.  But not as the only biometric modality.  My fear emerged from a conversation with a sound engineer.  She told me they could, at the level of a single vowel, splice and change the intonation of a word in a movie sound track.

The above article clearly identifies real world examples of voice biometrics being fooled and concludes by remind us that a multimodal solution is essential. 

Classic Multi-Factor Authentication wants to pair multiple unique and none replicable elements together.

  • Some thing you have
  • Some thing you know
  • Something you are

When I think about multi-factor authentication I wonder what would happen if the object “what you have” can be stolen.  This therefore means the second factor must to assure that only the legitimate user is presenting the object.  If a mime can replicate a voice, after stealing the object, then, this combination of factors can be compromised.

EMV, when implemented as Chip and PIN, matches a unique chip card (what you have) with a PIN (what you know).  Apple Pay is EMV and stores the secrets and executes the cryptographic functions, inside hardware, the Secure Enclave (what you have) and combines this with a sensor to capture the Biometric (what you are).  The electronic passport ICAO use similar chips and carries within it a facial image.  The US PIV & CAC cards uses the same style Chip and are paired it with a fingerprint and sometimes also requires the user to enter their PIN.   

Yet are they truly secure?  We know  Apple X’s, facial recognition, as currently implemented, can be fooled.  We know that Touch ID  was spoofed.  Without liveness testing, most if not all biometrics, will accept a clone or replica of the biometric it employs. 

The challenge is establishing the appropriate benchmarks for the various biometric implementations such that enterprises, governments, merchants and corporations can select and implement a consumer experience that satisfies the needs of security and convenience.

Acronyms like FRR, FAR and PAD become critical to selecting the appropriate implementation of a biometric solution.

  • The False Reject Rate or FRR is all about convenience and not refusing the legitimate user. Perfection is a ratio of 0 in 
  • The False Accept Rate or FAR is all about not approving a transaction or event by an imposter. Perfection is a ratio of 0 in 1
  • The Presentation Attack Detection or PAD is all about addressing the reality that anything can be duplicated; therefore it is essential to make sure the biometric presented in alive and genuine. Perfection is a ratio of 0 in 1.

The challenge is establishing  a balance between the cost and the acceptable FRR, FAR and PAD.

Measuring and establishing the test results of a particular element of a multi-factor solution is not cheap.  EMV, PIV, ICAO software and “Secure enclave” / “Chip Card” / “Secure Element” suppliers spend 100’s of thousands of dollars developing and certifying the functional and security characteristics of the “what you have” element of these solutions.  We know that passwords and PIN can and have been compromised with Phishing attacks and hidden cameras.

When we think about  biometrics there is complexity in the read and match processes.  When the user established their identity and their biometric the reference template is create.  This reference template is then used in the matching process to identify if template resulting from the biometric just presented, is the same.  Unfortunately reality dictates that each presentation of the user’s biometric will generate a unique result.  This unique result will never absolutely match the reference template.  Hence the need to understand and test the sensor and establish its FRR, FAR and PAD.   The more foolproof the match must be, dictates the complexity of the solution and the number of different individual needed during the test process to establish the sensors FRR, FAR and PAD.

Therefore selecting the most appropriate solutions means quantify the risk of the event or transaction and measuring it against the cost and certified characteristics of the authentication mechanisms.

A layered approach that combines two or more factors must also considered including multiple modalities for at least the “what you are modality” is what we must consider.  Using cryptography and hardware to address what you are, Passwords and demographic information to match what you know and layering various elements like location, behavior and some set of biometrics to understand who you are, will offer the highest level of security with the lowest degree of inconvenience.

Bottom Line Multi-Modal & Multi Factor

Authentication of Identification is what we must implement

Always mindful a modality will lose its ability to assure uniqueness

Over time.

We must take care when we speak or sell the power of that which may not be

I always enjoy reading the words David writes.

This particular post creates a moment to reflect.  As we consider the implications of the  Fourth Industrial Revolution, we must remember the  significance many have attributed to Artificial Intelligence.  Those two letters AI are clearly key to the what, why and wherefore of the change ahead.

Clearly machines that work faster, search deeper and are capable of studying vast realms of data are changing the nature of so much.  Simply consider the risks to our security cyber hackers and terrorists wrought on this world or the shenanigans many claim the Russians use to disrupt as they explore and exploit the power of social media.

Moreover as we look afield many industries are being disrupted: movies, books, music, news … to name few.   Outsourcing and robotics is changing the nature of work and the skills necessary to compete and ultimately survive to enjoy the pleasures available in our increasingly digital world.

David makes the point that the intelligence Isaac Asimov and other science fiction envisioned has not yet emerged.  I think he is right.  The message I take aware -we who  market these  solutions should walk forward with care.

People are clearly feeling threatened by the change impacting their towns, families and livelihood.

We must be mindful that complexity breeds confusion.  Confusion drives disillusion.  This then causes people to react, often in nonsensical  ways.

Take On Payments

Federal Reserve Bank of Atlanta

How Intelligent Is Artificial Intelligence?

Posted: Nov 27, 2017 10:51 am

At the recent Money20/20 conference, sessions on artificial intelligence (AI) joined those on friction in regulatory and technological innovation in dominating the agenda. A number of panels highlighted the competitive advantages AI tools offer companies. It didn’t matter if the topic was consumer marketing, fraud prevention, or product development—AI was the buzzword. One speaker noted the social good that could come from such technology, pointing to the work of a Stanford research team trying to identify individuals with a strong likelihood of developing diabetes by running an automated review of photographic images of their eyes. Another panel discussed the privacy and ethical issues around the use of artificial intelligence.

But do any of these applications marketed as AI pass Alan Turing’s 1950s now-famous Turing test defining true artificial intelligence? Turing was regarded as the father of computer science. It was his efforts during World War II that led a cryptographic team to break the Enigma code used by the Germans, as featured in the 2014 movie The Imitation Game. Turing once said, “A computer would deserve to be called intelligent if it could deceive a human into believing that it was human.” An annual competition held since 1991, aims to award a solid 18-karat gold medal and a monetary prize of $100,000 for the first computer whose responses are indistinguishable from a real human’s. To date, no one has received the gold medal, but every year, a bronze medal and smaller cash prize are given to the “most humanlike.”

Incidentally, many vendors seem to use artificial intelligence as a synonym for the terms deep learning and machine learning. Is this usage of AI mostly marketing hype for the neural network technology developed in the mid-1960s, now greatly improved thanks to the substantial increase in computing power? A 2016 Forbes article by Bernard Marr provides a good overview of the different terms and their applications.

My opinion is that none of the tools in the market today meet the threshold of true artificial intelligence based on Turing’s criteria. That isn’t to say the lack of this achievement should diminish the benefits that have already emerged and will continue to be generated in the future. Computing technology certainly has advanced to be able to handle complex mathematical and programmed instructions at a much faster rate than a human.

What are your thoughts?

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed