How many passwords are you trying to manage! Does your LinkedIn contact list connecting you to more than 4,000 individuals? Does Facebook, Instagram, and other social media websites inundating you with news and stories about your friends, colleagues and interesting people?
How many cookies have your computers accumulated? How many databases have more information about you than they need? If we search the dark web, how valuable is your data?
Cando seeks to help you manage your data, identity, assets, and relationships.
Philip lives on Sea Island with his 93-year-old father, the Doctor. They pursue travel and Philip keeps his head into what is happening in financial services, blockchain, authentication, digital identity, and, whatever else people seeking to understand the transformation; particularly those in the identity and payments space.
What is happening means we can unlock our hotel rooms, cars, and homes from our phones. Our security system iwill be another app we have to find on our phone.
Instead, we need an intuitive assistant seeking to simplify our lives by taking on repetitive tasks like driving, working inside a data table or simply opening up the house for the season.
Normalizing data and performing the analysis capable of earning value is the name of the game. Management is about stimulating a team to work in the mutual interest of the organization. Executives define the strategy and articulate the vision in a manner conducive to success.
Cando seeks to help you manage your assets and relationships. Assets those places and things you use doing your daily life and those interactions you have with people and entities seeking to serve, sell and partner with you.
Then there are friends who we expect to be part of our lives and therefore have privileges and access capabilities.
All of this with a target of selling integration services to the top million and simply assuring each person has an identity thus serving the bottom billion. ultimately earning $1 per year per user to simply be there when it all breaks and you wish to restore your digital life.
At the core, your digital security will be based on the use of cryptography and sophisticated matching algorithms designed to assure anyone that you are that one individual in the populatations of the universe.
- Artificial Intelligence
- Machine Learning
- Nature Language Interface
- Predictive Analytics
This technology called the Blockchain is built on the desire to create a new model to assure “trust”.
To establish trust between ourselves, we depend on individual third-parties.
Could there be a system where we can still transfer money without needing the bank?
This statement begs the question, What is a Bank. Is it simply an institution for recording the value we deposit with them and then allow us to move/transfer some portion of that value to another. This then means the loans a bank makes, based on the sum of the deposits we trust them with, is not part of what a bank does.
If the only role of the intermediary is to maintain a ledger capable of recording and facilitating the transfer to electronic facsimiles of something, then, yes a distributed ledger removes the need for the middle man the trusted intermediary. Instead of trusting a third party we agree to a methodology “The Distributed Ledger” to record these intangible assets or rights of ownership of a tangible asset in a manner where each of us has a copy of the ledger. The beauty of this concept is for someone to attempt to change a record in the ledger, recording the disposition of a tangible or intangible asset; 51% of us would have to agree to that alteration.
In the above-linked article, all of what happens can be summaries with this quote
Earlier the third-party/middleman gave us the trust that whatever they have written in the register will never be altered. In a distributed and decentralized system like ours, this seal will provide the trust instead.
While reading the recent document produced by the IMF I am compelled to wonder.
What is the difference between what they call Bank Deposits and e-money. My first question, ignoring the words bank deposit. Both are electronic accounts of value, recorded in someone’s ledger. These two diagrams extracted from a BIS paper offer a perspective.
They then speak to four attributed to the “means of payment”
- The Type, be it a claim or an object.
- The value, be it fixed or variable.
- If it is a claim who is liable?
- The technology, be it centralized or decentralized
- Central Bank Money (cash)
- Crypto-currency (non-Bank Issued)
As we think of the evolution of these object-based means of payment, we need to reflect on a new term “Central Bank Digital Currency” CBDC.
As a historian, I then wonder where things like Digi-cash and Mondex fit into the classification. The value was originated and then distributed into a personal and secure storage device (Wallet). Redemption or better said the guarantee, was provided by a party. Maybe not a bank or the central bank, yet, easily embraced by such an institution. Somehow history seems to lose sight of the origins of money and assumes the existence of a central bank. Here in the USA, the formation of a Central bank was one of many areas of political discourse.
- b-money (Bank issued)
- e-money (Privately issued)
- i-money (Investment funds)
The magic word behind all of these discussions is “Liquidity”. The bottom line does the receiver of the money appreciate the value of the unit of measure and is the receiver confident they will be able to convert that money into another form, of their preference
Let’s start at the beginning, the transaction, the distributed ledger entry. Think about the content of the transaction as the payload. Next think of the payload as the land deed, cryptocurrency value, record of ownership, journal entry, smart contract … marriage contract. Whatever two or more people seek to exchange and record. Another way to think about all of this is as a block of data, code or other digital representation of something duplicated in every participant’s copy of the current ledger.
A governance model is required
What is essential, before anyone can do anything.
The parties seeking to exploit a distributed ledger must define how it will work.
It is what the community or parties seek to represent and manage, using distributed ledger technology, agree.
The whole process of defining the payload begins when the community agrees to and sets off to publish the processes, procedures, rules, functions, and purpose of their application. It is this act of governance we use to define how and what will be conveyed in the payload to be stored and recorded on a blockchain. Which blockchain, protocol, and cryptographic processes; obviously is a decision of the community.
We should be clear before we can do anything with the payload. Ourselves and ultimately others will have initially and subsequently defined the mechanics and processes designed to assure the integrity of the blockchain, itself.
A Transaction is appended to the chain
There are two parties to each event recorded within these transactions. The agreed events, transactions and smart contracts are ultimately included in a block and properly extended onto the chain for everyone to see and read. More about Confidentiality in another post.
Once governance is established
People can now interact
Each party has an address and then addresses unique to each asset e.g. coin. The address, in most cases, is simply an asymmetric cryptographic public key.
- The individual, as is always the case with cryptography, has their own private key(s); they must retain, never lose and keep secret.
When the two parties decide to record an event; the sale or transfer of the title to a car.
- A formal record of a property, a transaction, ledger entry is created.
- The basic data.
- The seller’s public key
- the buyers public key
- the payload
- a hash
- the signature created by the seller using their private key.
The transactions are broadcast to the network. The nodes or miners continuously work to assemble a defined number of transactions and create the next block.
The chain’s role is to record the providence of an asset and the immutability of all the associated transactions.
These records and blocks of data include content: of, by and following the rules of the consensus process.
- Each active node or miner is attempting to create the next block.
- The mathematics involved and the use of hashes to bind this new block to the existing blocks in the chain is beyond the scope of this blog.
- Let us simply assume the mathematicians and cryptographers define as part of the original design of each chain an infallible solution to the issues of economics, security, integrity, and immutability.
- These specifications will define the hash game and how one adds the next block to the chain retaining the immutability of the present and the past
By being the first to calculate the cryptographic nonce
The winner receives a reward.
- Hopefully proportional to the cost of work or other discernable and agreed method of reward.
- The other active nodes then test to see if they agree the first got it right.
- If consensus is reached the new block is appended to the chain.
- This all assumes 51% or more of the miners or nodes reach consensus on the winner’s answer. And no one can control 51% or anything closer than 33%.
Around and around the game continues, as transactions are added and immutably recorded on the chain.
This whole process fundamentally assures history cannot be altered.
Chains split and fun things happen
If the process is not elegantly managed in full sight of all the participants.
When I started to read this article, https://www.pymnts.com/news/b2b-payments/2019/wespay-corporate-faster-payment-adoption/ , my first thought, why would anyone in accounts payable want to pay a bill sooner than it is due. Clearly someone in accounts receivable, the CFO and the treasurer, is in need of a strong cash position. Therefore therefore, wants to bring cash in as fast as possible. This classic struggle between the buyer (accounts receivable) and the seller (accounts payable) begs the question – Who gains from faster payments and who loses?
Clearly the financial institutions are stuck in the middle.
- On one side their clients want moneys to flow into their accounts, oh so fast.
- While on the other hand those same companies would prefer moneys moved out of their accounts at a snail’s pace.
If the competition offers the service, then, the financial institution simply must decide if faster Payments creates a competitive disadvantage.
The question is not if – it is when.
Do we the consumer care? Today we have credit and debit cards which allow us to pace the movement of money. In the case of debit – today. In the case of Credit – some number of days after we get the bill. We can set up autopay facilities for those every month payments. We can schedule money transfers to occur on the day we desire.
From a business and technical perspective the movement of funds immediately upon instruction, makes good sense. We the receiver are assured those funds are good funds. We the sender know the moneys have been sent and received. Therefore, whatever subsequent result can be expected, now!
365/7/24 seems to be what instant gratification is all about. We want everything now and have lost the excitement of expectation.
All this said, there are risks we must consider when deciding to employ faster payments. There is no recourse. Once the moneys have been authorized the moneys are in the hands of the party you transferred them to. Only if they so desire, will you be able to recover from a mistake.
Worse still, if someone is able to assume your identity then an even greater risk exists. The funds are gone. The party receiving them will have no interest in addressing your lose.
Therefore Strong Authentication is the essential requirement.
I ran into this site today and am happy to see how Josh has offered a listing of sites, across multiple verticals, who have and have not embraced Multi-Factor Authentication.
What the primary factor is, is the key to the strength of authentication.
“What You Know” could be extremely secure, except we depend on the human to make sure they protect it, make it unique and complex.
“What You Are” can only be as secure as the quality and accuracy of the sensors and the algorithms used to match what is sensed now to what was registered then.
For me a “Restricted Operating Environment” capable of securing secret and private KEYS and use them to securely performing cryptographic functions, be they Symmetric and / or Asymmetric is the primary factor. The DEVICE(s) we use to access the service provided by the relying party simply needs to be registered, recognized and therefore the UNIQUE “What We Have” factor.
If we know the device is UNIQUE. Then the only outstanding question is, is the registered user using it, while not under duress. If the relying party is not comfortable with the presence of the registered user, then the Relying Party needs an additional factor to assure presence. Be it the “What You Know” and / or “What You Are” one adds to assure presence during the transaction or the authentication dialogue.
If the Relying party is comfortable the registered user is using their registered device, why add friction?
Prevention is what we need to focus on. Lock the door with strong keys . Detection is after the fact and necessary. Investigation helps to punish the evil doer and improve the quality of security.
We need to focus on making sure the methods used to allow someone onto the relying parties website or when they execute a transaction. Like in the physical world, it is about making sure the user’s KEY is unique and the right individual is in possession of the the key.
In other words. The user is present using a registered and recognized device.
Over the last couple of years the reality of fingerprint cards is a hot topic in conversation, white papers and press articles. It led me to think about the challenges and opportunities associated with this intriguing convergence of technologies.
My purpose is not to determine which solution is best or which companies are developing and selling them. My goal is simply to explore.
The first consideration begins when the card is constructed. Here we must ask the mechanical question relative to how the electronics are integrated into the strata of an ID-1 card. This then begs the question of making sure this new card conforms to the specifications dictated by Payment, Networks, Governments or other bodies who define the use of these branded cards. If we continue to think about the card manufacturing process we need to think about electronics and the use of heat in the typical lamination process or the inclusion of metallic materials used to create a particular look. One needs to think about the method of connecting the various internal components to the other electronic elements as the fingerprint scanner, antenna(s)m LEDs, batteries, the EMV chip or contact plate on the face of the card.
The second set of concerns must be related to the personalization of the card. First question is where will it be personalized? in a branch or within a bureau? How will it be personalized? With a thermal printer, laser engraver or embossing machine? Will any of the personalization processes adversely affect the electronic?. Similarly it will be appropriate to confirm whether any of the various card transport mechanisms will disrupt or damage the sensor and related electronics.
At some point in the processes the consumer must register their fingerprint and the resulting template must be instantiated into the card. How will this be done? Some speak of an in branch process. Others talk about some type of first time cardholder activation process performed when they receive the card in the mail.
Clearly there are a lot more questions the issuer, card manufacturer and personalization provider need to address. Let alone the method of making sure the cardholder knows how to use the card at the point of sale or ATM
The key question is the cost of the card, is it worth it?
Each morning I read trade articles on Blockchain, Faster Payments, Mobile Wallets, Authentication, Identity and other alerts & subjects of interest. Each day the writers leave me thinking about the future of society, howbwe will address cyber security, what we can do to funally eliminate fraud and which solutions will help us to mitigate risk. These then drives concern about where we will end up, as we drive to define effective means of identity and authentication, capable of supporting the individual desire for convenience and gratification.
Facial recognition deployed to speed up entry and exit to and from countries and through airports are here. The surveillance state is emerging at alarming speed. These same cabilities could potentially deliver a safer environment. Which will it be?
Physical and behavioral biometrics many feel should become the primary means of authentication. Yet, false acceptance and more importantly false rejection will result in inconvenience some expect the consumer to tolerate while other remember friction typically ends up with the consumer abandoning the journey.
The cost of payments, the escalating concern of the retail sector, remund us thatnpayments are sourcesnof revenue for some and friction for others.
Identity theft and the ability to create synthetic identifies are the fears of many. Consumers whose identity is stolen struggle to regain their standing.
In the end all we seek is:
- Pay for something
- Identify ourselves
- Protect our hard earned money
- Live a safe and productive life
- Be assured you are you and not someone else
These articles cause me to think about the future and how the consumer will ultimately respond to the changes now taking place to how we Log-in to a website. Yesterday, or better said 10 years ago, we all understood that simple User Name password. A single screen with a reasonably consistent user interface. Sometime we might have to put up with two screens, One for the User name and the next for the password.
Today we are being confronted with a variety of methods to authenticate ourselves to the websites we frequent. Many register cookies on your machine and when your told they needs to be deleted, we are confronted with a second or even third layer of security and identity proofing. Often times we are then told to wait for an email sent to some email address we once registered or asked to enter the number we will receive in a text message to a mobile phone number we once registered. Some websites are using one of the various authenticators our mobile phones may now be hosting.
In my case, ignoring the various authenticators I have already deleted, I am using:
- Samsung Pass
- Google Authenticator
- Microsoft Authentication
- Norton Password Vault
- Samsung FIDO Certified “SIDF”, inside my Galaxy 7s phone
- email or text messages with a code I must type in
- Emails with a link as a means of verification
What is clear is there are start-ups and legacy technology companies busy trying to profit from authentication.
My concern is the consumer will be confronted with more and more as everyone claims they have a better widget capable of securing our digital world.
Why not come to consensus on a common approach to authentication?
Another article published by PYMNTS.COM causes me to reflect on a discussion I had last we at the Payment Summit organized by the Secure Technology Alliance. When the US Faster Payments work groups where stood up on e of the working groups focuses on security, yet no particular drive exists to protect the consumer of the corporate treasure from their account being hacked into by some phishing, vishing or other criminal act. Account takeover will become a much more interesting attack vector. Moneys will irrevocably flow out of the hacked account and to whatever account the criminal so directs them.
Key word real time gross settlement and faster payments depend on the irrefutability of the funds. once executed they instantaneously transfer to the receiving party. What is required is a concerted effort to implement strong multi-factor authentication, at least at the time the transaction is authorized by the sending party. Some will say the risk is no greater than what exists today when a consumer or treasurer executes a Wire Transfer or any form of transfer between two financial institutions. This maybe true. the availability and assumed convenience will as the article described lead to heightened risk.
As I have written in other blogs we need to embrace strong Multi-Factor Authentication. The standards exist, the security of the device in many case is present. Relaying parties need to decide security is worth the investment. They need to recognize the value of satisfying the consumers’ need to have access to their funds properly protected.
As I skimmed through this article I was reminded of the reality of biometrics. It is a statistical algorithm designed to compare what was registered to that was just sensed. It is an imprecise process. The author reminds us of the importance of our identity in each and every interaction we engage in. She further ponders the question, of the potential threats to the biometric solutions that countries, people and enterprises are embracing, as we work to address the questions of Authentication and Identification in our complex digital and physical world.
The article asks the questions:
- Do the countries and enterprises understand the technology and processes used to support biometrics as a means of authentication.
- Do they appreciate the need to secure and protect this most sensitive of data?
- Is the data they store able to be used to compromise the individual of the integrity of that which it seeks to protect?
- Are we at risk of creating a surveillance society?
Finally there is the question of the accuracy of biometric matching. It is interesting to observe the comparison of the accuracy of biometric matching to PIN or password matching. We all recognize the challenges of PIN and password. It is not the concept it is the question of how many complex PIN or passwords is the human mind capable of retaining without writing them down or storing them someplace that can be compromised.
As I have argued in other blogs, the answer must be in the possess of something unique which has a False Reject Rate FRR and a False Accept FAR Rate, both approaching zero. Clearly the PIN or password has such a characteristic the challenge is in remembering so many. An object or a thing “Something You Have”, be it a card, phone, watch or bracelet with a Restricted Operating Environment inside e.g. secure element, TEE or TPM, secured using strong cryptography, paired with a biometric makes the most sense.
Often times I have wondered why everyone is so enamored with Tokens and Tokenization. Some time ago I begged the question of the broken token in a presentation to the Smart Card Alliance.
My premise is simple.
Identifiers are not authenticators. Replacing the identifier with a token as a result of turning an Identifier, the PAN, Social Security Number or other identifying index value, is a bandage on a festering mistake.
What we need to do is address the challenge of authentication in a convenient and frictionless way. Having to protect an identifier was the issue that created PCI and the whole issue of PII data. The Identifier should not need to be protected. It was and still should be an index and means of recognizing the relationship the relying party has with you. The authentication function is to make sure the person linked to that identifier is you!
User name: Identifier
Was not a bad start. Single factor authentication “what you know”.
Given the number of relying parties we all maintain relationships with, it is time to retire the password; Introducing “what you have” a secure thing (be it a chip card, Fob, Mobile Phone or Personal computer) and exploit the power of cryptography. Then add a second factor, a password or PIN, is a great first step. Changing the PIN or Password to a Biometric is a great leap into a truly secure environment.
The Key is to embrace the first factor “What You Have” a true token.SCA Workshop Tokenization - 2015
We are here to help you figure out the right approach for your organization.
CEO, Market Platform Dynamics
Last week in your publication I read the article Deep Dive: Security In The Time Of Faster Payments and I had to offer the following thoughts:
The concept of Multi-Factor Authentication is based on the idea of layering multiple authentication techniques on top of each other.
We typically speak of three factors “What You Have”, “What You Know” and “What You Are”.
When we think of “What You Have” we think of a “Thing”. An object that cannot be replicated or cannot be counterfeited.
An object “a secure computer” that can be upgraded and made more secure as threats like Quantum emerge.
A unique object with a False Reject Rate FRR and a False Accept Rate FAR approaching zero.
In the physical world “the thing” is a card or passport. You will remember our first discussion, we came to agree the “secure computer” embedded inside provides a future proof mechanism. In the digital world, we depend on Cryptography. This Thing, inside our computers, mobile phones and other technologies; many refer to as a ROE “Restricted Operating Environment”. Technology people may call it a Secure Element, a SIM, an eSIM, a TPM, a TEE, an eUICC or even Security in Chip. Companies like ARM specialize in creating the design of these things and silicon manufacturers embrace and license their designs.
Today these connected devices (be they: personal computers, identity & payment cards, FOBs, mobiles phones, bracelets, watches and hopefully every IoT device) need to be secured. This array of cheap ~$1 security circuitry provides a place to create and/or store private keys & secrets keys, perform cryptographic functions and assure the integrity of the BIOS and software being loaded or currently running in these computers.
Think Bitcoin for a second. The key to its architecture is the Private Key associated with your store of coins. Lose it and they are lost. Many people store these in hardware, based on the use of a ROE.
The second factor is all about proving that you are present. Behavior, location, PIN, fingerprint or passwords are second or even third factors, be they something you know or something you are.
This is what FIDO and what WebAuthN is all about. Especially since they introducing the security certification regime. This is what the Apple Secure Enclave is and Samsung and others embed into their devices. This is what we put into payment cards, government identity cards and the Yubico keys we see various enterprises embracing. This is what Bill Gates started talking about in 2002. BILL GATES: TRUSTWORTHY COMPUTING
As we move to Faster Payments we must move to Secure payments. Immutability and irrefutably become key requirements. To achieve this goal I suggest we need to understand one fundamental security principle.
The First Factor
is Something(s) You Have
The Second and Third factors
Prove You Are Present
Storing Biometrics in the Cloud
Creates a Honey Pot
And, begs questions of Privacy
Let me identify myself to My Thing.
Then let My Thing
Authentication my presence to
The Relying Party (Bank or Credit Union)
This week the following title caught my eye Why Authentication Needs to Simplified for Users and Organizations. As one of those users who wants authentication to be easier, I was driven to reflect back on what companies have offered as mechanisms to secure this amazing landscape called the World Wide Web or the Internet. Each of the four devices on the right are samples of the primary factor “What You Have”. They date back over 25 years and each included a Secure Element currently referred to as a Restricted Operating Environment ROE. The one with the keyboard was issued to me by my european bank in the 90’s. It was used as step up authentication to secure the transfer of funds.
Cumbersome to say the least. I had to enter a PIN, a number displayed on the screen then type the number displayed on LCD into a field on my personal computer. What I always asked myself, why can’t they integrate that thing inside my keyboard or laptop.
Reflecting forward and thinking about what we have to do today to authenticate ourselves. We are confronted with a myriad of solutions each different each claiming to be the right answer to the wider question. Secret questions, PINs, patterns, passwords, an SMS or email with one time passcode, the Google authenticator, the Microsoft authenticator, the FIDO U2F keys, the Fingerprint sensor on my phone, the camera on my desk top, how I use my mouse, where I am located, is there a cookie in my machine.
On top of all of those commercial solutions, there are numerous demo authenticators clients and prospects have asked me to look at.
Each requiring the user to appreciate when and how to use it.
What is the answer. First we must agree on the requirements.
- Easy to Integrate
Starting with secure it must be able to offer a unique method of authentication that cannot be spoofed, counterfeit or otherwise compromised. It must have a false accept rate approaching zero and a false reject rate also approaching zero.
As it relates to easy to integrate the people who manage identity & access management systems IAM, computers and applications need to be able to quickly and with a minimum of effort, replace what is now used to identify and authenticate the user, with something new.
Intuitive this is the real challenge. There is the variety of users that must be considered. Are they their willing to learn or capable to make the leap, we hope they will?
Finally convenient which demands fast, easy, memorable and even something that is device independent.
How did we get here? Nobility provided individuals letters of introduction, sealed with wax and a signet ring to confirm the origin. This letter assured the attributes, capabilities and identity of the carrier. We trusted because of the seal we recognized
We, one of 7 billion people on this planet, have more contacts on LinkedIn, Facebook and a myriad of other social networks than many towns and cities when a ring and wax was an effective means of authentication.
Today we carry a number of documents. Each designed to provide proof of our identity. We simultaneously expect schools, employers, friends and other agents to be ready to offer proof of our claims. Did we graduate? Did we work there? Are we of good character? Did we received particular certificate?
Insurance companies, airlines, merchants, hotel and banks all provide cards and other means of identity. Each designed to inform someone of our rights, privileges or capabilities.
But, and this is a big but. We do not have an effective and convenient way of sharing these rights, attributes, and privileges on the internet. We let people identify themselves with user Ids and passwords. As the number of digital relations grow the challenge of maintaining secure passwords gets worse. As the challenges of phishing and vishing attacks got more sophisticated the risks, fraud and loses escalated.
We understand these challenges helped to secure card payment systems, were involved in defining new authentication standards and have seen and been exposed to way more ideas than necessary. Happy to help your organization’s secure your consumer and employee relationships.
Wednesday November 27th, 2018
At Kennesaw State University
As part of Coles College of Business
Information Security Lecture
I offered the following:FIDO-The_Consumer_Solution
Last night November 8, 2018, Bryan Cave Leighton Paisner hosted the Atlanta Chapter of BayPay’s
Digital Identity and Multi-Factor Authentication,
A Necessity in an Increasing Digital World
The panel moderated by Philip Andreae, Principal at Philip Andreae & Associates included:
- Clay Amerault, First Vice President, Digital Delivery Lead at SunTrust
- Blair Cohen, Founder, Chief Evangelist & President at AuthenticID
- Jennifer Singh, Innovation Specialist & Digital Identity Strategist at Thomson Reuters
- John Dancu, CEO at IDology
- Vivian van Zyl, Senior Product Architect at FIS
The panel focused on the need to address Digital Identity and Authentication with a clear focus on the user experience. The discussion considered the balance between friction and security. All of the panelist articulating the demand for convenience. The Audience questions which is it the desire, or is it the demand, of the American consumer.
All agreed, the key issue, as we move towards digital only relationships, is the challenge of Identity Proofing. The panel also reminded the audience to layer various techniques in order to recognize the presence of the right user and the need to incorporate various fraud mitigation strategies to manage risk and assure identification.
Some of the participants asked if we should start educating the consumer and help them to understand the balance between a frictionless experience and one where a degree of friction is a symbol of how the enterprise (relying party) demonstrates its concern for the consumer’s data and responsibility to protect the consumers assets and identity attributes.
The question of centralize biometric databases versus distributed biometric databases, reminded people of the reality, our data, attributes and identity is already available on the Dark Web. How we restore privacy and what will happen as the new GDPR regulations go into force in Europe, and as California moves to introduce its privacy legislation; requires each of us to watch carefully and be part of the move to restore the consumers’, OUR, right to the data that is us.
The Evolution of Authentication
When first we sought to create secure and convenient means of identification, we relied on user names paired with passwords and PINs. These values are typically stored centrally within the relying party’s database. Often times, these values are encrypted at point of entry, and once received by the relying party passed through a one-way function, before being stored in the database. This use of cryptography to encrypt the PIN or Password in transit and perform the one-way function before storing the result is simply to prevented the PIN or Password from being captured in transit or reverse engineered.
Each time the user logs in, they enter their password or PIN, it is received by the relying party, run through the same one-way function and compared to the value stored at user registration
Over the last 30 or so year there has been mounting concern as to the long-term viability of depending on the user being able to remember, create a unique & complex value and accept responsibility to frequently change their passwords and PINs. Especially given the myriad of sites and digital relationships we each continue to establish.
To assure the integrity of passwords and PINs, the challenge is making sure the length and randomness creates difficultly and minimizes the chance someone can guess what the Pin or password is. By adding special characters and insisting on password and PIN policies, the rely party has attempted to reduce risk and the chance for rouge penetration.
Unfortunately, people forget their password, phish & vishing attacks work, key-loggers and other clever ways of obtaining the user name and password have increased. The threat of rouge intrusions and the resulting reputational and financial lose is out of control.
As these loses escalated, the cost of the various techniques to support more secure authentication have been developed. The market always understood if we could merge a unique object something you Have, with a secret you Know or a biometric something you Are; you would be able to establish a superb form of multi-factor authentication. Many, such as the ICAO, EMV and PIV specifications, embraced the idea of cryptography operating within a secure element or smart card. They further embraced the idea of loading the registered biometric rending into the chip and incorporate the matching algorithm within the software. By then using an external PIN pad or biometric sensor, multi-factor authentication could be enabled. Unfortunately, at considerable cost.
In Europe, in order to secure access to websites they looked to physical objects capable of displaying a onetime password as the answer. In some cases, the user had to first enter a PIN then a number displayed on the screen and then type the value displayed on the device into a field in browser window. Something you have with a secret, a one-time password, unique to each event.
Clearly PINs and passwords carry with them two flaws. They need to be remembered and they need to be typed in. Biometrics on the other hand offer convenience and do not require the user to remember a complex set of characters. Fortunately, the size, cost and complexity of biometric sensors has decreased significantly and it is viability to integrate sensors into a user operated device. The first company to offer a phone with a biometric fingerprint sensor was Motorola, quickly followed by Apple on their iPhone 5S. Today it is rare to find a mobile phone which does not included a biometric sensor and related algorithms.
Now with an identifier (user name), a device with a unique digital signature and the ability to support biometrics, all the virtues of multi-factor authentication and the wonders of biometrics such as: fingerprints, veins, retina, iris, EKG, behavior or selfies are available to assure the registered user is present.
All because the sensor can capture the biometric and software will render the output of the sensor into images, patterns or templates. The sensor and the related software have unique characteristics as to how the matching processes work. It then simply requires us to accept that the output of the sensor becomes the input into the matching algorithm.
The last concern – how do we measure the reliability of the biometric sensors and algorithms. To help people understand the reliability of these sensors and matching algorithms, there are an assortment of acronyms such as: FRR, FAR and PAD. These three are the ones I am most familiar with. They measure and quantify the risk of false acceptance or false rejection and provide a measure of the assurance of life.