Operations // Identity & Access Management
7/16/2014
12:00 PM
Andre Boysen
Andre Boysen
Commentary
100%
0%

Passwords & The Future Of Identity: Payment Networks?

The solution to the omnipresent and enduring password problem may be closer than you think.

We all know that the user ID/password model is antiquated. Everyone from consumers, to service providers, to merchants, to identerati (those that live and breathe identity all day) complain about passwords and the need to eradicate them from the world.

Access to online services needs to scale -- without requiring new credentials each time someone wants to use a new service or site. We’ve seen this model before, and interact with it every day. The payment cards model offers hope for a more efficient identity future. Let’s take a closer look.

Imagine if you needed a different credit card for each merchant you visited. You probably wouldn’t visit many and there would be almost zero utility to each card. The payments card industry realized this and created an ecosystem built on interoperability and standards, with a few different stakeholders:

Financial institutions. These stakeholders back the card issuers by providing the actual funds and that fuel the payment system because they ensure merchants are paid. They also invest heavily in ensuring data privacy and securing accessibility to funds.
Card issuers. These are trusted brands with which consumers share their financial information and agree to pay on the terms of the service agreement. Merchants trust them because they know they will be paid. These are high-value accounts that consumers keep protected and trust that the bank will too.
Payment cards (credit and debit). The payment card numbers provide enough detail that the account is legitimate and valid. They are built on standards that ensure interoperability between banks, merchants, and consumers. They are also easy for consumers to use and trusted by merchants.
Merchants. Online or brick-and-mortar, most merchants accept credit or debit card payments.
Consumers. People just want to buy what they want to buy, and payment cards offer a vehicle. Consumers keep these protected, yet can use them nearly anywhere.

With that basic model, let’s look at how it can be applied to identity and stakeholders:

Financial institutions/identity issuers. Consumers already have deep relationships with financial institutions they trust, and these organizations already invest heavily in security and privacy. It would be a logical extension for them to serve a role in an identity model of the future. After all, identity and payment information are each high-value, personal, and necessary to transact business. Consumers have choices of who they want to engage with, just like their banking decisions. Great for users, and great for providers -- brand extension, sticky service, new revenue streams.
Mobile devices. Like the credit cards that people carry everywhere, mobile devices rarely leave someone’s side. They are the personal devices people rely on most -- especially in an increasingly mobile and connected world. By anchoring consumer IDs in the device, passwords can be eradicated while still providing the proof of identity when needed to access the online services people want or need. This can happen without mobile operator support, but there is new revenue if they get behind it.
Merchants. Applying this model of identity, like credit/debit cards, merchants get out of the business of credential issuance and into the role of credential acceptance. The mobile device ID provides the proof of identity, like a credit/debit card, and authenticates the transaction. In payments, merchants want good funds without regard for card issuer. There is more scale for them if they go this way for identity and authentication.
Consumers. Like credit cards, consumers simply want identity to work. Consumers choose which of their devices to trust (and how to authenticate one) and which identity issuer to trust. Now, consumer ID can be anchored in devices that consumers trust (and protect), and can be used to engage with the merchants and brands they want -- without having to create new unique credentials at each merchant.

As an industry, we need look to payment networks as the future of identity. This approach will make it easier and more convenient for users to be secure -- and harder for hackers to get the identity jewels. It also would make it easy for everyday people (and harder for the bad guys). It’s a model that is already built on trust with credit card providers and security with financial institutions. It’s what we can emulate in today’s mobile world where devices are always with people to serve as their personal identity keys. 

Andre is responsible for positioning SecureKey's growth strategy, cultivating opportunities in new and existing markets and promoting demand for the company's solutions globally. He serves as SecureKey's digital identity evangelist. Prior to joining SecureKey, he co-founded ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
andre.boysen
50%
50%
andre.boysen,
User Rank: Author
7/19/2014 | 1:19:06 PM
Re: cards vs devices
The issue of concentration risk comes up a lot. I agree that a simple app on a phone is not a great way to go. A trust model has to go with it. The app is simple, but the security model is sophisticated. If you take out the word mobile and substitute in the word debit card in your argument, you might make the assertion that consumers would face great peril in payment networks. Experience shows that is not true. Users are careful with their payment cards, as they are with their mobile phones. Possession of the payment card alone is insufficient - a PIN is also required. On mobile a PIN can be used and now a fingerprint on iOS and Android can be used as well. Payment cards outside the US use EMV - an order of magnitude more secure than magstripe cards. Similar techniques are emerging for mobile and consumer devices to do the same thing - FIDO is an example here. Also important is the layered security model in place for cards which will also be used for identity management - risk based assessment of every transaction helps protect users. Revocation for cards and phones is already easy for users - remote wipes for modern smart phones is pretty easier for users to accomplish.
Robert McDougal
50%
50%
Robert McDougal,
User Rank: Ninja
7/18/2014 | 12:10:58 PM
Re: cards vs devices
Gev,

I agree with you on this point.  If the identification method is simply an app on a mobile phone then it is only a matter of time before it is hacked.  Also, if someone leaves their phone unattended while they go to lunch their co-workers can access their facebook, banking account, and make some purchases on amazon.  

Something needs to be done, but at this point in time I am not comfortable with the idea of using my phone as my identification method.
James McCloskey
50%
50%
James McCloskey,
User Rank: Apprentice
7/17/2014 | 4:35:45 PM
Banks vs ... postal services?
Excellent post, Andre.  I agree that there ultimately needs to be some "payment card-like" (common, trusted, highly-usable) approach to identity services, but I also agree with gev's implicit distrust of a bank-centric model.

You noted the USPS FCCX initiative, and I think that's not a bad concept to pursue.  After all, when it comes right down to it, national postal services' core function is the secure delivery of information: you put something in the mail for me, and after some period of time, it arrives.  As government agencies (or at least affiliated), and with points of presence located across each country already, I think that there is a good argument to be made for having a federation of national postal services providing the basis for intra- and inter-nation identity services.
andre.boysen
50%
50%
andre.boysen,
User Rank: Author
7/17/2014 | 2:53:47 PM
Re: interesting idea
My own perspective is this story, while it may be embarassing, is really not endightment of the whole banking system. Incidents like this are rare for banks in Canada. 

Banks, and especially banks in Canada, are globally regarded as well managed and good stewards of trust and a pillar for the economy. 

 

 

 
gev
50%
50%
gev,
User Rank: Moderator
7/17/2014 | 2:46:21 PM
Re: interesting idea
yes it does, since we are talking about financial institutions, standards and trust.

if Canada's financial institution is allowed to be so woofoly lacking in securing its own atms how can we trust it to maintain our identities?
andre.boysen
50%
50%
andre.boysen,
User Rank: Author
7/17/2014 | 2:42:45 PM
Re: interesting idea
I think I found the story you are talking about. 

http://news.nationalpost.com/2014/06/10/two-boys-show-bmo-how-to-hack-into-atms-branch-manager-sends-note-excusing-them-for-being-late-to-class/

This story has nothing to do with cards. The access for the ATM for operations staff was secured by a simple password with no card required at all. 

Actually, had a card been required by operaitons personnel to access ATM admin functions then there would not have been a story. 

 
gev
50%
50%
gev,
User Rank: Moderator
7/17/2014 | 2:34:17 PM
Re: interesting idea
I recall reading an article here about a month ago about school kids hacking BOM ATM partly because the password was exactly 6 char long.

I realise that Montreal is not in BC, but still it is in Canada. I wonder in the attitude to bank security is the same though.

If so, this discussion sounds a bit funny.
andre.boysen
50%
50%
andre.boysen,
User Rank: Author
7/17/2014 | 2:32:06 PM
Re: cards vs devices
Hi Gev

 

I am not sure I understand your comment - can you elaborate?
gev
50%
50%
gev,
User Rank: Moderator
7/17/2014 | 2:24:40 PM
cards vs devices
there is a huge difference between cards and devices. cards are not connected. that is what makes them a good identity instrument. as soon as you connect something to the outside world - it is just the matter of time before it gets hacked.

 
andre.boysen
50%
50%
andre.boysen,
User Rank: Author
7/17/2014 | 1:34:48 PM
Re: interesting idea
Authentication standards are vital to overcoming the problems with the current model. Users are being asked to learn access behaviors everyday. Passwords, OTP, SMS, finger scan, or look at the camera and say "boo!" - this will normalize the noise and make it harder for users to recognize attack vectors. 

Cars work well because the steering, gas pedal, brake and turn signals are all in the same place. So to with payment rituals - all the card schemes do it the same way. 
Page 1 / 2   >   >>
More Blogs from Commentary
The Perfect InfoSec Mindset: Paranoia + Skepticism
A little skeptical paranoia will ensure that you have the impulse to react quickly to new threats while retaining the logic to separate fact from fiction.
Weak Password Advice From Microsoft
Tempting as it may seem to do away with strong passwords for low-risk websites, password reuse is still a significant threat to both users and business.
Internet of Things: 4 Security Tips From The Military
The military has been connecting mobile command posts, unmanned vehicles, and wearable computers for decades. Itís time to take a page from their battle plan.
Passwords Be Gone! Removing 4 Barriers To Strong Authentication
As biometric factors become more prevalent on mobile devices, FIDO Alliance standards will gain traction as an industry-wide authentication solution.
RAM Scraper Malware: Why PCI DSS Can't Fix Retail
There is a gaping hole in the pre-eminent industry security standard aimed at protecting customers, credit card and personal data
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0103
Published: 2014-07-29
WebAccess in Zarafa before 7.1.10 and WebApp before 1.6 stores credentials in cleartext, which allows local Apache users to obtain sensitive information by reading the PHP session files.

CVE-2014-0475
Published: 2014-07-29
Multiple directory traversal vulnerabilities in GNU C Library (aka glibc or libc6) before 2.20 allow context-dependent attackers to bypass ForceCommand restrictions and possibly have other unspecified impact via a .. (dot dot) in a (1) LC_*, (2) LANG, or other locale environment variable.

CVE-2014-2226
Published: 2014-07-29
Ubiquiti UniFi Controller before 3.2.1 logs the administrative password hash in syslog messages, which allows man-in-the-middle attackers to obtains sensitive information via unspecified vectors.

CVE-2014-3541
Published: 2014-07-29
The Repositories component in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote attackers to conduct PHP object injection attacks and execute arbitrary code via serialized data associated with an add-on.

CVE-2014-3542
Published: 2014-07-29
mod/lti/service.php in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) is...

Best of the Web
Dark Reading Radio