Today.

How many passwords are you trying to manage! Does your LinkedIn contact list connecting you to more than 4,000 individuals? Does Facebook, Instagram, and other social media websites inundating you with news and stories about your friends, colleagues and interesting people?

How many cookies have your computers accumulated? How many databases have more information about you than they need? If we search the dark web, how valuable is your data?

Cando seeks to help you manage your data, identity, assets, and relationships.

Philip lives on Sea Island with his 93-year-old father, the Doctor. They pursue travel and Philip keeps his head into what is happening in financial services, blockchain, authentication, digital identity, and, whatever else people seeking to understand the transformation; particularly those in the identity and payments space.

What is happening means we can unlock our hotel rooms, cars, and homes from our phones. Our security system iwill be another app we have to find on our phone.

Instead, we need an intuitive assistant seeking to simplify our lives by taking on repetitive tasks like driving, working inside a data table or simply opening up the house for the season.

Normalizing data and performing the analysis capable of earning value is the name of the game. Management is about stimulating a team to work in the mutual interest of the organization. Executives define the strategy and articulate the vision in a manner conducive to success.

Cando seeks to help you manage your assets and relationships. Assets those places and things you use doing your daily life and those interactions you have with people and entities seeking to serve, sell and partner with you.

Then there are friends who we expect to be part of our lives and therefore have privileges and access capabilities.

All of this with a target of selling integration services to the top million and simply assuring each person has an identity thus serving the bottom billion. ultimately earning $1 per year per user to simply be there when it all breaks and you wish to restore your digital life.

At the core, your digital security will be based on the use of cryptography and sophisticated matching algorithms designed to assure anyone that you are that one individual in the populatations of the universe.

What You possess, What You Are, What You Claim … Your Certificates

NCCOE NIST Multi-Factor Authentication

What you Possess — The Thing

What you Are — You

Your Relationships

Responsibilities

Authority

Advice

— Secrets

My Certificates

Seven Words

World Wide Web Consortium

FIDO Alliance

Global Platform

The Trusted Computing Group

EMVCo
ISO
ANSI
ABA

Future interests

Artificial Intelligence
Machine Learning
Nature Language Interface
Predictive Analytics

2FA – Starts With The “What You Have” Factor

https://twofactorauth.org/

I ran into this site today and am happy to see how Josh has offered a listing of sites, across multiple verticals, who have and have not embraced Multi-Factor Authentication.

What the primary factor is, is the key to the strength of authentication.

“What You Know” could be extremely secure, except we depend on the human to make sure they protect it, make it unique and complex.

“What You Are” can only be as secure as the quality and accuracy of the sensors and the algorithms used to match what is sensed now to what was registered then.

For me a “Restricted Operating Environment” capable of securing secret and private KEYS and use them to securely performing cryptographic functions, be they Symmetric and / or Asymmetric is the primary factor. The DEVICE(s) we use to access the service provided by the relying party simply needs to be registered, recognized and therefore the UNIQUE “What We Have” factor.

If we know the device is UNIQUE. Then the only outstanding question is, is the registered user using it, while not under duress. If the relying party is not comfortable with the presence of the registered user, then the Relying Party needs an additional factor to assure presence. Be it the “What You Know” and / or “What You Are” one adds to assure presence during the transaction or the authentication dialogue.

If the Relying party is comfortable the registered user is using their registered device, why add friction?

Prevention is what we need to focus on. Lock the door with strong keys . Detection is after the fact and necessary. Investigation helps to punish the evil doer and improve the quality of security.

We need to focus on making sure the methods used to allow someone onto the relying parties website or when they execute a transaction. Like in the physical world, it is about making sure the user’s KEY is unique and the right individual is in possession of the the key.

In other words. The user is present using a registered and recognized device.

Multi-Factor Authentication – Faster Payments and the Immutability of a Transaction

Karen Webster
CEO, Market Platform Dynamics
President, PYMNTS.com

Karen,

Last week in your publication I read the article Deep Dive: Security In The Time Of Faster Payments and I had to offer the following thoughts:

The concept of Multi-Factor Authentication is based on the idea of layering multiple authentication techniques on top of each other.

We typically speak of three factors “What You Have”, “What You Know” and “What You Are”.

When we think of “What You Have” we think of a “Thing”. An object that cannot be replicated or cannot be counterfeited.

An object “a secure computer” that can be upgraded and made more secure as threats like Quantum emerge.
A unique object with a False Reject Rate FRR and a False Accept Rate FAR approaching zero.

In the physical world “the thing” is a card or passport. You will remember our first discussion, we came to agree the “secure computer” embedded inside provides a future proof mechanism. In the digital world, we depend on Cryptography. This Thing, inside our computers, mobile phones and other technologies; many refer to as a ROE “Restricted Operating Environment”. Technology people may call it a Secure Element, a SIM, an eSIM, a TPM, a TEE, an eUICC or even Security in Chip. Companies like ARM specialize in creating the design of these things and silicon manufacturers embrace and license their designs.

Today these connected devices (be they: personal computers, identity & payment cards, FOBs, mobiles phones, bracelets, watches and hopefully every IoT device) need to be secured. This array of cheap ~$1 security circuitry provides a place to create and/or store private keys & secrets keys, perform cryptographic functions and assure the integrity of the BIOS and software being loaded or currently running in these computers.

Think Bitcoin for a second. The key to its architecture is the Private Key associated with your store of coins. Lose it and they are lost. Many people store these in hardware, based on the use of a ROE.

The second factor is all about proving that you are present. Behavior, location, PIN, fingerprint or passwords are second or even third factors, be they something you know or something you are.

This is what FIDO and what WebAuthN is all about. Especially since they introducing the security certification regime. This is what the Apple Secure Enclave is and Samsung and others embed into their devices. This is what we put into payment cards, government identity cards and the Yubico keys we see various enterprises embracing. This is what Bill Gates started talking about in 2002. BILL GATES: TRUSTWORTHY COMPUTING

As we move to Faster Payments we must move to Secure payments. Immutability and irrefutably become key requirements. To achieve this goal I suggest we need to understand one fundamental security principle.

The First Factor
is Something(s) You Have
My Thing(s)

The Second and Third factors
Prove You Are Present

Storing Biometrics in the Cloud
Creates a Honey Pot
And, begs questions of Privacy

Let me identify myself to My Thing.

Then let My Thing
Authentication my presence to
The Relying Party (Bank or Credit Union)

Deciphering Digital – Your Phone is Your Wallet

Today Wednesday October 18, 2017. I had the opportunity to provide the closing keynote to the EPCOR Annual Payments conference. Today, I was reminded of the reality that payments is not only about cards it is the engine that fuels the revenue of a financial institution. ACH, Wires, Cards, checks, transfers and even cash are revenue earning services; our community banks call payments.

My speach was about the future and focused on the evolution of our phone in this new digital age we all must learn to embrace.

IoT Payments Wednesday Morning

Continuation of my running thoughts as I listen and participate at the Secure Technology Alliance.

Role of the TSP

Wearables a small part of the IoT market and to scale the vendors need to not have to worry about “Payments”.
Should device manufactures understand payments? Can they?
The TSP must appreciate its role and what it is not.
As we look at IoT we need to recognize the scale of the shift from a issuer centric to a consumer centric model. The payment credential carrier no long belongs to the Issuer.

What is the role of the Token Requestor? It provides a consolidated view for the consumer. It consolidates rhe view of all the edge devices.
Who is the ultimate revenue source? The consumer? How does one create the consolidated view with so many instances of tokens?
What is the life of a token? This then leads to the question of the relationship with the manager (issuer) of the Means of Payment.
With the pre-provisioned credential how does one manage long term life cycle.

Root of Trust

Is PKi the right approach to the necessary level of trust this emerging environment requires.
We must remember the complexity of a PKi infrastructure.
In the payment space the use of secure devices e.g. HSM was mainly on the acquiring side. Now as a result of EMV issuers became much more concerned with keys and key management.
As we move into a mobile and more broadly connected world the need to assure trust in the software, device whatever.
This discussion is very much about the value and need for HSMs.
The question is raised as to the future of PKi given the US Gov’t perspective.
And, what of the introduction of Quantum Computing and the associated risk to the available cryptographic algorithms and keys?

In-Vehicle Payments

A car can be used a place to shop, it could pay for service rendered, it can be linked to service providers. NFC/BLE/In-app and Card on File.
The car can host merchant apps.
The idea of a POS device in the car leaves me lost. Who is the seller?

Smart Cities and Multi-Modal

To address smart cities one has to think across the wider context.
What are the roles the FTA can support, becomes a question of what the cities want.
Mobility on Demand driven by the needs to reduce congestion and improve life.
Built on local partnership within the community
A recognition that a multimodal approach is necessary. A focus on user centric approaches to transport.

Multimodal Payment Integration

The challenge begins with the fragmentation of the transit environment. It is not transit it is all about Mobility.
They want a brand and system agnostic solution that is intelligent and can help better manage spend.
How large is transit, public only, 6,500 transit operators supporting 1 trillion rides per year.
The roadmap is in development, it is early days.

Wearables – lessons learned

What ìs a wearable? Do define them based of feature and function. Cloths, jewelry…
We use a wearable when we need them. Athletic, climate, entertainment or work.
These electronic wearable needs to consider the use cases that should be integrated into a limited number of devices we would wear.
Three words – simple – connected – enablements
How will we enable more specifically load the various certificates we need to access, employ and pay for.
Interoperability will become the challenge. Do we imagine a world restricted by brand / manufacturer? Or, open to a wide array of designs and capabilities then how do we get there.
Secure element
Data management & personalization
Mobile device software integration
Device life cycle management

Tokenization as a methodology ans ecosystem is essential to the growth of payment in the IoT space.

BLE of IoT Payments

The cloud may restrict what could be communicated.
BLE is “local” allowing secure application management and secure transactions.

Managing Trust and Security

Identity is the key to much.
The next question therefore it trust in the Identifier.
Authentication with what, in what where?
Life cycle management. How do you know your device been wiped clean of all your credentials.

IoT 2017 Payments Tuesday Afternoon

Continuing the learning and commentary

IoT Payments 2017 – Austin TX October 10th and 11th

Context-based payments

Security has always been an after thought as devices were deployed and solutions were developed. Security needs to be built in as a fundamental layer in these emerging IoT objects.
Growth in fraud in online payments is typically a result of the deployment of EMV.
As we think about Dash buttons and the myriad of other interfaces that can access a card on file style shopping and payment experience we must think anew about security.
What is context? Our digital footprint as we go through our daily lives.
The growing number of IoT devices can help to establish context, which can then be used as a fourth factor in an authentication scheme.
It is all about acquiring data and building a profile, your context.
What is the unique identifier that links all the objects to the individual.

Bridging the Security Gap

Brightsight a lab focused on security looking at both physical a logical security at both the operating system and application layer.
The IoT landscape is a world of objects where to goal is sell fast. No security has been built in and the attack surface is broad and wise.
The fear of who is able to access the vast array of data available through these connected devices.
Security is about managing risk. Risk evolves over time. Therefore security must evolve to stay ahead of the current level of risk – continuous improvement.
In the world of IoT who will define the security requirements and who shall pay becomes the key question.
We should consider using Common Criteria as a baseline for the security of IoT devices.
Bottom line – the implementation of security is all about the developer and the use of already certifies components e.g. Integrated Circuit and the Operating System.

The key to top of wallet

Changing our top of wallet card is not something we are driven to do.
So many sites drive to Card on File
The objects will end up with an embedded payment within
There is a hierarchy of needs
BASIC WANTS & NEEDS
MASS & PERMITTED RECOMMENDATION
SOCIAL & RELEVANT 1REFERRALS
ON-BEHALF

As he speaks of On-behalf a document produced back in 1996 must be found
Will the IoT evolution increase consumption, Maybe?

Wearables 101

What is the connectivity
Where are the credentials stored
Is it a configurable device relative to which credentials
Types
Contactless cards and devices
The mobile ecosystem introduces the token requestor

A solid overview of the world of tokenization
The tap experience with a wearable is an interesting design experience.
A wearable is smaller and much more personal.
As seen from the payment networks

Like a card

Mobile device (secure element)

HCE

Wearable are in market today

Wearable are in market today

Risk Based Payment Security

Beth took a walk through the history of payment acceptance
The Internet of Things creates the tsunami effect on our world of risk. Both scary and empowering.
Risk is or was always about the balance between security and convenience.
Tokenization moves the authentication responsibility from the Issuer to the payment brand. In this case who has the responsibility in the event of. Has the threat of penetration moved to the payment brand.
The move to mobile devices as a result of the inherent transaction security to the registration and ID&V process.
Interoperability and security standards who controls? IoT is not a market. It is a collections of vertical and closed environments.
We need to agree on a common set of security values not necessarily on a common standard.
When we think about the wider question of the how and what of security. We need to think about the security of the device and the cloud. We need to remember it is also about the ability to spoof and acquirer the credentials of a user.
Security must be designed in from the beginning.

The day came to a close.

IoT 2017 Payments Tuesday Morning

October 10th

Random comments offered as the various speakers speak at the conference at the Hyatt Regency Austin.

MasterCard spoke of the opportunity IoT offers in this connected world and how technology can transform physical retailing.

Prof. Gideon Samid, PhD, PE.

Speaks of the use of randomness as the key to the security of the future.
The challenge of IoT is the processing capabilities of these devices.
Digital Money & Contract you cannot separate identity from the value. Cyber economics and the associated cyber security is all about setting up a scheme where for each action there is a payment for service rendered, hence an audit trail is established for each action.
What happens to anonymity in this new world where every action is identified and recorded.
Anonymity will be dictated by regulation and the political domain. BitMint embraces the controls inherent in the 4th amendment.

IoT payment landscape

A brief wander back through the way back machine as we watch time mover forward.
Samsung shared a vision of what this new world of IoT looks like.
Cars, washing machines and so much more connected and controlled.
Samsung is a Token Requestor post identity and development. The. Samsung Pay technologies now in the phone can easily be transferred into almost any device.
Gemalto was asked to address the multiplicity of devices emerging in the market place. There are just a plethora or new form factors.
The question is all about getting the key set into these devices. The aggregation model as a Token Service Manager is what Gemalto has developed.
There are two basic models the pre-personalized and the over the air personalization.
There is then the emergence of the new domestic Token Service Providers. G&D speaks of the breadth of security required for these IoT devices.
We now need to think about Life Cycle Management especially when considering payment credentials. Key to this conversation relates to upgrading and replacing the device carrying the credential.
How will the consumer figure out where all their payment credentials are.
How shall the standards evolve to support all of this new and competitive plethora of IoT objects?
We must a careful and embrace standardization to support interoperability.
Why can’t this market embraced the device and not cloud model to store the payment credentials.
We are layering security onto the existing legacy infrastructure. The payment brands are responsible to define what the rules and technology requirements.
Tokenization was created as a means of solving for device limitations by pushing the point of compromise into the cloud.
MST is a nice transitional technology, NFC is more than likely the future, at least in some peoples view.
The point of interaction bottom line the point of acceptance.

Lunch

Tuesday Afternoon

Philip Andreae & Associates is Open for Business

With decades of experience in public speaking, management, payments, information technology, cybersecurity, business development and marketing; Philip Andreae is available to help you and your team develop and implement your products and business strategies.