7/16/2014
12:00 PM
Andre Boysen
Commentary

Passwords & The Future Of Identity: Payment Networks?

The solution to the omnipresent and enduring password problem may be closer than you think.

We all know that the user ID/password model is antiquated. Everyone from consumers, to service providers, to merchants, to identerati (those who live and breathe identity all day) complains about passwords and the need to eradicate them from the world.

Access to online services needs to scale -- without requiring new credentials each time someone wants to use a new service or site. We’ve seen this model before, and interact with it every day. The payment cards model offers hope for a more efficient identity future. Let’s take a closer look.

Imagine if you needed a different credit card for each merchant you visited. You probably wouldn’t visit many and there would be almost zero utility to each card. The payment card industry realized this and created an ecosystem built on interoperability and standards, with a few different stakeholders:

Financial institutions. These stakeholders back the card issuers by providing the actual funds that fuel the payment system, because they ensure merchants are paid. They also invest heavily in ensuring data privacy and securing accessibility to funds.
Card issuers. These are trusted brands with which consumers share their financial information and agree to pay on the terms of the service agreement. Merchants trust them because they know they will be paid. These are high-value accounts that consumers keep protected and trust that the bank will too.
Payment cards (credit and debit). The payment card numbers provide enough detail to show that the account is legitimate and valid. They are built on standards that ensure interoperability between banks, merchants, and consumers. They are also easy for consumers to use and trusted by merchants.
Merchants. Online or brick-and-mortar, most merchants accept credit or debit card payments.
Consumers. People just want to buy what they want to buy, and payment cards offer a vehicle. Consumers keep these protected, yet can use them nearly anywhere.

With that basic model, let’s look at how it can be applied to identity and stakeholders:

Financial institutions/identity issuers. Consumers already have deep relationships with financial institutions they trust, and these organizations already invest heavily in security and privacy. It would be a logical extension for them to serve a role in an identity model of the future. After all, identity and payment information are each high-value, personal, and necessary to transact business. Consumers have choices of who they want to engage with, just like their banking decisions. Great for users, and great for providers -- brand extension, sticky service, new revenue streams.
Mobile devices. Like the credit cards that people carry everywhere, mobile devices rarely leave someone’s side. They are the personal devices people rely on most -- especially in an increasingly mobile and connected world. By anchoring consumer IDs in the device, passwords can be eradicated while still providing the proof of identity when needed to access the online services people want or need. This can happen without mobile operator support, but there is new revenue if they get behind it.
Merchants. Under this model of identity, as with credit/debit cards, merchants get out of the business of credential issuance and into the role of credential acceptance. The mobile device ID provides the proof of identity, like a credit/debit card, and authenticates the transaction. In payments, merchants want good funds without regard for the card issuer. There is more scale for them if they go this way for identity and authentication.
Consumers. Like credit cards, consumers simply want identity to work. Consumers choose which of their devices to trust (and how to authenticate one) and which identity issuer to trust. Now, consumer ID can be anchored in devices that consumers trust (and protect), and can be used to engage with the merchants and brands they want -- without having to create new unique credentials at each merchant.

As an industry, we need to look to payment networks as the future of identity. This approach will make it easier and more convenient for users to be secure -- and harder for hackers to get the identity jewels. It also would make it easy for everyday people (and harder for the bad guys). It’s a model that is already built on trust with credit card providers and security with financial institutions. It’s what we can emulate in today’s mobile world where devices are always with people to serve as their personal identity keys.

Andre is responsible for positioning SecureKey's growth strategy, cultivating opportunities in new and existing markets and promoting demand for the company's solutions globally. He serves as SecureKey's digital identity evangelist. Prior to joining SecureKey, he co-founded ...
Comments
andre.boysen
User Rank: Author
7/19/2014 | 1:19:06 PM
Re: cards vs devices
The issue of concentration risk comes up a lot. I agree that a simple app on a phone is not a great way to go. A trust model has to go with it. The app is simple, but the security model is sophisticated. If you take out the word mobile and substitute in the word debit card in your argument, you might make the assertion that consumers would face great peril in payment networks. Experience shows that is not true. Users are careful with their payment cards, as they are with their mobile phones. Possession of the payment card alone is insufficient - a PIN is also required. On mobile a PIN can be used and now a fingerprint on iOS and Android can be used as well. Payment cards outside the US use EMV - an order of magnitude more secure than magstripe cards. Similar techniques are emerging for mobile and consumer devices to do the same thing - FIDO is an example here. Also important is the layered security model in place for cards which will also be used for identity management - risk based assessment of every transaction helps protect users. Revocation for cards and phones is already easy for users - remote wipes for modern smart phones are pretty easy for users to accomplish.
Robert McDougal
User Rank: Ninja
7/18/2014 | 12:10:58 PM
Re: cards vs devices
Gev,

I agree with you on this point. If the identification method is simply an app on a mobile phone then it is only a matter of time before it is hacked. Also, if someone leaves their phone unattended while they go to lunch their co-workers can access their Facebook, banking account, and make some purchases on Amazon.

Something needs to be done, but at this point in time I am not comfortable with the idea of using my phone as my identification method.
James McCloskey
User Rank: Apprentice
7/17/2014 | 4:35:45 PM
Banks vs ... postal services?
Excellent post, Andre.  I agree that there ultimately needs to be some "payment card-like" (common, trusted, highly-usable) approach to identity services, but I also agree with gev's implicit distrust of a bank-centric model.

You noted the USPS FCCX initiative, and I think that's not a bad concept to pursue.  After all, when it comes right down to it, national postal services' core function is the secure delivery of information: you put something in the mail for me, and after some period of time, it arrives.  As government agencies (or at least affiliated), and with points of presence located across each country already, I think that there is a good argument to be made for having a federation of national postal services providing the basis for intra- and inter-nation identity services.
andre.boysen
User Rank: Author
7/17/2014 | 2:53:47 PM
Re: interesting idea
My own perspective is this story, while it may be embarrassing, is really not an indictment of the whole banking system. Incidents like this are rare for banks in Canada.

Banks, and especially banks in Canada, are globally regarded as well managed and good stewards of trust and a pillar for the economy.
gev
User Rank: Moderator
7/17/2014 | 2:46:21 PM
Re: interesting idea
yes it does, since we are talking about financial institutions, standards and trust.

if Canada's financial institution is allowed to be so woefully lacking in securing its own ATMs how can we trust it to maintain our identities?
andre.boysen
User Rank: Author
7/17/2014 | 2:42:45 PM
Re: interesting idea
I think I found the story you are talking about. 

http://news.nationalpost.com/2014/06/10/two-boys-show-bmo-how-to-hack-into-atms-branch-manager-sends-note-excusing-them-for-being-late-to-class/

This story has nothing to do with cards. The access for the ATM for operations staff was secured by a simple password with no card required at all. 

Actually, had a card been required by operations personnel to access ATM admin functions then there would not have been a story.
gev
User Rank: Moderator
7/17/2014 | 2:34:17 PM
Re: interesting idea
I recall reading an article here about a month ago about school kids hacking BOM ATM partly because the password was exactly 6 char long.

I realise that Montreal is not in BC, but still it is in Canada. I wonder if the attitude to bank security is the same though.

If so, this discussion sounds a bit funny.
andre.boysen
User Rank: Author
7/17/2014 | 2:32:06 PM
Re: cards vs devices
Hi Gev

I am not sure I understand your comment - can you elaborate?
gev
User Rank: Moderator
7/17/2014 | 2:24:40 PM
cards vs devices
there is a huge difference between cards and devices. cards are not connected. that is what makes them a good identity instrument. as soon as you connect something to the outside world - it is just the matter of time before it gets hacked.
andre.boysen
User Rank: Author
7/17/2014 | 1:34:48 PM
Re: interesting idea
Authentication standards are vital to overcoming the problems with the current model. Users are being asked to learn access behaviors every day. Passwords, OTP, SMS, finger scan, or look at the camera and say "boo!" - this will normalize the noise and make it harder for users to recognize attack vectors.

Cars work well because the steering, gas pedal, brake and turn signals are all in the same place. So too with payment rituals - all the card schemes do it the same way.