Category: Identification

Tomorrow Immutability and Trustless is this what we want?

2 words immutability and trustless. 

Such big words. The idea something is once written can never be changed, altered, or deleted as well as elegant. Or that there is no need to worry about anything, what is presented simply is one instance of knowledge not until more than two can be found is there the possibility of trust. But if more than a few assemble and not sure then!

In a trustless environment, there is no single entity that has authority over the system, and consensus is achieved without participants having to know or trust anything but the system itself. A definition from one of the major institutions helping to establish this new.  New what?

https://academy.binance.com/en/glossary/trustless

It is the removal of relationships so they can be replaced by something, no someone new that is bothersome.  Words like usury invade reality, and a few get very wealthy as the mass spend to survive, always being driven to need more. 

We have lost the ability to commune.  We lost track if the responsibility to be good stewards of the garden we were given responsibility for .

Van Buren v United States

Date & Time:
Tuesday, June 29th, 2021
10:30 AM PT | 1:30 PM ET

Explained: A Legal Perspective on the Future of Cybersecurity Research

The Supreme Court’s Van Buren decision earlier this month aimed to clarify the ambiguous meaning of “exceeding authorized access” in the Computer Fraud and Abuse Act, the federal computer crime law.

In the context of protecting critical infrastructure from hackers, this particular ruling will define how we manage, report, and handle unauthorized access.

It also raises some foundational questions that, if weighed carefully, have the potential to foster a collaborative relationship between researchers and companies. How should good-faith researchers conduct themselves? Does this redefine the relationship between companies and hackers? Is every researcher considered to be in violation of CFAA if they’ve not sought permission to access a system?

Jared L. Hubbard and Christopher Hart have followed this ruling closely and worked on amicus briefs to aid the Court in this matter. They will discuss the case and answer questions.

Speakers:

Jared L. Hubbard, Partner, Fitch LP
Christopher Escobedo Hart, Partner, Co-Chair, Privacy & Data Security Practice – Boston, FoleyHoag LLP


Register on Eventbrite


Follow us on Twitter and LinkedIn to stay in the loop with updates!

Copyright © 2021 Voatz. All rights reserved.

Thinking Voting

Today we seek to ensure each citizen eligible to vote can vote. Issues like location, geography, education are all elements of the values we must embrace as we work to assure the citizens ability to vote.

The first question of voter and eligibility takes us into the realm of who or how elections are managed. Candidates, contests, question are all elements of what is presented to the voter as a ballot. According to practices and rules, contests involve selecting candidates. While questions focus on yes/no answers or a score.

Anonymity creates a need to construct a mechanism to assure one vote per voter while preserving the privacy of the voters identity. This one requirement solved reduces the risk landscape significanttly and complicates the angle of attack.

Adhering to a security first continous improvement principles and integrating prevention and detection into the design of the source code.

I believe Voatz has solved the most challenging task and embraced best of breed components and partners to build a secure immutable record of each unique anonymously signed ballot.

The rest, as long as vendor certification mechanisms and coherent standards exist, has been done over and over again in: financial services, government services, defense, health, and retail. With sound software design and release procedures, built on quality principles inherent in the companies ethos

All we need is the right to improve democracy.

What is a DAO and how do we govern tomorrow

Distributed autonomous organizations, a DAO.

When we think of governance and how we control society, we immediately must consider the realities of people in the tribes they belong to.

Recently the emergence of bitcoin, the understanding of the power of a distributed ledger, the use of a hash chain, the power of cryptographic processes, and the security of the devices we carry establishes a foundation for a brave new world.

What is governance? It is the method processes and mechanisms a society puts in place to establish order and ensure harmony?

The ancient Turks, Greeks, slave spoke of democracy, the idea that each member of the tribe, the town, the city, or the state could assemble and determine new laws, regulations, and best practices. We then evolved into Republican governments the concept of a group of people representing a larger number of citizens.

Influence and power define what shall evolve. In my lifetime, the idea of being able to plug the handset of your telephone into the back of a terminal and establish a connection to a computer somewhere out there was a novelty. For my father it is Time in Geneva when Aryanism stood out as a challenge, opportunity or threat. Telephones were just emerging and radios were available. TV was still not present. Paper books and libraries surrounded the environment we will call Geneva.

City on the Lake, what is this thing place in his history his is as relevant as your or mine.

One question why anonymity at the profound process of engagement. When you are something called anonymous I am not sure I want to play. If your anonymous is mandatory; I don’t want to play.

The innovative spiritual and the. Nurturing essence of life.. How this evolves involves countless engagements.

Each sublime note to the fabric of the virtual environment we present to the public is.

And, all of us form the fabric of the public.

He answered them, “And why do you break the commandment of God for the sake of your tradition? 4 For God said,* ‘Honor your father and your mother,’ and, ‘Whoever speaks evil of father or mother must surely die.’ 5 But you say that whoever tells father or mother, ‘Whatever support you might have had from me is given to God,’* then that person need not honor the father.* 6 So, for the sake of your tradition, you make void the word* of God. 7 You hypocrites! Isaiah prophesied rightly about you when he said:

8 ‘This people honors me with their lips,

but their hearts are far from me;

9 in vain do they worship me,

teaching human precepts as doctrines

“Listen and understand: 11 it is not what goes into the mouth that defiles a person, but it is what comes out of the mouth that defiles.”

What shall we do? Simple honor the one Jesus answered, “The first is, ‘Hear, O Israel: the Lord our God, the Lord is one; 30 you shall love the Lord your God with all your heart, and with all your soul, and with all your mind, and with all your strength.’ 31

You commit to what you believe in with a robust desire to adhere to the moral imperatives. The one God is the same God written about in so many different ancient lore.

The second is this, ‘You shall love your neighbor as yourself.’ There is no other commandment greater than these.” 32

32

Who is your neighbor?

Anyone you engage in an event. An event is is anything we all seek to record. By the way any unit of one can record as long as all parties are aware. It is our contracts and promises. Those such as payment, voting, identity and influence.

See you next time.

The Card Was and Is Only a Credential Carrier

Cash is here to stay – cards are the true dinosaurs

This question of the extinction of the payment card is misleading. 

What is a payment card?  It is the carrier of a set of credentials, A means of Identification offering financial Attributes capable of being authenticated by a party seeking to sell something to the individual or entity presenting the credential as a mechanism to assure payment.

Back when credit cards were designed, the goal was to offer merchants a guarantee of payment and anonymous consumers a means of paying.  Behind this means of payment, a financial institution, the issuer, provides the consumer with a “Line of Credit”.

On the merchant side, another financial institution buys these guaranteed receivables from the merchant and charges the merchant a “merchant discount”.  Later that day the Issuing Institution advances payment to the Acquiring Institution based on an agreed set of terms and operating rules. Terms and conditions the involved financial institutions collectively agreed upon.

For this method of payment to be effective, a large number of consumers and merchants had to agree to participate; hence the financial institutions came together and formed what we now know as MasterCard and Visa.

Given the state of technology at the time it was essential this new mechanism work without the burden and expense associated with the merchant, supported by the acquirer, contacting the issuer to receive approval, or, in stronger terms be assured of a guarantee of payment.  To achieve this result, the merchant needed something to acquire the necessary information to submit a request for payment.  For both the merchants and financial institutions,, there had to be a means of authentication. Designed to assure the responsible parties of the authenticity of the person or entity to present their payment credentials.

To accomplish this goal, just like with money, physical security features are integrated into the payment card designed to allow the merchant to authenticate the uniqueness of the card carrying the payment credential, thus assuring the merchant of the authenticity of the card.

Overtime criminals successfully counterfeited these security features.

As these features were compromised additional features had to be added.

Today, a computer has been embedded inside the card, in order to assure the authenticity of the payment card credentials being presented to the merchant.

These computers embedded onto the front of a payment card exploit the power of cryptography.  Cryptographic certificates and digital signatures are created by and for these computers, allowing:

    • The Issuer (symmetric cryptography) to support Online Authentication
    • The merchant (asymmetric cryptography) to support Offline Data Authentication

These two mechanisms prove to the merchant and issuer that the card is unique and the data, credentials, and digital signature it contains or produces are authentic.

Once all the merchants have are capable of reading the data from the chip card, the security features of the card become redundant. 

As these features become redundant and the merchants embrace Near Field Communications, based on the ISO 14443 standard, the issuer can replace the card form factor with anything equipped with the necessary computational capabilities and ability to communicate with the terminal over the NFC interface.

This is exactly what Apple Pay and Google Pay have done.  They replaced the card with a device.  Yes, the Payment Card may become redundant.  But, the Payment Credentials they contain, remain.

What we know as card payments, is fundamentally an account-based solution. Money, through the defined settlement process, ultimately move from the line of credit or deposit account of the buyer, through a series of accounts with the participating financial institutions, to the account of the merchant.

Card-based credential payments
simply become
Device-based credential payments

 

In the Digital world certificates replace so many things

What is a certificate? A certificate as defined by Merriam Webster

certificate noun

1: a document containing a certified statement especially as to the truth of something
specifically: a document certifying that one has fulfilled the requirements of and may practice in a field

2: something serving the same end as a certificate

3: a document evidencing ownership or debt

certificate verb

: to testify to or authorize by a certificate

When we designed the EMV specification we employed a cryptographic mechanism to assure the merchant and ultimately the issuer of the presence of a uniquely issued payment card.  The goal, address the weakness of the security features then present on a physical payment card.

For the merchant – a local mechanism capable of allowing the device – the point of sale to attest to the membership of that card to the family of cards issued under one of the Payment Network brands.

For the Issuer – a mechanism where the card signed transaction details the merchant would forward a digital certificate – the cryptogram – to the issuer for authentication.  This cryptogram included in the message sent to the issuer assured the issuer, the card they issued; was presented to the merchant as a means of payment, for the transaction.

What is a payment card? – It is a certificate, issued by a financial institution, designed to guarantee the merchant will be paid – if they follow the agreed payment brand rules.

What is a ticket? – It is a certificate, issued by the movie theater, or a designated vendor, granting access to some venue or event.

What is a license? – It is a certificate, issued by some authority identifying your right to be or the ability to do something.

In the digital world, certificates are strings of characters, such as 2FG%4T678&b23, created, using some mechanism, by an Authority.  The readers, of these characters, use the certificate to Authenticate the uniqueness and Authority associated with the presentation of this certificate by someone or thing to something or someone.

 

To Identify or to Authenticate what is the difference?

Today I read an article on LinkedIn

 ‘Identification’ is to give an answer to the question of ‘Who is he/she?’, while ‘Authentication’ is to answer ‘Is he/she the person who he/she claims to be?’

This distinction for me is clear.  Yet, based on this article, and personal observation, people do not appreciate the unique difference between these two words.

For those who remember the film War Games, the two young adults were able to access the game simply by learning tidbits about the author of the program.  “Joshua” is the critical fact our young hackers unveiled.  This single word was both the identifier and the password.  A simplistic form of Identification which some may confuse with Authentication.

Our driver’s license number, credit card numbers, passport number, social security number, employee number, email address or other aliases; are identifiers.  These values are and should have remained, simple means of linking someone to the person who initially registered on a web site.

We then link these identifiers to a means of Authentication, an Authenticator.  We then use the authenticator combined with the identifier to assure Identification.  The recent NIST  800-63 standard defines the strength of an Authenticator.  The simple reality the authenticator can be a combination of things you know, things you have, and things you are.  Combining these factors create different strengths of Authentication.

Back in the day, a password, if properly constructed, was a very strong means of authentication.  Unfortunately remembering numerous and unique passwords is unmanageable.

One of the issues we face is how so many entities, companies, and other enterprises have taken the identifier and allowed it to also become a means of Identification, a secret.

As soon as a simple number or string of letters designed as public information, to be shared with others; became a means of Identification we created an untenable situation.

Is Identity Dead – The answer is Authentication

Today 2019-12-12 I found my way to the following article and associated podcast.

https://diginomica.com/fall-event-highlight-steve-wilson-says-digital-identity-dead-so-where-do-we-go-here 

https://www.constellationr.com/blog-news/identity-dead

Below is a flow of thought as I read and listened. to Jon Reed and linkedin.com/in/lockstep Stephen Wilson discuss this most interesting topic.

Surveillance Capitalism – So many are taking advantage of our data!

We need to evolve through the pony express stage of data management, and get to a point where there are responsible data intermediaries who are being held to account.

Identity management, for me, is about proving things about myself. I want to log onto a bank and prove that I have a particular bank account. Sometimes I want to log on and prove that I am the controller of a multi-party bank account with my wife. And sometimes I want to log onto a health service and prove my health identity. So this is all about proving things about me in different contexts.

In the podcast, they beg the question “Why is the Digital Identity problem still any issue”?  This leads one to think about the scale and expectation so many have surrounding this idea of “DIgital Identity”!

They then go on to ask the question What is two-factor authentication and remind us that our phone is a two-factor device, exactly what the standards FIDO Alliance worked to develop.  They remind us of the reality that people look after their phones.  We know when our phone is not with us.

Why not simply bind my identity to my phone.

Mr. Wilson sees the phone as the second factor.  I would suggest our devices, bond to our identity, is the primary factor.

Mr. Wilson reminds us that Identity is all about Verifying Claims. We claim to be someone and the relying party seeks to confirm that I am who I claim to be.  Or, when I seek to log back into a website, the relying party needs to make sure it is I – the same person who the relying party originally proofed, registered and agreed on an identifier and an associated means of authentication.  

Attributes are more interesting than Identity

Attributes are what matters in the various relationships we have when we interact with another.  As we think about our data we need to think seriously about what other parties need to know about us and what we wish to share with them.  Efforts in Europe to institute GDPR and the efforts in California to implement CCPA

As I continued to read and follow the thread I ended up at a W3C working group working on “Verifiable Claims” and found the following:

Abstract

verifiable claim is a qualification, achievement, quality, or piece of information about an entity’s background such as a name, government ID, payment provider, home address, or university degree. Such a claim describes a quality or qualities, property or properties of an entity which establish its existence and uniqueness. The use cases outlined here are provided in order to make progress toward possible future standardization and interoperability of both low- and high-stakes claims with the goals of storing, transmitting, and receiving digitally verifiable proof of attributes such as qualifications and achievements. The use cases in this document focus on concrete scenarios that the technology defined by the group should address.

The truth is that Identity Providers, as imagined, can’t deliver. Identity is in the eye of the Relying Party. The state of being identified is determined by a Relying Party (RP) once it is satisfied that enough is known about a data subject to manage the risk of transacting with them.

We are expecting people to be better than smarter than the crooks.  This is an interesting thought that begs the question.

How do “we the people” trust anything we hear, read or otherwise come across.

How does each of us keep up with all of the various products, standards, specifications and other efforts to develop stuff capable of securing our “IDENTITY”?

I am a firm believer in the work the FIDO ALLIANCE and W3C’s work on Web Authentication and recommend its adoption and use based on authenticators capable of adhering to a level of security certification commensurate with the associated risk of the acts, transactions, information, and services offered by the relying party to the user.

It is time to move to Multi-Factor Authentication built on a Restricted Operating Environment

Passwords should become a thing of the past. Here’s why

This morning one of my Google alerts found a blog coming from the World Economic Forum.  It reminds us of the inventor of the password Fernando Corbato.  In an interview with the Wall Street Journal, he said passwords have become “a nightmare”.

The open question is how do we solve for the nightmare of password management we have created that is both effortless and secure.

This article calls for private enterprise and our governments to find answers.  I hope in finding these answers capitalism and profit do not become the reason to act.  I hope social responsibility and community action drive all to find answers that are affordable, convenient, secure and more importantly consumer-friendly.

Where are we

Today.

How many passwords are you trying to manage!  Does your LinkedIn contact list connecting you to more than  4,000 individuals?  Does Facebook, Instagram, and other social media websites inundating you with news and stories about your friends, colleagues and interesting people?

How many cookies have your computers accumulated?  How many databases have more information about you than they need?  If we search the dark web, how valuable is your data?

Cando seeks to help you manage your data, identity, assets, and relationships.

Philip lives on Sea Island with his 93-year-old father, the Doctor.  They pursue travel and Philip keeps his head into what is happening in financial services, blockchain, authentication, digital identity, and, whatever else people seeking to understand the transformation; particularly those in the identity and payments space.

What is happening means we can unlock our hotel rooms, cars, and homes from our phones. Our security system iwill be another app we have to find on our phone.

Instead, we need an intuitive assistant seeking to simplify our lives by taking on repetitive tasks like driving, working inside a data table or simply opening up the house for the season.

Normalizing data and performing the analysis capable of earning value is the name of the game.  Management is about stimulating a team to work in the mutual interest of the organization.  Executives define the strategy and articulate the vision in a manner conducive to success.

Cando seeks to help you manage your assets and relationships.  Assets those places and things you use doing your daily life and those interactions you have with people and entities seeking to serve, sell and partner with you.

Then there are friends who we expect to be part of our lives and therefore have privileges and access capabilities.

All of this with a target of selling integration services to the top million and simply assuring each person has an identity thus serving the bottom billion.  ultimately earning $1 per year per user to simply be there when it all breaks and you wish to restore your digital life.

At the core, your digital security will be based on the use of cryptography and sophisticated matching algorithms designed to assure anyone that you are that one individual in the populatations of the universe.

What You possess, What You Are, What You Claim … Your Certificates

NCCOE NIST Multi-Factor Authentication

What you Possess — The Thing

What you Are — You

Your Relationships

Responsibilities

Authority

Advice

— Secrets

My Certificates

 

 

 

 

 

 

 

 

[pdf-embedder url=”https://andreae.com/wp-content/uploads/PA&A_2018/Seven-Words.pdf” title=”Seven Words”]

World Wide Web Consortium

FIDO Alliance

Global Platform

The Trusted Computing Group

Future interests

  • Artificial Intelligence
  • Machine Learning
  • Nature Language Interface
  • Predictive Analytics

Blockchain made simple

Let’s start at the beginning, the transaction, the distributed ledger entry. Think about the content of the transaction as the payload. Next think of the payload as land deed, cryptocurrency value, record of ownership, journal entry, smart contract … marriage contract. Either two or more people seek to exchange and record. Another way to think about all of this is as a block of data, code or other digital representation of something duplicated in every participant’s copy of the current ledger. No matter what happens, a secure system must be established for a smooth cryptocurrency transaction to take place. Maybe look for the best vpn for crypto trading? Could be an option, but only in the later stages when the initial nitty-gritty of the process is established.

A governance model is required

What is essential, before anyone can do anything.

The parties seeking to exploit a distributed ledger must define how it will work.

It is what the community or parties seek to represent and manage, using distributed ledger technology, agree.

The whole process of defining the payload begins when the community agrees to and sets off to publish the processes, procedures, rules, functions, and purpose of their application. It is this act of governance we use to define how and what will be conveyed in the payload to be stored and recorded on a blockchain. Which blockchain, protocol, and cryptographic processes; obviously it is a decision of the community.

We need to be clear before we can do anything with the payload. Ourselves and ultimately others will have initially and subsequently defined the mechanics and processes designed to assure the integrity of the blockchain itself.

A Transaction is appended to the chain

There are two parties to each event recorded within these transactions. The agreed events, transactions and smart contracts are ultimately included in a block and properly extended onto the chain for everyone to see and read. More about Confidentiality in another post.

Once governance is established
People can now interact

Each party has an address and then addresses unique to each asset e.g. coin. The address, in most cases, is simply an asymmetric cryptographic public key.

    • The individual, as is always the case with cryptography, has their own private key(s); they must retain, never lose and keep secret.

When the two parties decide to record an event; the sale or transfer of the title to a car.

    • A formal record of a property, a transaction, ledger entry is created.
    • The basic data.
      • The seller’s public key
      • the buyers public key
      • the payload
      • a hash
      • the signature created by the seller using their private key.

The transactions are broadcast to the network, buying and selling included. These transactions can take place through various methods; for instance, digital currencies could be purchased online, whereas to sell, you may have to use Bitcoin ATM and other ideas, which you can learn on Coin Cloud or similar company blogs.

The nodes or miners continuously work to assemble a defined number of transactions and create the next block.

The chain’s role is to record the providence of an asset and the immutability of all the associated transactions.

    • Each active node or miner is attempting to create the next block.
    • The mathematics involved and the use of hashes to bind this new block to the existing blocks in the chain is beyond the scope of this blog.
    • Let us simply assume the mathematicians and cryptographers define as part of the original design of each chain an infallible solution to the issues of economics, security, integrity, and immutability.
    • These specifications will define the hash game and how one adds the next block to the chain retaining the immutability of the present and the past

By being the first to calculate the cryptographic nonce

The winner receives a reward.

    • Hopefully proportional to the cost of work or other discernable and agreed method of reward.
    • The other active nodes then test to see if they agree the first got it right.
    • If consensus is reached the new block is appended to the chain.
    • This all assumes 51% or more of the miners or nodes reach consensus on the winner’s answer. And no one can control 51% or anything closer than 33%.

Around and around the game continues, as transactions are added and immutably recorded on the chain.

This whole process fundamentally assures history cannot be altered.

Chains split and fun things happen

If the process is not elegantly managed in full sight of all the participants.

Biometrics are great as long as we understand.

Biometrics are probabilistic, therefore not 100% accurate every time

They should not be shared in central databases. If they are there must be safeguards and strict privacy policies associated with their use

The better approach is to use the biometric to unlock your device or prove you are present.

Your device should then be cryptographically authenticated by the relying party.

The relying party should maintain a list of devices (Authenticators) you register.

The device proves uniqueness.

The Biometric proves presence on that unique device at that moment in time.

Frictionless authentication of the device.

Active verification when the risk demands assurance of the individual who is authorizing or instructing.

Biometrics – Do we end up in a surveillance state

http://www.planetbiometrics.com/article-details/i/10211/desc/guest-post-experience-a-seamless-lifestyle–idemia/

https://www.aclu.org/other/whats-wrong-public-video-surveillance

https://www.govtech.com/policy-management/Study-Surveillance-Cams-Worth-Money.html

As we think about the world we are living in and the world we want to live in. We must balance friction and convenience against the potential risks which will emerge as technology blossoms and expands to touch ever part of our lives. This morning I got a text informing me of the 200 million cameras the Chinese had watching their citizens. I immediately remember the CATV system in London and

CCTV Camera technology on screen display

what parts of the City it covers. Its goal record everyone’s movements to protect against terrorists. Airlines are talking about ticketless travel and some are speaking of passport-less and ticketless airports. We wonder if Alexa is recording our every word and we know our PC, Tablet, Baby monitor & mobile phone cameras and microphones can be used by: who knows who, to watch who knows what, whenever they so please?

Is this the world we want to live in? Or would we prefer our cities to enact laws like those recently enacted in San Francisco. This law is meant to ban the use of these various cameras and listening devices from being used to identify everyone they see or hear.

This conversation then immediately bleeds into the question of our right to privacy. With all that the internet offers for free and what all these devices are capable of sharing; we’ve given our privacy away.

How often do you wonder why the ads you see seem to attempt to sell you exactly what you recent read about? How often do you wonder why you no longer can easily find the site you are looking for? Instead you have to filter through the search list to get past all the ads. How many of us even understand the information people can glean from what we do and were we are; when we use or carry our devices around?

On one side of the discussion is reality. As has been the case for as long as I can remember.  TV, radio, newspaper, magazine, browser, social media, much web content and mobile app are funded by advertising dollars. Spent by those who want to convince some of us to buy what is on offer. It is these advertising dollars which pays for the content and ultimately decides what will survive the test of time. On the other side are the politicians, regulators, lobbyist and corporations who are focused on one thing. Helping people prosper or worse protecting some so they can continue to prosper.

The acquisition of wealth, the construction of infrastructure, the destruction of our enemies or the support for those without; is all about money.

If we seek to protect our privacy and be assured, we will not live in a surveillance state. We must be willing to read the fine print and be ready to pay for what is now free.  We must be ready and willing to take the extra time to pull out our passport, enter our user name, present our boarding pass. We must insist on the necessary friction to protect our identity and our freedoms.

If convenience is what we insist on.  Be assured, companies will happily build solutions to remove friction. Beware, removing friction, when it comes to  your identity or privacy, means you will allow people and organizations to collect and store everything they can about you/  Their goal to identity you and without friction, with the purpose of serving you or better said profiting from your actions.

All of this is more than the Uber experience.  Uber recognizes your phone and account not you.

This will be a world where the system behind the camera will see you, compare your face to all the faces on file and determines it is you. Therefore, knowing who you are, it can do what it is told to do; because it is you.

Smart Cards with Fingerprint Scanners

Over the last couple of years the reality of fingerprint cards is a hot topic in conversation, white papers and press articles.  It led me to think about the challenges and opportunities associated with this intriguing convergence of technologies.

My purpose is not to determine which solution is best or which companies are developing and selling them.  My goal is simply to explore.

The first consideration begins when the card is constructed.  Here we must ask the mechanical question relative to how the electronics are integrated into the strata of an ID-1 card.  This then begs the question of making sure this new card conforms to the specifications dictated by Payment, Networks, Governments or other bodies who define the use of these branded cards.  If we continue to think about the card manufacturing process we need to think about electronics and the use of heat in the typical lamination process or the inclusion of metallic materials used to create a particular look.  One needs to think about the method of connecting the various internal components to the other electronic elements  as the fingerprint scanner, antenna(s)m LEDs, batteries, the EMV chip or contact plate on the face of the card.

The second set of concerns must be related to the personalization of the card.  First question is where will it be personalized? in a branch or within a bureau?  How will it be personalized? With a thermal printer, laser engraver or embossing machine?  Will any of the  personalization processes adversely affect the electronic?. Similarly it will be appropriate to confirm whether any of the various card transport mechanisms will disrupt or damage the sensor and related electronics.

At some point in the processes the consumer must register their fingerprint and the resulting template must be instantiated into the card.  How will this be done?  Some speak of an in branch process.  Others talk about some type of first time cardholder activation process performed when they receive the card in the mail.

Clearly there are a lot more questions the issuer, card manufacturer and personalization provider need to address.  Let alone the method of making sure the cardholder knows how to use the card at the point of sale or ATM

The key question is the cost of the card, is it worth it?

Where are we going

Each morning I read trade articles on Blockchain, Faster Payments, Mobile Wallets, Authentication, Identity and other alerts & subjects of interest. Each day the writers leave me thinking about the future of society, howbwe will address cyber security, what we can do to funally eliminate fraud and which solutions will help us to mitigate risk. These then drives concern about where we will end up, as we drive to define effective means of identity and authentication, capable of supporting the individual desire for convenience and gratification.

Facial recognition deployed to speed up entry and exit to and from countries and through airports are here. The surveillance state is emerging at alarming speed. These same cabilities could potentially deliver a safer environment. Which will it be?

Physical and behavioral biometrics many feel should become the primary means of authentication. Yet, false acceptance and more importantly false rejection will result in inconvenience some expect the consumer to tolerate while other remember friction typically ends up with the consumer abandoning the journey.

The cost of payments, the escalating concern of the retail sector, remund us thatnpayments are sourcesnof revenue for some and friction for others.

Identity theft and the ability to create synthetic identifies are the fears of many. Consumers whose identity is stolen struggle to regain their standing.

In the end all we seek is:

  • Pay for something
  • Identify ourselves
  • Protect our hard earned money
  • Live a safe and productive life
  • Be assured you are you and not someone else

Proofing or Identity Verification is the Key to any Relationship

When we consider our activity in cyber space  and even in in person.  The most important element is the relationships we develop.

If we consider the characteristics of a relationship, we need to think about the question from the perspective of each of the two parties.

  1. The relying party: be it a bank, merchant, club, government, employer or other operator of a website or facility; are interested in serving, selling and supporting the user
  2. The user: be it a individual, consumer, citizen or employee; are interesting in accessing information, exploring, shopping, browsing, communicating, sharing or otherwise enjoying something.

A relationship can then either be enduring or can be that of a guest.

  • The user wants to know if the party they are attempting to engage with is who that party claims to be.  Rely party simultaneously needs to believe the individual is who they claim to be.
  • What the users identity is or better said what attributes of user’ identity are necessary is down to the objectives and longevity of the relationship.

Being assured of these truths is what proofing or identity verification is all about.  Data privacy and need to know then filter into the conversation.  This then needs to be balanced against risks the relying party and the user are taking,

With all of this in mind each party can decide what level of identity verification is required.  This task is all about how one balances privacy, convenience, security and risk.