Multi-Factor Authentication – Faster Payments and the Immutability of a Transaction

Karen Webster
CEO, Market Platform Dynamics
President, PYMNTS.com

Karen,

Last week in your publication I read the article Deep Dive: Security In The Time Of Faster Payments and I had to offer the following thoughts:

The concept of Multi-Factor Authentication is based on the idea of layering multiple authentication techniques on top of each other.

We typically speak of three factors “What You Have”, “What You Know” and “What You Are”.

When we think of “What You Have” we think of a “Thing”.  An object that cannot be replicated or cannot be counterfeited.

An object “a secure computer” that can be upgraded and made more secure as threats like Quantum emerge.
A unique object with a False Reject Rate FRR and a False Accept Rate FAR approaching zero.

In the physical world “the thing” is a card or passport.  You will remember our first discussion, we came to agree the “secure computer” embedded inside provides a future proof mechanism.  In the digital world, we depend on Cryptography.  This Thing, inside our computers, mobile phones and other technologies; many refer to as a ROE “Restricted Operating Environment”.  Technology people may call it a Secure Element, a SIM, an eSIM, a TPM, a TEE, an eUICC or even Security in Chip.  Companies like ARM specialize in creating the design of these things and silicon manufacturers embrace and license their designs.

Today these connected devices (be they: personal computers, identity & payment cards, FOBs, mobiles phones, bracelets, watches and hopefully every IoT device) need to be secured.  This array of cheap ~$1 security circuitry provides a place to create and/or store private keys & secrets keys, perform cryptographic functions and assure the integrity of the BIOS and software being loaded or currently running in these computers.

Think Bitcoin for a second.  The key to its architecture is the Private Key associated with your store of coins.  Lose it and they are lost.  Many people store these in hardware, based on the use of a ROE.

The second factor is all about proving that you are present.  Behavior, location, PIN, fingerprint or passwords are second or even third factors, be they something you know or something you are.

This is what FIDO and what WebAuthN is all about.  Especially since they introducing the security certification regime. This is what the Apple Secure Enclave is and Samsung and others embed into their devices.  This is what we put into payment cards, government identity cards and the Yubico keys we see various enterprises embracing.  This is what Bill Gates started talking about in 2002.  BILL GATES: TRUSTWORTHY COMPUTING

As we move to Faster Payments we must move to Secure payments.  Immutability and irrefutably become key requirements.  To achieve this goal I suggest we need to understand one fundamental security principle.

The First Factor
is Something(s) You Have
My Thing(s)

The Second and Third factors
Prove You Are Present

Storing Biometrics in the Cloud
Creates a Honey Pot
And, begs questions of Privacy

Let me identify myself to My Thing.

Then let My Thing
Authentication my presence to
The Relying Party (Bank or Credit Union)

Disruption or the Reality of Legacy

Often times people speak of disruption as this traumatic thing being imposed upon them, their industry or society. Yet, if we look under the covers disruption more than likely is all about a competitor, not locked into a legacy approach, approaching the market with different tools.

The world of payments, as so many others, have implemented technology then gone on to enhance or update multiple times. Each time, someone or some group of people, had to adapt therefore invest to keep up. More often than not, a community would decide to hold on to what they built, sometime ago, hoping no one tried to disrupt the status quo.

With payment the need to embrace more effective approaches parallels the robustness and frequency of transactions. It also parallels the desire of sellers to do business with anonymous buyers. A lack of trust and a need to reduce the amount of cash we carry drove, markets to promissory notes. These promissory notes further evolved, as trusted intermediaries entered the market and created more efficient methods of providing that guarantee of payment.

Not wanting to duplicate what is already written about the history of money and payments we can jump forward through the paper phase to where we are in North America: Cash, cards, some checks and electronic debits & credits.

If we look inside the evolution of legacy.  We find what we have, is a stumbling block, holding innovation back.  We need to decide to adapt what exists or remove and replace.

Trust – the truth of our identity

Such a big word.

This Sunday our minister spoke of Mark 5:20-43 and how we must trust in Jesus.

Her evocative sermon provoked a wider or is it broader question,

“What is Trust”.

First we must ask the classic question what does the Dictionary and Wikipedia say. This then leads us to have to think of the use of the term. Are we using it to describe a legal structure, the nature of a business, a computational concept or the name of a film, song or other human creation?

Given this discussion started as a result of a sermon, the best approach is to consider the social and emotion context of trust. Understand the sociology, psychology, philosophy, economics and systems perspective, may offer clarity to the words “we trust … “. In the first paragraph the Wikipedia authors condensed a lot of thought into a short paragraph. {formatting of my doing}.

Definitions of trust typically refer to a situation characterized by the following aspects:

  • One party is willing to rely on the actions of another party (trustee); the situation is directed to the future.
  • In addition, the abandons control over the actions performed by the trustee.
  • As a consequence, the is uncertain about the outcome of the other’s actions; they can only develop and evaluate expectations.
  • The uncertainty involves the risk of failure or harm to the trustor if the trustee will not behave as desired.

In this flow of thought it is clear this word trust carries with it risk. It assumes we are thinking of tomorrow and there is an expectation the trustee will act in a manner that is consistent with our “the trustors” wishes, hopes and desires.

Vladimir Ilych Lenin expressed this idea with the sentence “Trust is good, control is better”.

In the field I have spent the better part of my life, computers have played a big part. Be it as a tool we programmed to perform a function or task. Or, the systems supporting the products and services we sought to promote. More recently, as we look to this global village we are a member of. We think about the need to establish mechanisms to assure trust between parties. Parties who probably will never meet, in person or even by chance speak to. We must therefore establish acceptable social and psychological mechanism with machines which we inherently are wary of.

Looking to the sociology of trust set of sentences stands out

“It does not exist outside of our vision of the other. This image can be real or imaginary, but it is this one which permits the creation of the Trust.” … “Because of it, trust acts as a reductor of social complexity, allowing for actions that are otherwise too complex to be considered (or even impossible to consider at all); specifically for cooperation.”

All of this leads one to wonder how in a anonymous world can trust be established.

Trust is specifically valuable if the trustee is much more powerful than the trustor, yet the trustor is under social obligation to support the trustee.

In a social context this thought offers a view as to the dominance a position the trustee must have in society. It also frames the responsibility and the obligation established by the trustor in the trustee.

This then leads one think about Multi-Factor Authentication. MFA is emerging as the standard method companies are used to assure one of degree of “trust”. Trust in a claim of the identity of another, be it a customer, employee, citizen or recognized guest.

Is this enough? How can a company be assured of the identity of an individual? How can we, a third party, accept the claims or attributes offers when they are presenting themselves to us. Especially when they present themselves across a global digital highway, prone to the nefarious acts of those who seek to take advantage and profit.

Proof of identity therefore becomes the primary means of establishing trust in an seemingly anonymous space – Cyber Space. This need for proof of identity is the role of the Trustee. These parties who we instinctively have faith in can give us the ability to trust in the claims of identity and the associated attributes representing the characteristics, assets and relationships a person has.

For now I will stop. The next step is to think of and look at words. enrollment, proof, identification,registration, identifier, authentication, rights, privileges, claims, certificates and authority.

Philip Andreae & Associates is Open for Business

With decades of experience in public speaking, management, payments, information technology, cybersecurity, business development and marketing; Philip Andreae is available to help you and your team develop and implement your products and business strategies.

NSTIC and EMV should merge

October 03, 2011

Cyberspace trust: Proving you’re not a dog

A very real discomfort underlies the classic joke: “On the Internet, nobody knows you’re a dog.” How can you prove your own identity and confirm the identity of others during virtual interactions? Every time you reach out to a friend on Gchat, post on a classmate’s Facebook wall, or send money to a colleague via PayPal, you are relying on a key assumption: that the person you’re reaching out to behind that Gmail address, Facebook profile, or PayPal screen name is who they say they are. Without this baseline confidence, online interactions and commerce would be paralyzed.

http://portalsandrails.frbatlanta.org/2011/10/cyberspace-trust-proving-youre-not-dog.html

Philip thinks:

  • The next step is to merge the identity sought by everyone and easily relegated to the Banks to manage.  Facebook and GMail offer an option if their KYC can be improved.  With face to face meeting it is possible to truly prove identity, requiring a branch network.
  • Transaction processing is legacy in the developed world while the emerging economies offer an opportunity to build new.  Existing standards and processes need to be respected as they transform to absorb the new information attachments and Internet offers we now need to cope with.
  • The Wallet forms the basic unit to create a trusted network employing smart cards, trusted computing, persistent computing and inteligence to enable the consumer experience.
  • Privacy and integrity of that trust is essential to the system
  • The individual is key
  • Respect rights and obligations