2FA – Starts With The “What You Have” Factor

https://twofactorauth.org/

I ran into this site today and am happy to see how Josh has offered a listing of sites, across multiple verticals, who have and have not embraced Multi-Factor Authentication.


The choice of primary factor is the key to the strength of authentication.

“What You Know” could be extremely secure, except that we depend on the human to protect it and to make it unique and complex.

“What You Are” can only be as secure as the quality and accuracy of the sensors and the algorithms used to match what is sensed now to what was registered then.

For me, a “Restricted Operating Environment” capable of securing secret and private KEYS and using them to securely perform cryptographic functions, be they Symmetric and / or Asymmetric, is the primary factor.  The DEVICE(s) we use to access the service provided by the relying party simply need to be registered and recognized, and therefore become the UNIQUE “What We Have” factor.

If we know the device is UNIQUE, then the only outstanding question is whether the registered user is using it, and not under duress.  If the relying party is not confident of the presence of the registered user, then the Relying Party needs an additional factor to assure presence, be it “What You Know” and / or “What You Are”, added to assure presence during the transaction or the authentication dialogue.

If the Relying party is comfortable the registered user is using their registered device, why add friction?

Prevention is what we need to focus on.  Lock the door with strong keys.  Detection is after the fact and necessary.  Investigation helps to punish the evil-doer and improve the quality of security.

We need to focus on the methods used to allow someone onto the relying party’s website or to execute a transaction.  As in the physical world, it is about making sure the user’s KEY is unique and the right individual is in possession of the key.

In other words: the user is present, using a registered and recognized device.

 

Multi-Factor Authentication – Faster Payments and the Immutability of a Transaction

Karen Webster
CEO, Market Platform Dynamics
President, PYMNTS.com

Karen,

Last week in your publication I read the article Deep Dive: Security In The Time Of Faster Payments and I had to offer the following thoughts:

The concept of Multi-Factor Authentication is based on the idea of layering multiple authentication techniques on top of each other.

We typically speak of three factors “What You Have”, “What You Know” and “What You Are”.

When we think of “What You Have” we think of a “Thing”: an object that cannot be replicated or counterfeited.

An object, “a secure computer”, that can be upgraded and made more secure as threats like Quantum emerge.
A unique object with a False Reject Rate (FRR) and a False Accept Rate (FAR) approaching zero.

In the physical world “the thing” is a card or passport.  You will remember from our first discussion that we came to agree the “secure computer” embedded inside provides a future-proof mechanism.  In the digital world, we depend on Cryptography.  This Thing, inside our computers, mobile phones and other technologies, many refer to as a ROE “Restricted Operating Environment”.  Technology people may call it a Secure Element, a SIM, an eSIM, a TPM, a TEE, an eUICC or even Security in Chip.  Companies like ARM specialize in creating the design of these things and silicon manufacturers embrace and license their designs.

Today these connected devices (be they: personal computers, identity & payment cards, FOBs, mobile phones, bracelets, watches and hopefully every IoT device) need to be secured.  This array of cheap ~$1 security circuitry provides a place to create and/or store private keys & secret keys, perform cryptographic functions and assure the integrity of the BIOS and software being loaded or currently running in these computers.

Think Bitcoin for a second.  The key to its architecture is the Private Key associated with your store of coins.  Lose it and they are lost.  Many people store these in hardware, based on the use of a ROE.

The second factor is all about proving that you are present.  Behavior, location, PIN, fingerprint or passwords are second or even third factors, be they something you know or something you are.

This is what FIDO and what WebAuthN are all about.  Especially since they introduced the security certification regime.  This is what the Apple Secure Enclave is, and what Samsung and others embed into their devices.  This is what we put into payment cards, government identity cards and the Yubico keys we see various enterprises embracing.  This is what Bill Gates started talking about in 2002.  BILL GATES: TRUSTWORTHY COMPUTING

As we move to Faster Payments we must move to Secure payments.  Immutability and irrefutability become key requirements.  To achieve this goal I suggest we need to understand one fundamental security principle.

The First Factor
is Something(s) You Have
My Thing(s)

The Second and Third factors
Prove You Are Present

Storing Biometrics in the Cloud
Creates a Honey Pot
And, begs questions of Privacy

Let me identify myself to My Thing.

Then let My Thing
Authenticate my presence to
The Relying Party (Bank or Credit Union)
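The dialogue the letter closes with, and the registered-device argument of the first post, as an added example that is not code from the original page: the user identifies to the Thing locally, and the Thing answers the Relying Party's one-time challenge with a key it holds. The shared-HMAC-key simplification, the device id and the PIN are assumptions; FIDO/WebAuthn use a per-RP asymmetric key pair so the RP stores only a public key.

```python
"""Device-bound authentication: the user identifies to "My Thing" locally,
then the Thing proves presence to the Relying Party (RP).  Added illustration,
not code from the original page.  Simplification (assumed): one shared HMAC
key per device; FIDO/WebAuthn use asymmetric keys so the RP holds no secret."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple


class Thing:
    """The registered device: keeps the key and checks the user locally."""

    def __init__(self, device_id: str, pin: str):
        self.device_id = device_id
        self._key = secrets.token_bytes(32)  # in a real ROE this never leaves the chip
        self._pin_hash = hashlib.sha256(pin.encode()).digest()

    def registration_record(self) -> Tuple[str, bytes]:
        # Enrolment: the RP learns the device id and (in this simplification) the key.
        return self.device_id, self._key

    def assert_presence(self, challenge: bytes, pin: str) -> Optional[bytes]:
        # "What You Know" is verified inside the Thing; the RP never sees the PIN.
        if not hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self._pin_hash):
            return None
        return hmac.new(self._key, self.device_id.encode() + challenge, hashlib.sha256).digest()


class RelyingParty:
    """Bank or credit union: knows registered devices, issues one-time challenges."""

    def __init__(self):
        self._devices: Dict[str, bytes] = {}
        self._pending: Dict[str, bytes] = {}

    def register(self, device_id: str, key: bytes) -> None:
        self._devices[device_id] = key

    def challenge(self, device_id: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending[device_id] = nonce
        return nonce

    def verify(self, device_id: str, response: Optional[bytes]) -> bool:
        nonce = self._pending.pop(device_id, None)  # single use, so a replayed response fails
        key = self._devices.get(device_id)
        if nonce is None or key is None or response is None:
            return False
        expected = hmac.new(key, device_id.encode() + nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def login(rp: RelyingParty, thing: Thing, pin: str) -> bool:
    """One dialogue: RP challenge -> local PIN check in the Thing -> keyed response."""
    nonce = rp.challenge(thing.device_id)
    return rp.verify(thing.device_id, thing.assert_presence(nonce, pin))
```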

Deciphering Digital – Your Phone is Your Wallet

Today, Wednesday October 18, 2017, I had the opportunity to provide the closing keynote to the EPCOR Annual Payments conference.  Today, I was reminded of the reality that payments is not only about cards; it is the engine that fuels the revenue of a financial institution.  ACH, Wires, Cards, checks, transfers and even cash are revenue earning services; our community banks call them payments.

My speech was about the future and focused on the evolution of our phone in this new digital age we all must learn to embrace.

IoT Payments Wednesday Morning

Continuation of my running thoughts as I listen and participate at the Secure Technology Alliance.

Role of the TSP

  • Wearables are a small part of the IoT market, and to scale, the vendors need to not have to worry about “Payments”.
  • Should device manufacturers understand payments? Can they?
  • The TSP must appreciate its role and what it is not.
  • As we look at IoT we need to recognize the scale of the shift from an issuer-centric to a consumer-centric model. The payment credential carrier no longer belongs to the Issuer.

  • What is the role of the Token Requestor? It provides a consolidated view for the consumer. It consolidates the view of all the edge devices.
  • Who is the ultimate revenue source? The consumer? How does one create the consolidated view with so many instances of tokens?
  • What is the life of a token? This then leads to the question of the relationship with the manager (issuer) of the Means of Payment.
  • With the pre-provisioned credential, how does one manage the long-term life cycle?

Root of Trust

  • Is PKI the right approach to the necessary level of trust this emerging environment requires?
  • We must remember the complexity of a PKI infrastructure.
  • In the payment space the use of secure devices, e.g. HSMs, was mainly on the acquiring side. Now, as a result of EMV, issuers became much more concerned with keys and key management.
  • As we move into a mobile and more broadly connected world, the need arises to assure trust in the software, the device, whatever.
  • This discussion is very much about the value and need for HSMs.
  • The question is raised as to the future of PKI given the US Gov’t perspective.
  • And, what of the introduction of Quantum Computing and the associated risk to the available cryptographic algorithms and keys?

In-Vehicle Payments

  • A car can be used as a place to shop, it could pay for service rendered, it can be linked to service providers. NFC/BLE/In-app and Card on File.
  • The car can host merchant apps.
  • The idea of a POS device in the car leaves me lost. Who is the seller?

Smart Cities and Multi-Modal

  • To address smart cities one has to think across the wider context.
  • What roles the FTA can support becomes a question of what the cities want.
  • Mobility on Demand, driven by the need to reduce congestion and improve life.
  • Built on local partnership within the community
  • A recognition that a multimodal approach is necessary. A focus on user centric approaches to transport.

Multimodal Payment Integration

  • The challenge begins with the fragmentation of the transit environment. It is not transit; it is all about Mobility.
  • They want a brand and system agnostic solution that is intelligent and can help better manage spend.
  • How large is transit? Public only: 6,500 transit operators supporting 1 trillion rides per year.
  • The roadmap is in development, it is early days.

Wearables – lessons learned

  • What is a wearable? Do define them based on feature and function. Clothes, jewelry…
  • We use a wearable when we need them. Athletic, climate, entertainment or work.
  • These electronic wearables need to consider the use cases that should be integrated into a limited number of devices we would wear.
  • Three words – simple – connected – enablements
  • How will we enable, more specifically load, the various certificates we need to access, employ and pay for?
  • Interoperability will become the challenge. Do we imagine a world restricted by brand / manufacturer? Or, open to a wide array of designs and capabilities; then how do we get there?
  • Secure element
    Data management & personalization
    Mobile device software integration
    Device life cycle management

    Tokenization as a methodology and ecosystem is essential to the growth of payment in the IoT space.

BLE of IoT Payments

  • The cloud may restrict what could be communicated.
  • BLE is “local” allowing secure application management and secure transactions.

Managing Trust and Security

  • Identity is the key to much.
  • The next question therefore is trust in the Identifier.
  • Authentication with what, in what, where?
  • Life cycle management. How do you know your device has been wiped clean of all your credentials?

IoT 2017 Payments Tuesday Afternoon

Continuing the learning and commentary

IoT Payments 2017 – Austin TX October 10th and 11th

Context-based payments

  • Security has always been an afterthought as devices were deployed and solutions were developed. Security needs to be built in as a fundamental layer in these emerging IoT objects.
  • Growth in fraud in online payments is typically a result of the deployment of EMV.
  • As we think about Dash buttons and the myriad of other interfaces that can access a card on file style shopping and payment experience we must think anew about security.
  • What is context? Our digital footprint as we go through our daily lives.
  • The growing number of IoT devices can help to establish context, which can then be used as a fourth factor in an authentication scheme.
  • It is all about acquiring data and building a profile, your context.
  • What is the unique identifier that links all the objects to the individual?

Bridging the Security Gap

  • Brightsight, a lab focused on security, looking at both physical and logical security at both the operating system and application layer.
  • The IoT landscape is a world of objects where the goal is to sell fast. No security has been built in and the attack surface is broad and wide.
  • The fear of who is able to access the vast array of data available through these connected devices.
  • Security is about managing risk. Risk evolves over time. Therefore security must evolve to stay ahead of the current level of risk – continuous improvement.
  • In the world of IoT who will define the security requirements and who shall pay becomes the key question.
  • We should consider using Common Criteria as a baseline for the security of IoT devices.
  • Bottom line – the implementation of security is all about the developer and the use of already certified components, e.g. the Integrated Circuit and the Operating System.

The key to top of wallet

  • Changing our top of wallet card is not something we are driven to do.
  • So many sites drive to Card on File
  • The objects will end up with an embedded payment within
  • There is a hierarchy of needs
  • BASIC WANTS & NEEDS

  • MASS & PERMITTED RECOMMENDATION

  • SOCIAL & RELEVANT REFERRALS

  • ON-BEHALF

    As he speaks of On-behalf, a document produced back in 1996 must be found.

  • Will the IoT evolution increase consumption? Maybe.

Wearables 101

  • What is the connectivity?
  • Where are the credentials stored?
  • Is it a configurable device relative to which credentials?
  • Types
  • Contactless cards and devices
    The mobile ecosystem introduces the token requestor

    A solid overview of the world of tokenization

  • The tap experience with a wearable is an interesting design experience.
  • A wearable is smaller and much more personal.
  • As seen from the payment networks
  • Like a card
  • Mobile device (secure element)
  • HCE
  • Wearables are in market today

Risk Based Payment Security

  • Beth took a walk through the history of payment acceptance
  • The Internet of Things creates the tsunami effect on our world of risk. Both scary and empowering.
  • Risk is or was always about the balance between security and convenience.
  • Tokenization moves the authentication responsibility from the Issuer to the payment brand. In this case who has the responsibility in the event of. Has the threat of penetration moved to the payment brand?
  • The move to mobile devices as a result of the inherent transaction security to the registration and ID&V process.
  • Interoperability and security standards: who controls? IoT is not a market. It is a collection of vertical and closed environments.
  • We need to agree on a common set of security values, not necessarily on a common standard.
  • When we think about the wider question of the how and what of security, we need to think about the security of the device and the cloud. We need to remember it is also about the ability to spoof and acquire the credentials of a user.
  • Security must be designed in from the beginning.

The day came to a close.

IoT 2017 Payments Tuesday Morning

October 10th

Random comments offered as the various speakers speak at the conference at the Hyatt Regency Austin.

  • MasterCard spoke of the opportunity IoT offers in this connected world and how technology can transform physical retailing.

Prof. Gideon Samid, PhD, PE.

  • Speaks of the use of randomness as the key to the security of the future.
  • The challenge of IoT is the processing capabilities of these devices.
  • Digital Money & Contract: you cannot separate identity from the value. Cyber economics and the associated cyber security is all about setting up a scheme where for each action there is a payment for service rendered, hence an audit trail is established for each action.
  • What happens to anonymity in this new world where every action is identified and recorded?
  • Anonymity will be dictated by regulation and the political domain. BitMint embraces the controls inherent in the 4th amendment.

IoT payment landscape

  • A brief wander back through the way back machine as we watch time move forward.
  • Samsung shared a vision of what this new world of IoT looks like.
  • Cars, washing machines and so much more connected and controlled.
  • Samsung is a Token Requestor post identity and development. The Samsung Pay technologies now in the phone can easily be transferred into almost any device.
  • Gemalto was asked to address the multiplicity of devices emerging in the market place. There is just a plethora of new form factors.
  • The question is all about getting the key set into these devices. The aggregation model as a Token Service Manager is what Gemalto has developed.
  • There are two basic models the pre-personalized and the over the air personalization.
  • There is then the emergence of the new domestic Token Service Providers. G&D speaks of the breadth of security required for these IoT devices.
  • We now need to think about Life Cycle Management especially when considering payment credentials. Key to this conversation relates to upgrading and replacing the device carrying the credential.
  • How will the consumer figure out where all their payment credentials are?
  • How shall the standards evolve to support all of this new and competitive plethora of IoT objects?
  • We must be careful and embrace standardization to support interoperability.
  • Why can’t this market embrace the device, and not the cloud, model to store the payment credentials?
  • We are layering security onto the existing legacy infrastructure. The payment brands are responsible to define the rules and technology requirements.
  • Tokenization was created as a means of solving for device limitations by pushing the point of compromise into the cloud.
  • MST is a nice transitional technology, NFC is more than likely the future, at least in some peoples view.
  • The point of interaction, bottom line, is the point of acceptance.

Lunch

Tuesday Afternoon

Philip Andreae & Associates is Open for Business

With decades of experience in public speaking, management, payments, information technology, cybersecurity, business development and marketing; Philip Andreae is available to help you and your team develop and implement your products and business strategies.