Something to wonder about

What You Have

The Two Sided Market

When we think of investing in various macro business needs e.g. revenue. We see that establishing relationships with customers to stimulate sales is why we create the goods and services, hopefully, others want.

If the buyer has something the seller wants, in exchange for the good or service they desire, then a transaction occurs. The challenge is simple, each party defines the value of what they are providing or exchanging and presto the trade occurs.

When society grows and the complexity of what each of us produces and when our needs are not aligned to this process called barter, a means of monetization is established. Society creates a trusted form of exchange – pebbles, coins, money, a promissory note or now even cyptocurrencies.

In other words, society creates an answer to enable the exchange of goods and services between parties who do not have goods and services the other party seeks in exchange.

With cash, coins or other trangible representations of value, commerce is easy. When we complicate things and worry about carrying cash and seek to buy things with debt. A need for a Network emerges.

These payment networks, by necessity, add complexity. They create the need to establish two sides to the market, one focused on the relationship with the buyer and the other with the seller.

Issuance and Acceptance. Two words to descibe the two sides of a network. It’s only when the two sides of the market have sufficient participants. Only at the tipping point, enough critical mass exists, to create a self sustaining network. This is the network. At this moment the network blossoms. If either side of the market does not achieve critical mass, the network collapses.

Any two entities familiar and trusting in the Brand, or each other, can easily establish a temporary relationship. Adding anonymity to the requirements, increases the leave of trust and recognition the Brand must establish.

In a digital environment we have to define mechanisms to share and establish trust across trillions of electrons. The two sides will not pursue understanding of nor focus on security. Until the risk exceeds a threshold unique to each party on either side of the market.

To often in the past, the idea of the individuality of the individual or the need to design security in from the beginning. Has left us with a legacy of system all needing design of custom approaches to how to integrate security with requisites necessary to capture, calculate and manage risk.

The Artifact of Trust

When a mutually trusted set of parties gives the citizen, consumer, employee or courtier a card, a device or an object and provides every acceptor with a reader capable of recognizing the trusted thing; then the two parties are in a position to establish “trust”. The consumer has a thing which is recognized and trusted by the acceptor. This is often referred to as “What You Have”.

Once the thing is recognized by the acceptor, then, the process of identification and authorizations (the transaction) can take place. The object – the artifact – carries an identifier. It possesses characteristics that establish its unique character. The object also posesses a means of assuring the acceptor the presentation of that identifier repreents a unique entity.

The simplest artifact of establishing “trust” is a hand held thing, be it a key, fob, card, watch, pendant, phone, ear piece. It does not matter what it is, all that counts is that the merchant recognizes it and that the consumer is willing to carry and present it.

Trust, for the merchant, means they can, according to the rules, recognize and authenticate the thing. They are then in a possition to pursue a temporary and trusted relationship. What can be achieved during the time the relationship of trusted is bounded, is the constrained by an additional layer. In this layer the consumer, the acceptor and any third parties address which the rights and privileges are to be granted or pursued. This is when the exchange, sale, conversation, tranaction, event or access is granted.

Two sides meet several common mediums of exchange are available.

[contact-form][contact-field label=”Name” type=”name” required=”true” /][contact-field label=”Email” type=”email” required=”true” /][contact-field label=”Website” type=”url” /][contact-field label=”Message” type=”textarea” /][/contact-form]

Digital Identity



Question for all those who advocate migration from card to electronic

We all are aware and many of us dream of a time when all of our physical identity artifacts are digital. We dream of consolidating these credentials in our electronic wallet, otherwise known as our mobile phone.

Today while visiting an outpatient imaging center, I was asked for my driver’s license. She would only accept the physical document, I offered to send an image by email. Her goal to scan my identity document into the electronic patient file she was creating. The idea of an image of the driver’s license in an email, well.

Sure the system could easily be changed to record digital credentials delivered by NFC or BLE. The first question, given the expensive medical system we have here in America; at whose cost?

Time could not be argued as a saving, she would only have saved a second or three of time to pass the card back to me.

People discuss contactless cards and contrast them to the convenience of a Mobile Wallet. What we often forget is the reality. As long as we need to carry other physical identity artifacts, the convergence of our leather wallet into our electronic device is not happening.

In my humble opinion, it is an all or nothing situation. Yes, I will add digital credentials into the mobile wallet. But, unfortunately, the leather wallet is still part of my attire.

Better still, it does not need to be recharged. My leather wallet still works after the phone’s battery has died.

Authentication or Identification

Two words Authentication and Identification.

Reading what Wikipedia had to say about authentication leads to an interesting array of discussions across a wide set of sciences and other social segments. The exploration led to a search for a definition of Identification:

  • The act of identifying, or proving to be the same.
  • The state of being identified.
  • A particular instance of identifying something.
  • A document or documents serving as evidence of a person’s identity.

Next exploring what Wikipedia had to say about Authentication leads to a much richer discussion aligned around the idea of assuring the truth of a particular attribute, someone is claiming to be true. Seeking to assure a degree of parallelism to the discussion:

Authentication is

  • something which validates or confirms the authenticity of something
  • computing proof of the identity of a userlogging on to some network

These two words: authentication and identification, some think represent the same act, yet when we bring into the conversation – privacy the two words have very different meanings.

We then have to think about the how and the what we are attempting to do.

In the physical world there are a set of situations and considerations. We will leave those for another article.

When we think about the digital world, this place were our physical presence is not present. We must find solutions that prove we are who we are without necessary needing another to vouch for our identity each time.

As a consumer we want the freedom to visit multiple sites and believe that where we visit and who we interact with is not open to all to know.

As I write, I can hear some say, all our stuff is known so why try to hide. They are correct and then they miss the concern – who knows. Not to get distracted.

Verification, a third word must enter into the discussion. In order for anything associated with only serving or sharing with a clear and identified party one needs to be able to provide Identity.

Digital Identity

Words to ponder as we think about the best way to secure our digital persona.

Identifier – A text string we use to uniquely identify ourselves to a relying party, person, government, employer, club or entity we wish to have or need to maintain a relationship with.  This group of entities hereafter will referred to as a replying party. 

Identity – We each are unique and have attributes 

Verification – A process the entity we seek to establish a relationship with uses to determine the truth of the attributes we share. One could argue this is or should be a mutual process.  Many call this identity verification or identity proofing.

Registration – When we take these three words identifier, verification and identification and think about the first time we present ourselves to a relying party in the global digital environment. We typically present ourselves through a user interface to the entity we are interested in establishing a relationship with.  We register and the relying party creates a record of our existence.  They seek to recognize and record our identity.

This process typically requires us to invent or the relying party to present us with a unique identifier and agree to identify ourselves with this unique string, often called a user name, email address, bank account number, social security number, employee id, passport number, drivers license number or payment (card) account number ‘PAN’.  The ultimate goal of registration is for the relying party tonassure themselves we are unique and that the attributes we share are linked to our person. They verify our identity.

Today the challenge is to find an efficient, convenient and none intrusive method of Verification.

Authentication – We exist, we can be recognized and are able to present oneself over and over again to the relying party, using our identifier.  The challenge is how do we prove or assure our identity to the relying party each time. We need to authenticate ourselves.

Identification – Many confuse the dialogue above with this word.  The difference is how we present ourselves or better said how the relying party expects us to present ourselves.

With the wide use of biometrics and  many of the identifier we spoke of earlier, our identifier many not simply be some random string.  A biometric is personal and linked to our body or actions.  This biometric can be converted into an identifier and therefore once accepted as genuine and integrates the act of authentication into recognition of our identity.

Certain identifiers create a level of assurance, because the relying party trusts the attributes it asserts based on who issued that identifier.  They are willing to trust in our identity and associated attributes because of the verification done by the isuing party.  It a passport, an employee id, bank card or a drivers license.  The instrument has characteristic, privileges and attributes linked to the issuing party, not simply attributes associated with the individual.

As we move from a physical world to a digital world.  As people seek to use our identity to present themselves as someone they are not.  As we seek to separate the various relationships we establish.    Requires that we find ways of assuring our privacy while securing our relationships.  All this demands we find more secure methods of authentication that are convenient. 

Money 2020 – 2017 – Las Vegas – Wednesday Digital Identity and Payments

With David Birch We asked the Question.  Identity – Authentication – Identification – Authorization and ultimately verification, where are we.

Simple.  We have the technology.  We have the standards and more are coming.  Authenticate, is done, use FIDO.

Identification with Biometrics is illuminatingly possible.  Even the one I know how to spoof, Voice, with other factors layered in, does the job very well.

The challenge is Privacy and Confidentiality must be inherent while regulatory practices must be incorporated.

PA&A Money 2020 FINAL

 

 

 

 

Philip Andreae & Associates is Open for Business

With decades of experience in public speaking, management, payments, information technology, cybersecurity, business development and marketing; Philip Andreae is available to help you and your team develop and implement your products and business strategies.

NSTIC and EMV should merge

October 03, 2011

Cyberspace trust: Proving you’re not a dog

A very real discomfort underlies the classic joke: “On the Internet, nobody knows you’re a dog.” How can you prove your own identity and confirm the identity of others during virtual interactions? Every time you reach out to a friend on Gchat, post on a classmate’s Facebook wall, or send money to a colleague via PayPal, you are relying on a key assumption: that the person you’re reaching out to behind that Gmail address, Facebook profile, or PayPal screen name is who they say they are. Without this baseline confidence, online interactions and commerce would be paralyzed.

http://portalsandrails.frbatlanta.org/2011/10/cyberspace-trust-proving-youre-not-dog.html

Philip thinks:

  • The next step is to merge the identity sought by everyone and easily relegated to the Banks to manage.  Facebook and GMail offer an option if their KYC can be improved.  With face to face meeting it is possible to truly prove identity, requiring a branch network.
  • Transaction processing is legacy in the developed world while the emerging economies offer an opportunity to build new.  Existing standards and processes need to be respected as they transform to absorb the new information attachments and Internet offers we now need to cope with.
  • The Wallet forms the basic unit to create a trusted network employing smart cards, trusted computing, persistent computing and inteligence to enable the consumer experience.
  • Privacy and integrity of that trust is essential to the system
  • The individual is key
  • Respect rights and obligations

 

 

 

 

EMV is truly becoming the base for secure Card Authentication and Cardholder Verification

INCREASING EMV CARD AND TERMINAL DEPLOYMENTS CONFIRM EMV AS GLOBAL PAYMENT STANDARD
06 October 2010: As of 1 September 2010, over one billion EMV®* cards and 15.4 million EMV terminals were active globally. These are the latest EMV deployment figures reported by EMVCo, the EMV standards body collectively owned by American Express, JCB, MasterCard and Visa.

http://www.emvco.com/download_agreement.aspx?id=561