Authentication, Trust, Identity and Identification

This week the following title caught my eye: Why Authentication Needs to Simplified for Users and Organizations. As one of those users who wants authentication to be easier, I was driven to reflect back on what companies have offered as mechanisms to secure this amazing landscape called the World Wide Web or the Internet. Each of the four devices on the right is a sample of the primary factor “What You Have”. They date back over 25 years and each included a Secure Element, currently referred to as a Restricted Operating Environment (ROE). The one with the keyboard was issued to me by my European bank in the 90s. It was used as step-up authentication to secure the transfer of funds.

Cumbersome to say the least. I had to enter a PIN, then a number displayed on the screen, then type the number displayed on the LCD into a field on my personal computer. What I always asked myself was why they couldn’t integrate that thing inside my keyboard or laptop.

Reflecting forward and thinking about what we have to do today to authenticate ourselves, we are confronted with a myriad of solutions, each different, each claiming to be the right answer to the wider question: secret questions, PINs, patterns, passwords, an SMS or email with a one-time passcode, the Google authenticator, the Microsoft authenticator, FIDO U2F keys, the fingerprint sensor on my phone, the camera on my desktop, how I use my mouse, where I am located, whether there is a cookie on my machine.

On top of all of those commercial solutions, there are numerous demo authenticators that clients and prospects have asked me to look at.

Each different.

Each requiring the user to appreciate when and how to use it.

What is the answer? First we must agree on the requirements.

  1. Convenient
  2. Intuitive
  3. Easy to Integrate
  4. Secure

Starting with secure: it must be able to offer a unique method of authentication that cannot be spoofed, counterfeited or otherwise compromised. It must have a false accept rate approaching zero and a false reject rate also approaching zero.

As for easy to integrate: the people who manage identity and access management (IAM) systems, computers and applications need to be able, quickly and with a minimum of effort, to replace what is now used to identify and authenticate the user with something new.

Intuitive is the real challenge. The whole variety of users must be considered. Are they willing to learn, or capable of making the leap? We hope they will.

Finally, convenient, which demands something fast, easy, memorable and even device independent.

How did we get here? Nobility provided individuals with letters of introduction, sealed with wax and a signet ring to confirm the origin. This letter assured the attributes, capabilities and identity of the carrier. We trusted because of the seal we recognized.

We, each one of 7 billion people on this planet, have more contacts on LinkedIn, Facebook and a myriad of other social networks than many towns and cities had inhabitants when a ring and wax were an effective means of authentication.

Today we carry a number of documents, each designed to provide proof of our identity. We simultaneously expect schools, employers, friends and other agents to be ready to offer proof of our claims. Did we graduate? Did we work there? Are we of good character? Did we receive a particular certificate?

Insurance companies, airlines, merchants, hotels and banks all provide cards and other means of identification, each designed to inform someone of our rights, privileges or capabilities.

But, and this is a big but, we do not have an effective and convenient way of sharing these rights, attributes and privileges on the internet. We let people identify themselves with user IDs and passwords. As the number of digital relationships grows, the challenge of maintaining secure passwords gets worse. As phishing and vishing attacks have become more sophisticated, the risks, fraud and losses have escalated.

We understand these challenges: we helped to secure card payment systems, were involved in defining new authentication standards, and have seen and been exposed to way more ideas than necessary. We are happy to help your organization secure its consumer and employee relationships.

Making you you – A question of Identity

The Economist | Making you you https://www.economist.com/node/21755427?frsc=dg%7Ce

An intriguing question: who defines our identity? Is it the certificate that may or may not have been issued to our parents at birth, assuming some entity has that role? Who is this entity with the right to guarantee that you are you or that I am Philip?

When we hear of the challenges some must deal with in order to vote, we quickly realize that it is others who hold the ability to define our identity or, for that matter, to alter or erase it.

This article explores the history of systems developed to create means of linking an individual to the assets, obligations and rights they possess. What is clear is that it is another who defines and establishes society’s means of establishing your identity.

As we move into the world of virtual identity, there are those who are seeking, and have sought, to assume what was often the role of the village elders, the church or, most often, the government.

Are we the people comfortable with these technocrats, in it for profit, becoming the ordinators of our identity? Clearly advertisers and those seeking to take advantage happily collect data about us and will happily use this data to push us to buy what they want to sell, or to take advantage of us in ways we may not be able to recover from.

For those of you inclined to think about the question of identity, I recommend reading what The Economist has to say.

Of Identity and Authentication in a Connected World of Things

Various engagements and conversations pull me into thinking about the realities and the necessities of this emerging world of connected people, objects and thoughts.

Looking back, this topic has been part of my life since 1982, when I was first introduced to the concept of a smart card. At that time we spoke of using the smart card to securely configure a trading desk on Wall Street and in the City of London. The goal was to securely and automatically configure the voice, video and digital support for a particular market trader.

In 1993, when I was tasked to drive the development of EMV, we could have talked about the fact that we were creating a means of secure digital identity: a trusted identity document based on the trust that existed between the cardholder and the financial institution.

Instead we talked about:

  • Card Authentication (“the CAM”), now called Data Authentication, to assure the card was unique and genuine.
  • Cardholder Verification (“the CVM”) to verify the right user was presenting the card.
  • Card risk management to allow the issuer to support authorization in an offline world.
  • Should we include an electronic purse to support low value transactions?

Today the debit card could easily be enabled as a secure means of digital identification, with the financial institution being the trusted party. Simply knowing the public key of the international or domestic debit card payment scheme lets the party reading the card confirm that this card was issued to the person by that financial institution: the scheme’s key certifies the issuer’s key, and the issuer’s key certifies the key on the card.
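The chain that paragraph relies on, as an added example rather than the author’s or any payment scheme’s code: the terminal trusts only the scheme’s public key, the scheme certifies the issuer’s key, the issuer certifies the card’s key, and the card proves it holds the matching private key by signing a fresh unpredictable number. Real EMV uses RSA certificates in a fixed byte layout; the ECDSA keys, the toy certificate format, the party names and the error strings here are assumptions made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// signedKey is a toy certificate (assumed format, not EMV's): a public key
// plus the signature the next party up the chain made over that key.
type signedKey struct {
	Key *ecdsa.PublicKey
	Sig []byte
}

// Party is a scheme, issuer or card: a private key plus its certificate.
type Party struct {
	priv *ecdsa.PrivateKey
	cert signedKey
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// keyBytes gives a canonical encoding of a public key so it can be signed.
func keyBytes(pub *ecdsa.PublicKey) []byte {
	b, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		panic(err)
	}
	return b
}

func sign(priv *ecdsa.PrivateKey, msg []byte) []byte {
	h := sha256.Sum256(msg)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, h[:])
	if err != nil {
		panic(err)
	}
	return sig
}

func verify(pub *ecdsa.PublicKey, msg, sig []byte) bool {
	h := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

// issue creates a new party whose public key is certified by parent.
func issue(parent *ecdsa.PrivateKey) Party {
	k := newKey()
	pub := &k.PublicKey
	return Party{priv: k, cert: signedKey{Key: pub, Sig: sign(parent, keyBytes(pub))}}
}

// TerminalVerify is the reader's side. It holds only the scheme's public key,
// walks the chain scheme -> issuer -> card, then checks that the card signed
// the terminal's fresh nonce (the dynamic part of data authentication).
func TerminalVerify(schemePub *ecdsa.PublicKey, issuer, card signedKey, nonce, cardSig []byte) error {
	if !verify(schemePub, keyBytes(issuer.Key), issuer.Sig) {
		return errors.New("issuer key is not certified by the payment scheme")
	}
	if !verify(issuer.Key, keyBytes(card.Key), card.Sig) {
		return errors.New("card key is not certified by the issuer")
	}
	if !verify(card.Key, nonce, cardSig) {
		return errors.New("card could not prove possession of its private key")
	}
	return nil
}

// RunTransaction builds a scheme, an issuer and a card, then runs the terminal
// checks. With counterfeit set, the card carries an issuer key that the scheme
// never certified, so the terminal must reject it at the first step.
func RunTransaction(counterfeit bool) error {
	scheme := newKey()
	issuer := issue(scheme)
	if counterfeit {
		issuer = issue(newKey()) // certified by nobody the terminal trusts
	}
	card := issue(issuer.priv)

	nonce := make([]byte, 8) // constructed unpredictable number from the terminal
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	cardSig := sign(card.priv, nonce)
	return TerminalVerify(&scheme.PublicKey, issuer.cert, card.cert, nonce, cardSig)
}

func main() {
	fmt.Println("genuine card:", RunTransaction(false))
	fmt.Println("counterfeit card:", RunTransaction(true))
}
```

The point to notice is what the terminal needs to store: one public key per scheme, not a key per issuer or per card. Everything below the scheme key is delivered by the card itself and is only believed because the chain of signatures leads back to that one trusted key.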

While we in financial services focused on our requirements, the telecom industry was working on the SIM & GSM specifications under ETSI leadership. They created another form of secure digital identity. They focused on securing the identity of the communications channel and were less worried about making sure the right consumer was present, although there is the ability to let the user lock the SIM and now even the mobile phone.

In 2013 I had the opportunity to join the FIDO Board. Within that body, the objective was to separate the concept of identity from the act of authentication. It works from the premise that as digital relationships expand, the use of passwords and PINs becomes an issue. The FIDO Alliance also recognized that the only way to secure our digital world, as we secured payments and mobile communications, was with the introduction of multi-factor authentication rooted in the belief that the first factor had to be “what you have”: a secure element or enclave, TEE, TPM … capable of generating and/or storing secret (symmetric) and private (asymmetric) keys unique to the object and, more importantly, unique to the relationship.
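As an added example of the “unique to the relationship” property described above (my own simplification, not FIDO Alliance code and not the U2F or FIDO2 wire format): a device mints one key pair per relying party, the relying party stores only the public half, and each authentication is a signature over a fresh challenge bound to the relying party’s identifier. The relying-party ids bank.example, shop.example and bank-login.example, the user name and the challenge binding format are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator models the "what you have" factor: a device that mints one
// key pair per relationship. Private keys are created on the device and
// never leave it; only the public half is handed out.
type Authenticator struct {
	keys map[string]*ecdsa.PrivateKey // relying-party id -> private key
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
}

// Register creates a fresh key pair scoped to rpID and returns the public
// key for that relying party to store against the user's account.
func (a *Authenticator) Register(rpID string) *ecdsa.PublicKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	a.keys[rpID] = k
	return &k.PublicKey
}

// Authenticate signs the relying party's challenge, bound to the rpID the
// client actually observed, with the key that belongs to that relationship.
func (a *Authenticator) Authenticate(rpID string, challenge []byte) ([]byte, error) {
	k, ok := a.keys[rpID]
	if !ok {
		return nil, fmt.Errorf("no credential registered for %q", rpID)
	}
	return ecdsa.SignASN1(rand.Reader, k, digest(rpID, challenge))
}

// digest binds the challenge to the relying party's identity (assumed format).
func digest(rpID string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(rpID+"|"), challenge...))
	return h[:]
}

// RelyingParty keeps one public key per user and verifies signed challenges.
type RelyingParty struct {
	ID    string
	creds map[string]*ecdsa.PublicKey // user -> public key
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, creds: map[string]*ecdsa.PublicKey{}}
}

func (rp *RelyingParty) Enroll(user string, pub *ecdsa.PublicKey) { rp.creds[user] = pub }

// NewChallenge issues a fresh random value so a captured signature cannot be replayed.
func (rp *RelyingParty) NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.creds[user]
	return ok && ecdsa.VerifyASN1(pub, digest(rp.ID, challenge), sig)
}

// Demo registers one device at two sites and reports three properties: the
// bank's credential verifies at the bank; a challenge presented from a
// look-alike origin yields no usable signature, because the device has no key
// scoped to that origin; and the two sites hold unrelated public keys for the
// same user, so they cannot link the person across relationships.
func Demo() (genuineOK, lookalikeOK, keysUnlinkable bool) {
	dev := NewAuthenticator()
	bank := NewRelyingParty("bank.example") // constructed relying-party ids
	shop := NewRelyingParty("shop.example")
	bank.Enroll("philip", dev.Register(bank.ID))
	shop.Enroll("philip", dev.Register(shop.ID))

	c := bank.NewChallenge()
	sig, err := dev.Authenticate(bank.ID, c)
	genuineOK = err == nil && bank.Verify("philip", c, sig)

	sig, err = dev.Authenticate("bank-login.example", c) // constructed look-alike id
	lookalikeOK = err == nil && bank.Verify("philip", c, sig)

	keysUnlinkable = !bank.creds["philip"].Equal(shop.creds["philip"])
	return
}

func main() {
	g, l, u := Demo()
	fmt.Println("genuine:", g, "look-alike accepted:", l, "keys unlinkable:", u)
}
```

Contrast this with a password: one secret reused across relationships that must be typed into whatever page asks for it. Here nothing reusable leaves the device, the relying party stores only public material, and the key the bank knows is simply never used anywhere except for the bank.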

Clearly identity and authentication are essential to secure relationships. And, in a digital world, communication is the mechanism that connects people and things together.

Helping consumers manage their relationships while assuring privacy is an interesting angle. If I am understanding your platform, at least at the level of the subscription for telecommunications services, this is what you are helping to manage.

Anyway. Back to the pitch. I would like to see about scheduling another conversation and figure out if there is anything I can do to earn an income and create revenue for you.