Where are we going

Each morning I read trade articles on Blockchain, Faster Payments, Mobile Wallets, Authentication, Identity and other alerts & subjects of interest. Each day the writers leave me thinking about the future of society, how we will address cyber security, what we can do to finally eliminate fraud and which solutions will help us to mitigate risk. These then drive concern about where we will end up, as we drive to define effective means of identity and authentication, capable of supporting the individual desire for convenience and gratification.

Facial recognition deployed to speed up entry and exit to and from countries and through airports is here. The surveillance state is emerging at alarming speed. These same capabilities could potentially deliver a safer environment. Which will it be?

Many feel physical and behavioral biometrics should become the primary means of authentication. Yet false acceptance and, more importantly, false rejection will result in inconvenience that some expect the consumer to tolerate, while others remember that friction typically ends with the consumer abandoning the journey.

The cost of payments, the escalating concern of the retail sector, reminds us that payments are sources of revenue for some and friction for others.

Identity theft and the ability to create synthetic identities are the fears of many. Consumers whose identity is stolen struggle to regain their standing.

In the end all we seek is:

  • Pay for something
  • Identify ourselves
  • Protect our hard earned money
  • Live a safe and productive life
  • Be assured you are you and not someone else

Proofing or Identity Verification is the Key to any Relationship

When we consider our activity in cyberspace and even in person, the most important element is the relationships we develop.

If we consider the characteristics of a relationship, we need to think about the question from the perspective of each of the two parties.

  1. The relying party, be it a bank, merchant, club, government, employer, or another operator of a website or facility, is interested in serving, selling, and supporting the user.
  2. The user, be it an individual, consumer, citizen, or employee, is interested in accessing information, exploring, shopping, browsing, communicating, sharing, or otherwise enjoying something.

A relationship can then either be enduring or can be that of a guest.

  • The user wants to know if the party they are attempting to engage with is who that party claims to be. The relying party simultaneously needs to believe the individual is who they claim to be.
  • What the user’s identity is, or better said, what attributes of the user’s identity are necessary, is down to the objectives and longevity of the relationship.

Being assured of these truths is what proofing or identity verification is all about. Data privacy and the need to know then filter into the conversation. This then needs to be balanced against risks the relying party and the user are taking. This is especially important when employers are looking to recruit new employees. During the hiring process, having this sort of screening is important to establishing the candidate’s qualifications as well as creating a safe and secure work environment.

With all of this in mind, each party can decide what level of identity verification is required. This task is all about how one balances privacy, convenience, security, and risk.

More and more to secure our digital world

The behavioral economics of authentication

Password Management Remains an Issue — What’s Next?

These articles cause me to think about the future and how the consumer will ultimately respond to the changes now taking place in how we log in to a website. Yesterday, or better said 10 years ago, we all understood that simple user name and password: a single screen with a reasonably consistent user interface. Sometimes we might have to put up with two screens, one for the user name and the next for the password.

Today we are being confronted with a variety of methods to authenticate ourselves to the websites we frequent. Many register cookies on your machine, and when you’re told they need to be deleted, we are confronted with a second or even third layer of security and identity proofing. Often we are then told to wait for an email sent to some email address we once registered, or asked to enter the number we will receive in a text message to a mobile phone number we once registered. Some websites are using one of the various authenticators our mobile phones may now be hosting.

In my case, ignoring the various authenticators I have already deleted, I am using:

  1. Samsung Pass
  2. Google Authenticator
  3. Microsoft Authentication
  4. Norton Password Vault
  5. Samsung FIDO Certified “SIDF”, inside my Galaxy 7s phone
  6. email or text messages with a code I must type in
  7. Emails with a link as a means of verification

What is clear is there are start-ups and legacy technology companies busy trying to profit from authentication.

My concern is the consumer will be confronted with more and more as everyone claims they have a better widget capable of securing our digital world.

Why not come to consensus on a common approach to authentication?

Account Takeover should be the Banker’s concern

FASTER PAYMENTS, FASTER FRAUDSTERS

Another article published by PYMNTS.COM causes me to reflect on a discussion I had last week at the Payment Summit organized by the Secure Technology Alliance. When the US Faster Payments work groups were stood up, one of the working groups focused on security, yet no particular drive exists to protect the consumer or the corporate treasurer from their account being hacked into by some phishing, vishing or other criminal act. Account takeover will become a much more interesting attack vector. Moneys will irrevocably flow out of the hacked account and to whatever account the criminal so directs them.

Key word: real-time gross settlement and faster payments depend on the irrefutability of the funds. Once executed, they instantaneously transfer to the receiving party. What is required is a concerted effort to implement strong multi-factor authentication, at least at the time the transaction is authorized by the sending party. Some will say the risk is no greater than what exists today when a consumer or treasurer executes a Wire Transfer or any form of transfer between two financial institutions. This may be true. The availability and assumed convenience will, as the article described, lead to heightened risk.

As I have written in other blogs, we need to embrace strong Multi-Factor Authentication. The standards exist, and the security of the device in many cases is present. Relying parties need to decide security is worth the investment. They need to recognize the value of satisfying the consumers’ need to have access to their funds properly protected.

Multi-Factor Authentication – Faster Payments and the Immutability of a Transaction

Biometrics carry risks.

Hacking Our Identity: The Emerging Threats from Biometric Technology

As I skimmed through this article I was reminded of the reality of biometrics. It is a statistical algorithm designed to compare what was registered to what was just sensed. It is an imprecise process. The author reminds us of the importance of our identity in each and every interaction we engage in. She further ponders the question of the potential threats to the biometric solutions that countries, people and enterprises are embracing, as we work to address the questions of Authentication and Identification in our complex digital and physical world.

The article asks the questions:

  • Do the countries and enterprises understand the technology and processes used to support biometrics as a means of authentication?
  • Do they appreciate the need to secure and protect this most sensitive of data?
  • Is the data they store able to be used to compromise the individual or the integrity of that which it seeks to protect?
  • Are we at risk of creating a surveillance society?

Finally there is the question of the accuracy of biometric matching. It is interesting to observe the comparison of the accuracy of biometric matching to PIN or password matching. We all recognize the challenges of PIN and password. It is not the concept; it is the question of how many complex PINs or passwords the human mind is capable of retaining without writing them down or storing them someplace that can be compromised.

As I have argued in other blogs, the answer must be in the possession of something unique which has a False Reject Rate (FRR) and a False Accept Rate (FAR), both approaching zero. Clearly the PIN or password has such a characteristic; the challenge is in remembering so many. An object or a thing, “Something You Have”, be it a card, phone, watch or bracelet with a Restricted Operating Environment inside (e.g. secure element, TEE or TPM), secured using strong cryptography and paired with a biometric, makes the most sense.

Identifiers, Tokens and Authentication

Often times I have wondered why everyone is so enamored with Tokens and Tokenization. Some time ago I begged the question of the broken token in a presentation to the Smart Card Alliance.

My premise is simple.

Identifiers are not authenticators. Replacing the identifier with a token as a result of turning an Identifier, the PAN, Social Security Number or other identifying index value, is a bandage on a festering mistake.

What we need to do is address the challenge of authentication in a convenient and frictionless way. Having to protect an identifier was the issue that created PCI and the whole issue of PII data. The Identifier should not need to be protected. It was and still should be an index and means of recognizing the relationship the relying party has with you. The authentication function is to make sure the person linked to that identifier is you!

User name: Identifier

Password: *********

Was not a bad start. Single factor authentication “what you know”.

Given the number of relying parties we all maintain relationships with, it is time to retire the password. Introducing “what you have”, a secure thing (be it a chip card, fob, mobile phone or personal computer), and exploiting the power of cryptography, then adding a second factor, a password or PIN, is a great first step. Changing the PIN or password to a biometric is a great leap into a truly secure environment.

The Key is to embrace the first factor “What You Have” a true token.

SCA Workshop Tokenization - 2015

We are here to help you figure out the right approach for your organization.

Multi-Factor Authentication – Faster Payments and the Immutability of a Transaction

Karen Webster
CEO, Market Platform Dynamics
President, PYMNTS.com

Karen,

Last week in your publication I read the article Deep Dive: Security In The Time Of Faster Payments and I had to offer the following thoughts:

The concept of Multi-Factor Authentication is based on the idea of layering multiple authentication techniques on top of each other.

We typically speak of three factors “What You Have”, “What You Know” and “What You Are”.

When we think of “What You Have” we think of a “Thing”.  An object that cannot be replicated or cannot be counterfeited.

An object “a secure computer” that can be upgraded and made more secure as threats like Quantum emerge.
A unique object with a False Reject Rate FRR and a False Accept Rate FAR approaching zero.

In the physical world “the thing” is a card or passport.  You will remember our first discussion, we came to agree the “secure computer” embedded inside provides a future proof mechanism.  In the digital world, we depend on Cryptography.  This Thing, inside our computers, mobile phones and other technologies; many refer to as a ROE “Restricted Operating Environment”.  Technology people may call it a Secure Element, a SIM, an eSIM, a TPM, a TEE, an eUICC or even Security in Chip.  Companies like ARM specialize in creating the design of these things and silicon manufacturers embrace and license their designs.

Today these connected devices (be they personal computers, identity & payment cards, fobs, mobile phones, bracelets, watches and hopefully every IoT device) need to be secured. This array of cheap ~$1 security circuitry provides a place to create and/or store private keys & secret keys, perform cryptographic functions and assure the integrity of the BIOS and software being loaded or currently running in these computers.

Think Bitcoin for a second.  The key to its architecture is the Private Key associated with your store of coins.  Lose it and they are lost.  Many people store these in hardware, based on the use of a ROE.

The second factor is all about proving that you are present.  Behavior, location, PIN, fingerprint or passwords are second or even third factors, be they something you know or something you are.

This is what FIDO and WebAuthn are all about, especially since they are introducing the security certification regime. This is what the Apple Secure Enclave is, and what Samsung and others embed into their devices. This is what we put into payment cards, government identity cards and the Yubico keys we see various enterprises embracing. This is what Bill Gates started talking about in 2002.  BILL GATES: TRUSTWORTHY COMPUTING

As we move to Faster Payments we must move to Secure payments. Immutability and irrefutability become key requirements. To achieve this goal I suggest we need to understand one fundamental security principle.

The First Factor
is Something(s) You Have
My Thing(s)

The Second and Third factors
Prove You Are Present

Storing Biometrics in the Cloud
Creates a Honey Pot
And, begs questions of Privacy

Let me identify myself to My Thing.

Then let My Thing
Authenticate my presence to
The Relying Party (Bank or Credit Union)

Authentication, Trust, Identity and Identification

This week the following title caught my eye: Why Authentication Needs to Simplified for Users and Organizations. As one of those users who wants authentication to be easier, I was driven to reflect back on what companies have offered as mechanisms to secure this amazing landscape called the World Wide Web or the Internet. Each of the four devices on the right are samples of the primary factor “What You Have”. They date back over 25 years and each included a Secure Element, currently referred to as a Restricted Operating Environment (ROE). The one with the keyboard was issued to me by my European bank in the 90s. It was used as step-up authentication to secure the transfer of funds.

Cumbersome to say the least. I had to enter a PIN, then a number displayed on the screen, then type the number displayed on the LCD into a field on my personal computer. What I always asked myself was: why can’t they integrate that thing inside my keyboard or laptop?

Reflecting forward and thinking about what we have to do today to authenticate ourselves, we are confronted with a myriad of solutions, each different, each claiming to be the right answer to the wider question. Secret questions, PINs, patterns, passwords, an SMS or email with a one-time passcode, the Google authenticator, the Microsoft authenticator, the FIDO U2F keys, the fingerprint sensor on my phone, the camera on my desktop, how I use my mouse, where I am located, is there a cookie in my machine.

On top of all of those commercial solutions, there are numerous demo authenticators clients and prospects have asked me to look at.

Each different.

Each requiring the user to appreciate when and how to use it.

What is the answer? First we must agree on the requirements.

  1. Convenient
  2. Intuitive
  3. Easy to Integrate
  4. Secure

Starting with secure: it must be able to offer a unique method of authentication that cannot be spoofed, counterfeited or otherwise compromised. It must have a false accept rate approaching zero and a false reject rate also approaching zero.

As it relates to easy to integrate, the people who manage IAM (identity & access management) systems, computers, and applications need to be able to replace, quickly and with a minimum of effort, what is now used to identify and authenticate the user with something new.

Intuitive: this is the real challenge. There is a variety of users that must be considered. Are they willing to learn or capable of making the leap? We hope they will.

Finally, convenient, which demands fast, easy, memorable and even something that is device independent.

How did we get here? Nobility provided individuals letters of introduction, sealed with wax and a signet ring to confirm the origin. This letter assured the attributes, capabilities and identity of the carrier. We trusted because of the seal we recognized.

We, one of 7 billion people on this planet, have more contacts on LinkedIn, Facebook and a myriad of other social networks than many towns and cities when a ring and wax was an effective means of authentication.

Today we carry a number of documents, each designed to provide proof of our identity. We simultaneously expect schools, employers, friends and other agents to be ready to offer proof of our claims. Did we graduate? Did we work there? Are we of good character? Did we receive a particular certificate?

Insurance companies, airlines, merchants, hotels and banks all provide cards and other means of identity, each designed to inform someone of our rights, privileges or capabilities.

But, and this is a big but, we do not have an effective and convenient way of sharing these rights, attributes, and privileges on the internet. We let people identify themselves with user IDs and passwords. As the number of digital relations grows, the challenge of maintaining secure passwords gets worse. As phishing and vishing attacks got more sophisticated, the risks, fraud and losses escalated.

We understand these challenges, helped to secure card payment systems, were involved in defining new authentication standards and have seen and been exposed to way more ideas than necessary. Happy to help your organization secure your consumer and employee relationships.

Making you you – A question of Identity

The Economist | Making you you https://www.economist.com/node/21755427?frsc=dg%7Ce

An intriguing question: who defines our identity? Is it the certificate we may or may not have which was issued to our parents at birth, assuming some entity has that role? Who is this entity with the right to guarantee you are you or I am Philip?

When we hear of the challenges some must deal with in order to vote, we quickly realize it is others who hold the ability to define our identity or for that matter alter or erase our identity.

This article explores the history of systems developed to create means of linking an individual to the assets, obligations and rights they possess. What is clear is that it is another who defines and establishes society’s means of establishing your identity.

As we move into the world of virtual identity there are those who are and have sought to assume what often was the role of the village elders, the church or most often the government.

Are we the people comfortable with these technocrats, in it for profit, becoming the ordinators of our identity? Clearly advertisers and those seeking to take advantage, happily collect data about us and will happily use this data to push us to buy what they want to sell or take advantage of us in ways we may not be able to recover from.

For those of you inclined to think about the question of identity, I recommend reading what The Economist has to say.

Disruption or the Reality of Legacy

Often times people speak of disruption as this traumatic thing being imposed upon them, their industry or society. Yet, if we look under the covers disruption more than likely is all about a competitor, not locked into a legacy approach, approaching the market with different tools.

The world of payments, like so many others, has implemented technology then gone on to enhance or update it multiple times. Each time, someone or some group of people had to adapt and therefore invest to keep up. More often than not, a community would decide to hold on to what they built some time ago, hoping no one tried to disrupt the status quo.

With payment, the need to embrace more effective approaches parallels the robustness and frequency of transactions. It also parallels the desire of sellers to do business with anonymous buyers. A lack of trust and a need to reduce the amount of cash we carry drove markets to promissory notes. These promissory notes further evolved, as trusted intermediaries entered the market and created more efficient methods of providing that guarantee of payment. If you are still a little in the dark about what these are, you can Google questions such as “what is a promissory note?” “What are the elements of a promissory note?”, etc. so you are fully up-to-date with the information that you need.

Not wanting to duplicate what is already written about the history of money and payments we can jump forward through the paper phase to where we are in North America: Cash, cards, some checks and electronic debits & credits.

If we look inside the evolution of legacy, we find that what we have is a stumbling block, holding innovation back. We need to decide whether to adapt what exists or remove and replace it.

Digital Identity and Multi-Factor Authentication, A Necessity in an Increasing Digital World

Last night November 8, 2018, Bryan Cave Leighton Paisner hosted the Atlanta Chapter of BayPay’s

Digital Identity and Multi-Factor Authentication,
A Necessity in an Increasing Digital World

The panel moderated by Philip Andreae, Principal at Philip Andreae & Associates included:

  • Clay Amerault, First Vice President, Digital Delivery Lead at SunTrust
  • Blair Cohen, Founder, Chief Evangelist & President at AuthenticID
  • Jennifer Singh, Innovation Specialist & Digital Identity Strategist at Thomson Reuters
  • John Dancu, CEO at IDology
  • Vivian van Zyl, Senior Product Architect at FIS

The panel focused on the need to address Digital Identity and Authentication with a clear focus on the user experience. The discussion considered the balance between friction and security. All of the panelists articulated the demand for convenience. The audience questioned whether it is the desire, or the demand, of the American consumer.

All agreed, the key issue, as we move towards digital only relationships, is the challenge of Identity Proofing. The panel also reminded the audience to layer various techniques in order to recognize the presence of the right user and the need to incorporate various fraud mitigation strategies to manage risk and assure identification. In addition to that, it becomes important to have data trails and access history in place to determine and log all access to as well as use of information by employees of the organization or external parties. This can be considered a critical step in resolving any identity fraud or data theft issues that might occur within the company; partnering with trusted digital forensics teams can ensure that the right information is extracted and a proper case built against the attacker.

Some of the participants asked if we should start educating the consumer and help them to understand the balance between a frictionless experience and one where a degree of friction is a symbol of how the enterprise (relying party) demonstrates its concern for the consumer’s data and its responsibility to protect the consumer’s assets and identity attributes.

The question of centralized biometric databases versus distributed biometric databases reminded people of the reality: our data, attributes and identity are already available on the Dark Web. How we restore privacy, and what will happen as the new GDPR regulations go into force in Europe and as California moves to introduce its privacy legislation, requires each of us to watch carefully and be part of the move to restore the consumers’, OUR, right to the data that is us.

of Identity and Authentication in a Connected World of things.

Various engagements and conversations pull me into thinking about the realities and the necessities of this emerging world of connected people, objects and thoughts.

Looking back, this topic has been part of my life since 1982, when I was first introduced to the concept of a smart card. At that time we spoke of using the smart card to securely configure a trading deck on Wall Street and in the City of London. The goal: securely and automatically configure the voice, video and digital support for a particular market trader.

In 1993, when I was tasked to drive the development of EMV, we could have talked about the fact we were creating a means of secure digital identity: a trusted identity document based on the trust that existed between the cardholder and the financial institution.

Instead we talked about:

  • Card Authentication “the CAM” now Data Authentication to assure the card was unique and genuine.
  • Cardholder Verification “the CVM” to verify the right user was presenting the card.
  • Card risk management to allow the issuer to support authorization in an offline world.
  • Should we include an electronic purse to support low value transactions?

Today the debit card could easily be enabled as a secure means of digital identification, with the Financial Institution being the trusted party. Simply knowing the public key of the international or domestic debit card payment scheme allows the party reading the card to know the person was issued this card by that financial institution.

While we in financial services focused on our requirements, the telecom industry was working on the SIM & GSM specifications under ETSI leadership. They created another form of Secure Digital Identity. They focused on securing the identity of the communications channel and were less worried about making sure the right consumer was present, although there is the ability to allow the user to lock the SIM and now even the mobile phone.

In 2013 I had the opportunity to join the FIDO Board. Within that body, the objective was to separate the concept of identity from the act of authentication. It works from the premise that as digital relationships expanded, the use of passwords and PINs becomes an issue. The FIDO Alliance also recognized that the only way to secure our digital world, like we secured payments and mobile communications, was with the introduction of multi-factor authentication rooted in the belief that the first factor had to be “What You Have”: a secure element / enclave, TEE, TPM … capable of generating and/or storing secret (symmetric) and private (asymmetric) keys unique to the object and, more importantly, unique to the relationship.

Clearly identity and authentication are essential to secure relationships. And, in a digital world, communication is the mechanism that connects people and things together.

Helping consumers manage their relationships while assuring privacy is an interesting angle. If I am understanding your platform, at least at the level of the subscription for telecommunications services, this is what you are helping to manage.

Anyway. Back to the pitch. I would like to see about scheduling another conversation and figure out if there is anything I can do to earn an income and create revenue for you.

From Password and PIN to Biometrics

The Evolution of Authentication

When first we sought to create secure and convenient means of identification, we relied on user names paired with passwords and PINs. These values are typically stored centrally within the relying party’s database. Often, these values are encrypted at point of entry and, once received by the relying party, passed through a one-way function before being stored in the database. This use of cryptography, to encrypt the PIN or password in transit and perform the one-way function before storing the result, is simply to prevent the PIN or password from being captured in transit or reverse engineered.

Each time the user logs in, they enter their password or PIN; it is received by the relying party, run through the same one-way function and compared to the value stored at user registration.
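The register-then-compare flow described above, as an added example that is not part of the original post. The per-user salt, PBKDF2-HMAC-SHA256, the iteration count and all function names are assumptions chosen for illustration; the unsalted `weak_record` is shown only to make visible why the one-way function alone is not enough.

```python
import hashlib
import hmac
import os

# Assumed work factor for PBKDF2-HMAC-SHA256 (not a value from the post).
ITERATIONS = 600_000


def weak_record(password: str) -> bytes:
    """Unsalted, fast one-way function: equal passwords give equal records,
    so one precomputed table attacks every user in the database at once."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def register(password: str) -> dict:
    """Relying-party side at registration: store salt + slow one-way result.
    The password itself is never stored."""
    salt = os.urandom(16)  # unique per user, stored in the clear
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS
    )
    return {"salt": salt, "iterations": ITERATIONS, "digest": digest}


def verify(password: str, record: dict) -> bool:
    """Relying-party side at login: rerun the same one-way function with the
    stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["digest"])


if __name__ == "__main__":
    # Constructed sample: two users who picked the same password.
    alice, bob = register("correct horse"), register("correct horse")
    print("weak records equal:  ",
          weak_record("correct horse") == weak_record("correct horse"))
    print("salted records equal:", alice["digest"] == bob["digest"])
    print("login ok:            ", verify("correct horse", alice))
    print("wrong password:      ", verify("Correct horse", alice))
```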

Over the last 30 or so years there has been mounting concern as to the long-term viability of depending on the user being able to remember, create a unique & complex value and accept responsibility to frequently change their passwords and PINs, especially given the myriad of sites and digital relationships we each continue to establish.

To assure the integrity of passwords and PINs, the challenge is making sure the length and randomness create difficulty and minimize the chance someone can guess what the PIN or password is. By adding special characters and insisting on password and PIN policies, the relying party has attempted to reduce risk and the chance for rogue penetration.

Unfortunately, people forget their passwords, phishing & vishing attacks work, and key-loggers and other clever ways of obtaining the user name and password have increased. The threat of rogue intrusions and the resulting reputational and financial loss is out of control.

As these losses escalated, various techniques to support more secure authentication have been developed. The market always understood that if we could merge a unique object, something you Have, with a secret you Know or a biometric, something you Are, you would be able to establish a superb form of multi-factor authentication. Many, such as the ICAO, EMV and PIV specifications, embraced the idea of cryptography operating within a secure element or smart card. They further embraced the idea of loading the registered biometric rendering into the chip and incorporating the matching algorithm within the software. By then using an external PIN pad or biometric sensor, multi-factor authentication could be enabled. Unfortunately, at considerable cost.

In Europe, in order to secure access to websites, they looked to physical objects capable of displaying a one-time password as the answer. In some cases, the user had to first enter a PIN, then a number displayed on the screen, and then type the value displayed on the device into a field in the browser window. Something you have with a secret, a one-time password, unique to each event.
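The PIN, screen number, device code exchange described above (the same bank device recalled in the earlier post on simplifying authentication), as an added example that is not part of the original post and not any bank's actual algorithm. It assumes a symmetric key shared between device and bank and uses HMAC-SHA-256 with RFC 4226-style dynamic truncation; `Token`, `Bank` and `otp` are hypothetical names.

```python
import hashlib
import hmac
import secrets
import struct


def otp(key: bytes, challenge: str, digits: int = 6) -> str:
    """HMAC the challenge, then apply RFC 4226-style dynamic truncation."""
    mac = hmac.new(key, challenge.encode(), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F  # low nibble of last byte picks a 4-byte window
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Token:
    """Hypothetical hand-held device ("what you have"). The key never leaves
    it; the PIN ("what you know") is checked locally, never sent to the bank."""

    def __init__(self, key: bytes, pin: str, max_tries: int = 3):
        self._key, self._pin = key, pin
        self._max_tries = self._tries_left = max_tries

    def respond(self, pin: str, challenge: str) -> str:
        if self._tries_left == 0:
            raise PermissionError("token locked")
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            self._tries_left -= 1
            raise PermissionError("wrong PIN")
        self._tries_left = self._max_tries  # success resets the counter
        return otp(self._key, challenge)


class Bank:
    """Hypothetical relying party: shows a challenge, checks the typed code."""

    def __init__(self):
        self._keys = {}      # user -> shared key provisioned at issuance
        self._pending = {}   # user -> challenge awaiting a response

    def enroll(self, user: str, key: bytes) -> None:
        self._keys[user] = key

    def issue_challenge(self, user: str) -> str:
        challenge = f"{secrets.randbelow(10 ** 8):08d}"
        self._pending[user] = challenge
        return challenge

    def verify(self, user: str, response: str) -> bool:
        # Pop first: a challenge is single use, even if the response is wrong,
        # so a captured code cannot be replayed.
        challenge = self._pending.pop(user, None)
        if challenge is None or user not in self._keys:
            return False
        expected = otp(self._keys[user], challenge)
        return hmac.compare_digest(expected.encode(), response.encode())


if __name__ == "__main__":
    key = secrets.token_bytes(32)           # constructed sample key
    bank, token = Bank(), Token(key, pin="4821")
    bank.enroll("alice", key)
    shown = bank.issue_challenge("alice")   # number displayed on the screen
    typed = token.respond("4821", shown)    # code displayed on the device
    print("first use accepted:", bank.verify("alice", typed))
    print("replay accepted:   ", bank.verify("alice", typed))
```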

Clearly PINs and passwords carry with them two flaws. They need to be remembered and they need to be typed in. Biometrics, on the other hand, offer convenience and do not require the user to remember a complex set of characters. Fortunately, the size, cost and complexity of biometric sensors have decreased significantly and it is viable to integrate sensors into a user-operated device. The first company to offer a phone with a biometric fingerprint sensor was Motorola, quickly followed by Apple on their iPhone 5S. Today it is rare to find a mobile phone which does not include a biometric sensor and related algorithms.

Now with an identifier (user name), a device with a unique digital signature and the ability to support biometrics, all the virtues of multi-factor authentication and the wonders of biometrics such as: fingerprints, veins, retina, iris, EKG, behavior or selfies are available to assure the registered user is present.

All because the sensor can capture the biometric and software will render the output of the sensor into images, patterns or templates.  The sensor and the related software have unique characteristics as to how the matching processes work.  It then simply requires us to accept that the output of the sensor becomes the input into the matching algorithm.

The last concern: how do we measure the reliability of the biometric sensors and algorithms? To help people understand the reliability of these sensors and matching algorithms, there is an assortment of acronyms such as FRR, FAR and PAD. These three are the ones I am most familiar with. They measure and quantify the risk of false acceptance or false rejection and provide a measure of the assurance of life.
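How FAR and FRR fall out of a matcher's scores and its acceptance threshold, as an added example that is not part of the original post. The match scores are constructed for illustration (not measurements from any sensor), and the function names are hypothetical; the point it shows is that driving FAR toward zero by raising the threshold pushes FRR, the friction on the genuine user, upward.

```python
# Constructed match scores on a 0-100 scale; not from any real sensor.
GENUINE = [91, 88, 95, 79, 85, 62, 93, 97, 74, 89]    # registered user
IMPOSTOR = [12, 33, 41, 27, 58, 66, 19, 71, 45, 30]   # someone else


def far_frr(genuine, impostor, threshold):
    """Return (FAR, FRR) when a score >= threshold counts as a match."""
    if not genuine or not impostor:
        raise ValueError("need at least one genuine and one impostor score")
    false_accepts = sum(score >= threshold for score in impostor)
    false_rejects = sum(score < threshold for score in genuine)
    return false_accepts / len(impostor), false_rejects / len(genuine)


def sweep(genuine, impostor, thresholds):
    """(threshold, FAR, FRR) rows: the trade-off curve for this matcher."""
    return [(t, *far_frr(genuine, impostor, t)) for t in thresholds]


def equal_error_threshold(genuine, impostor, thresholds):
    """Threshold where FAR and FRR are closest (the equal error point)."""
    def gap(t):
        far, frr = far_frr(genuine, impostor, t)
        return abs(far - frr)
    return min(thresholds, key=gap)


def threshold_for_far(genuine, impostor, thresholds, max_far):
    """Lowest threshold meeting a FAR target, and the FRR it costs.
    Returns None if no candidate threshold meets the target."""
    for t in sorted(thresholds):
        far, frr = far_frr(genuine, impostor, t)
        if far <= max_far:
            return t, frr
    return None


if __name__ == "__main__":
    candidates = range(50, 100, 10)
    for t, far, frr in sweep(GENUINE, IMPOSTOR, candidates):
        print(f"threshold {t}: FAR {far:.0%}  FRR {frr:.0%}")
    print("equal error at:", equal_error_threshold(GENUINE, IMPOSTOR, candidates))
    print("FAR = 0 costs:", threshold_for_far(GENUINE, IMPOSTOR, candidates, 0.0))
```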

We now can leverage the biometric sensors in user devices

Paired with the assurance the device is unique

And be confident the registered user is present.

What Happens When the Lights Go Out

Since 1984, when I was told I needed to carry this mobile phone with me, there has been that nagging issue of needing to make sure it had enough life to get me to the next charge point. My first phone was lucky if it could last half a day, so they gave me two; one was always being charged while the other hung on my shoulder. In 1993, while working on the development of the EMV Specifications, we focused on the ability to authorize a transaction when the Point of Sale (POS) device was unwilling or unable to reach the issuer. In 2013 I listened to Visa representatives explain how 100% of all payment transactions could be executed online. Then I ponder getting a Tesla Model 3 and learn it is only capable of traveling a maximum of 310 miles, and it makes me wonder: how do I finish the last 19 miles to my father's home?

Today, I was reading an article emanating from the Money 2020 event when IDEMIA spoke of the idea of the mobile driver's license and that nagging feeling emerged. What happens when the power goes off after the hurricane hits and someone asks me for my driver's license? It's locked securely inside my dead mobile phone. I then saw that their competitor Gemalto and even NIST are working on this concept of the mDL.

We live in a world where electricity is becoming as essential as water and food.  Yet, we hear of power outages that last weeks and even months.

It is like with Mobile Payments: if the phone is dead and it must be alive in order to pay, then what? The card remains the essential element of a successful payment transaction.

I dream of the day when I can merge my leather wallet and my mobile device into one. Yet, I appreciate there are technical challenges like the need for electricity. Until we lead with these technical challenges and not simply the dream, exciting concepts and ideas will go where so many have gone before.

A Letter to Karen Webster of PYMNTS.COM

Karen, you come to mind off and on, especially when I’m trying to keep up with what is happening in the wild world of payments, block chain, cryptocurrency, identity, authentication, trust, identification and who knows what else.

One thing is clear. Lots of companies are investing significant sums of money in these various “opportunities”. Yet are we, as a society, on the right path?

We could look to Washington DC, and the other capitals around the world, and this same question would apply.  But, not to get distracted.

Let’s start with identity and authentication in the digital space

As you may remember, EMV was something I got deeply involved with, both here in the USA and back when we originally conceived of the specification. We, the three founding payment associations, had one goal: solve for counterfeit. And, when the issuer or country so desired, address lost and stolen fraud. We were focused on the physical world of commerce, the Point of Sale. Our original goal was simple: assure global interoperability by defining a global migration path away from the magnetic stripe. We mutually agreed we had to select a technology capable of protecting the physical token, the card, well into the 21st century.

Simultaneously, as was so beautifully captured by Peter Steiner’s famous 1993 New Yorker cartoon, we knew there would be an issue in the digital space, that thing we then called the World Wide Web. MasterCard and Visa set out to define the Secure Electronic Transactions (SET), then Visa patented a concept called 3D Secure and more recently worked together with the other owners of EMVCo to create EMV 3D Secure. Each of these attempts to find a meaningful way of authenticating the cardholder when they paid with a credit or debit card.

Today billions of identities have been compromised. The techniques used during an enrollment process online, to verify who you are, are no longer viable. Identifiers like our social security number and Person Account Number (PAN), unfortunately, became authenticators, a role they were never designed to support. As EMV was deployed, criminals shifted their focus to the Internet and PCI had to be introduced to address the challenges of criminals acquiring payment card and PII data.

As the World Wide Web morphed and grew in value and importance, the potential of monetizing the vast amount of data companies were collecting began to scare people, as this recently found comic so aptly demonstrates. People, governments and corporations started to struggle with their desire for privacy offset against the value of data corporations are collecting.

Way back then, an opportunity to address the issue was offered by Bill Gates. As is always the case, Microsoft, the then technical giant, wanted something to support what society would ultimately need. The idea of the social good was lost to the value of corporate profit and control.

As the Internet grew to become this marketplace, library, museum, cinema, place to play and place to meet and connect, we imposed well understood enterprise security techniques (username and password) on the consumer space. The password thus became our challenge. How do we convince customers (let alone employees) of the importance of complex, hard to remember passwords, unique to every security conscious relationship we establish on the World Wide Web?

Are biometrics the answer? Have the FIDO Alliance and W3C created a set of authentication standards we can all embrace? Hopefully. Unfortunately, most opportunists are seeking to monetize their often proprietary solution, creating what they think is a best of breed consumer experience.

My fear: we are moving from the familiar experience of typing our user name and password to multiple unique experiences at the front door of each and every web site we seek to log in to.

As an example, my Samsung Android phone has a fingerprint sensor and is FIDO certified. There is a Samsung Pass Authenticator, Microsoft Authenticator, Google Authenticator and several demo versions of various other authenticators. I also receive SMS messages with one-time tokens I am asked to enter onto the screen. My PC is also enabled with a set of FIDO U2F dongles.

Unfortunately my tablet has none of these and assumes I will simply remember, thank you Norton Identity Safe, my various passwords. What a mess we have created, all with monetization and the desire to offer a unique consumer experience as the justification.

With all those already installed, I await the introduction of WebAuthn within the various browsers installed on my PC, tablet and phone.

Moving to Block Chain and Cryptocurrencies

The wild west. The makings of a speculator's dream. The realm of the incomprehensible, built on complex mathematical concepts and the desire to remove the man in the middle and replace them with the miners and nodes distributed around the center. Or is the idea of the distributed ledger the solution to the challenges of trust in an ever expanding universe of connected people and things? One can only wonder.

People speak of removing central governments. Yet, they remind us that there is a governing body, book of rules and set of code that is designed to assure immutability. If I understand their logic, we should not trust governments; instead we trust these new open societies and digital enterprises? They speak of removing intermediaries and replacing them with nodes and miners: new players responsible for creating and signing the new blocks and distributing them to all those who maintain a current copy of the chain.

Is there potential? Absolutely. The challenge is to understand why one would wish to move data from a trusted central repository to a distributed trustless environment. Cost and latency should be part of the discussion and, most importantly, the level of trust the parties have with each other, identified intermediaries and governing bodies involved in the ecosystem.

Finally Payments

Barter, gold sovereign, IOU, government or bank backed notes and coins, checks, cards, account based solutions, digital coins and what next? Payments have been this ever evolving space. Some seek to monetize the methods businesses, consumers and governments use to pay for the goods and services they seek to acquire, use or explore. Others argue that the cost of payment should not be a source of profit. The interesting twist here is more about the stage an economy is at in its migration from one form of payment to another. Questions of legacy and history limit a market's ability to embrace the new and retire the old.

We could shift the conversation and focus on the store of funds: be it the safe in the wall, the checking or savings account at an institution or digital coins stored in digital memory. We could talk about the entities that focus on the experience and employ the already existing mechanisms. We could think about block chain, crypto currency, identity and authentication.

Does the consumer care? Or would we be pleased to simply hear the merchant say thank you for your payment? Consider the frictionless experience of getting out of an Uber car, or of clicking the buy button on Amazon: we know the payment will be made and that we will see a receipt in our email. Remove the friction and make sure that only what I owe is paid; that is the experience we seek. We the consumer are not interested in the detail. We just want to know we successfully paid, using the source of funds we set up as our default.

In Conclusion

Yesterday, with this blog incomplete, I listened to The Economist article titled Rousseau, Marx and Nietzsche – The prophets of illiberal progress – Terrible things have been done in their name. What grabbed my attention is that it spoke to the depth of my wider concerns. The article concludes with the following:

The path from illiberal progress to terror is easy to plot. Debate about how to improve the world loses its purpose—because of Marx’s certitude about progress, Rousseau’s pessimism or Nietzsche’s subjectivity. Power accretes—explicitly to economic classes in the thought of Marx and the übermenschen in Nietzsche, and through the subversive manipulation of the general will in Rousseau. And accreted power tramples over the dignity of the individual—because that is what power does.

As I think of our capitalist environment, I am concerned and wonder if the publication of the Economist article is timed to educate and alarm. The reality is we are experiencing a concentration of power leading to an increase in the distance between those in the upper 1% and those we call the middle class. Therefore, there is a need to think about what is good for the whole, yes a tiny bit of socialism, to restore balance to make sure the wealth and benefits accrue to all and not just the few.

As the identification, authentication and payment systems discussed above evolve, we need to think about the structure of how these solutions will be offered to the market. Are we seeking to address a social issue like crime or terrorism? Are we seeking to improve confidence? Are we attempting to focus on the consumer, citizen and employee needs? Or is it all about shareholder value and the search for profit?

As the article discusses, my fear is that profit will create confusion and complexity, not more convenient and frictionless experiences.

An Identifier is not an Authenticator

Not too long ago, the House Ways and Means committee learned about and understood the difference between Identifiers (such as the PAN, SSN, Driver License number, Email, User name, or account number) and an Authenticator.

A recent document produced by the Identity Coalition speaks to the challenge of identity. It can be found on their website: https://www.betteridentity.org/

One paragraph reads:

As a general rule, to be useful across multiple systems a widely used identifier must be persistent, meaning that it stays constant over time. The complexities induced by shifting an identifier to one that is not  persistent – but revocable – are significant.

This is a pivotal thought and one we should embed in our thinking.

This report starts with a discussion about who can play a role and who has established coherent verification and proofing mechanisms that can be used as a root of trust.  The Social Security number, given its pervasive place among the data stored about us, became an area of focus:

There are five steps that the government should take to change – and improve – the way we treat the SSN.

  1. Frame every proposal about the future of the SSN on the basis of whether it looks to impact the use of the SSN as an authenticator, an identifier, or both.
  2. Stop using the SSN as an authenticator. Use of the SSN as an authenticator rests on the idea that the SSN is a “secret” – and that knowledge of an SSN can thus be used to prove that someone is who they claim to be.
  3. Preserve use of the SSN as an identifier – but look to reduce its use wherever feasible.
  4. Consider changing laws and regulations that require companies to collect and retain SSN.
  5. The government should not seek to replace the SSN.

As I read through these choices, I replace the acronym SSN with PAN or any other identifier and I end up with the same concern. We have allowed identifiers to become authenticators and now struggle to replace them with something else (i.e., a token), when what we should have done is recognize that authentication was the missing element of the identity puzzle.

The report then continues with a set of recommendations including two areas of personal interest.

Strong Authentication Equals Multi-Factor Authentication

Promote and prioritize the use of strong authentication. Inherent in any policy change that prohibits use of the SSN as an authenticator is a way to replace it with something better. Here, the problem is not just with SSNs, but also with passwords and other “shared secrets” that are easily compromised by adversaries.

Multi-stakeholder efforts like the Fast Identity Online (FIDO) Alliance, the World Wide Web Consortium (W3C), and the GSMA have developed standards for next-generation authentication that are now being embedded in most devices, operating systems and browsers, in a way that enhances security, privacy and user experience.

International Coordination and Harmonization.

This one has particular meaning to me.  My family lives in two countries, we are citizens of a third and we have lived in four.  I want to be assured that whatever the process is to authenticate our identities in one will meet the basic requirements of all.

An interesting read and one I strongly recommend we work to promote.