Operations // Identity & Access Management
7/16/2014
12:00 PM
Andre Boysen
Andre Boysen
Commentary
100%
0%

Passwords & The Future Of Identity: Payment Networks?

The solution to the omnipresent and enduring password problem may be closer than you think.

We all know that the user ID/password model is antiquated. Everyone from consumers, to service providers, to merchants, to identerati (those that live and breathe identity all day) complain about passwords and the need to eradicate them from the world.

Access to online services needs to scale -- without requiring new credentials each time someone wants to use a new service or site. We’ve seen this model before, and interact with it every day. The payment cards model offers hope for a more efficient identity future. Let’s take a closer look.

Imagine if you needed a different credit card for each merchant you visited. You probably wouldn’t visit many and there would be almost zero utility to each card. The payments card industry realized this and created an ecosystem built on interoperability and standards, with a few different stakeholders:

Financial institutions. These stakeholders back the card issuers by providing the actual funds and that fuel the payment system because they ensure merchants are paid. They also invest heavily in ensuring data privacy and securing accessibility to funds.
Card issuers. These are trusted brands with which consumers share their financial information and agree to pay on the terms of the service agreement. Merchants trust them because they know they will be paid. These are high-value accounts that consumers keep protected and trust that the bank will too.
Payment cards (credit and debit). The payment card numbers provide enough detail that the account is legitimate and valid. They are built on standards that ensure interoperability between banks, merchants, and consumers. They are also easy for consumers to use and trusted by merchants.
Merchants. Online or brick-and-mortar, most merchants accept credit or debit card payments.
Consumers. People just want to buy what they want to buy, and payment cards offer a vehicle. Consumers keep these protected, yet can use them nearly anywhere.

With that basic model, let’s look at how it can be applied to identity and stakeholders:

Financial institutions/identity issuers. Consumers already have deep relationships with financial institutions they trust, and these organizations already invest heavily in security and privacy. It would be a logical extension for them to serve a role in an identity model of the future. After all, identity and payment information are each high-value, personal, and necessary to transact business. Consumers have choices of who they want to engage with, just like their banking decisions. Great for users, and great for providers -- brand extension, sticky service, new revenue streams.
Mobile devices. Like the credit cards that people carry everywhere, mobile devices rarely leave someone’s side. They are the personal devices people rely on most -- especially in an increasingly mobile and connected world. By anchoring consumer IDs in the device, passwords can be eradicated while still providing the proof of identity when needed to access the online services people want or need. This can happen without mobile operator support, but there is new revenue if they get behind it.
Merchants. Applying this model of identity, like credit/debit cards, merchants get out of the business of credential issuance and into the role of credential acceptance. The mobile device ID provides the proof of identity, like a credit/debit card, and authenticates the transaction. In payments, merchants want good funds without regard for card issuer. There is more scale for them if they go this way for identity and authentication.
Consumers. Like credit cards, consumers simply want identity to work. Consumers choose which of their devices to trust (and how to authenticate one) and which identity issuer to trust. Now, consumer ID can be anchored in devices that consumers trust (and protect), and can be used to engage with the merchants and brands they want -- without having to create new unique credentials at each merchant.

As an industry, we need look to payment networks as the future of identity. This approach will make it easier and more convenient for users to be secure -- and harder for hackers to get the identity jewels. It also would make it easy for everyday people (and harder for the bad guys). It’s a model that is already built on trust with credit card providers and security with financial institutions. It’s what we can emulate in today’s mobile world where devices are always with people to serve as their personal identity keys. 

Andre is responsible for positioning SecureKey's growth strategy, cultivating opportunities in new and existing markets and promoting demand for the company's solutions globally. He serves as SecureKey's digital identity evangelist. Prior to joining SecureKey, he co-founded ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
andre.boysen
50%
50%
andre.boysen,
User Rank: Author
7/19/2014 | 1:19:06 PM
Re: cards vs devices
The issue of concentration risk comes up a lot. I agree that a simple app on a phone is not a great way to go. A trust model has to go with it. The app is simple, but the security model is sophisticated. If you take out the word mobile and substitute in the word debit card in your argument, you might make the assertion that consumers would face great peril in payment networks. Experience shows that is not true. Users are careful with their payment cards, as they are with their mobile phones. Possession of the payment card alone is insufficient - a PIN is also required. On mobile a PIN can be used and now a fingerprint on iOS and Android can be used as well. Payment cards outside the US use EMV - an order of magnitude more secure than magstripe cards. Similar techniques are emerging for mobile and consumer devices to do the same thing - FIDO is an example here. Also important is the layered security model in place for cards which will also be used for identity management - risk based assessment of every transaction helps protect users. Revocation for cards and phones is already easy for users - remote wipes for modern smart phones is pretty easier for users to accomplish.
Robert McDougal
50%
50%
Robert McDougal,
User Rank: Ninja
7/18/2014 | 12:10:58 PM
Re: cards vs devices
Gev,

I agree with you on this point.  If the identification method is simply an app on a mobile phone then it is only a matter of time before it is hacked.  Also, if someone leaves their phone unattended while they go to lunch their co-workers can access their facebook, banking account, and make some purchases on amazon.  

Something needs to be done, but at this point in time I am not comfortable with the idea of using my phone as my identification method.
James McCloskey
50%
50%
James McCloskey,
User Rank: Apprentice
7/17/2014 | 4:35:45 PM
Banks vs ... postal services?
Excellent post, Andre.  I agree that there ultimately needs to be some "payment card-like" (common, trusted, highly-usable) approach to identity services, but I also agree with gev's implicit distrust of a bank-centric model.

You noted the USPS FCCX initiative, and I think that's not a bad concept to pursue.  After all, when it comes right down to it, national postal services' core function is the secure delivery of information: you put something in the mail for me, and after some period of time, it arrives.  As government agencies (or at least affiliated), and with points of presence located across each country already, I think that there is a good argument to be made for having a federation of national postal services providing the basis for intra- and inter-nation identity services.
andre.boysen
50%
50%
andre.boysen,
User Rank: Author
7/17/2014 | 2:53:47 PM
Re: interesting idea
My own perspective is this story, while it may be embarassing, is really not endightment of the whole banking system. Incidents like this are rare for banks in Canada. 

Banks, and especially banks in Canada, are globally regarded as well managed and good stewards of trust and a pillar for the economy. 

 

 

 
gev
50%
50%
gev,
User Rank: Moderator
7/17/2014 | 2:46:21 PM
Re: interesting idea
yes it does, since we are talking about financial institutions, standards and trust.

if Canada's financial institution is allowed to be so woofoly lacking in securing its own atms how can we trust it to maintain our identities?
andre.boysen
50%
50%
andre.boysen,
User Rank: Author
7/17/2014 | 2:42:45 PM
Re: interesting idea
I think I found the story you are talking about. 

http://news.nationalpost.com/2014/06/10/two-boys-show-bmo-how-to-hack-into-atms-branch-manager-sends-note-excusing-them-for-being-late-to-class/

This story has nothing to do with cards. The access for the ATM for operations staff was secured by a simple password with no card required at all. 

Actually, had a card been required by operaitons personnel to access ATM admin functions then there would not have been a story. 

 
gev
50%
50%
gev,
User Rank: Moderator
7/17/2014 | 2:34:17 PM
Re: interesting idea
I recall reading an article here about a month ago about school kids hacking BOM ATM partly because the password was exactly 6 char long.

I realise that Montreal is not in BC, but still it is in Canada. I wonder in the attitude to bank security is the same though.

If so, this discussion sounds a bit funny.
andre.boysen
50%
50%
andre.boysen,
User Rank: Author
7/17/2014 | 2:32:06 PM
Re: cards vs devices
Hi Gev

 

I am not sure I understand your comment - can you elaborate?
gev
50%
50%
gev,
User Rank: Moderator
7/17/2014 | 2:24:40 PM
cards vs devices
there is a huge difference between cards and devices. cards are not connected. that is what makes them a good identity instrument. as soon as you connect something to the outside world - it is just the matter of time before it gets hacked.

 
andre.boysen
50%
50%
andre.boysen,
User Rank: Author
7/17/2014 | 1:34:48 PM
Re: interesting idea
Authentication standards are vital to overcoming the problems with the current model. Users are being asked to learn access behaviors everyday. Passwords, OTP, SMS, finger scan, or look at the camera and say "boo!" - this will normalize the noise and make it harder for users to recognize attack vectors. 

Cars work well because the steering, gas pedal, brake and turn signals are all in the same place. So to with payment rituals - all the card schemes do it the same way. 
Page 1 / 2   >   >>
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-8142
Published: 2014-12-20
Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x before 5.6.4 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate keys w...

CVE-2013-4440
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 generates weak non-tty passwords, which makes it easier for context-dependent attackers to guess the password via a brute-force attack.

CVE-2013-4442
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 uses weak pseudo generated numbers when /dev/urandom is unavailable, which makes it easier for context-dependent attackers to guess the numbers.

CVE-2013-7401
Published: 2014-12-19
The parse_request function in request.c in c-icap 0.2.x allows remote attackers to cause a denial of service (crash) via a URI without a " " or "?" character in an ICAP request, as demonstrated by use of the OPTIONS method.

CVE-2014-2026
Published: 2014-12-19
Cross-site scripting (XSS) vulnerability in the search functionality in United Planet Intrexx Professional before 5.2 Online Update 0905 and 6.x before 6.0 Online Update 10 allows remote attackers to inject arbitrary web script or HTML via the request parameter.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.