Dark Reading is part of the Informa Tech Division of Informa PLC


7/16/2014
12:00 PM
Andre Boysen
Commentary

Passwords & The Future Of Identity: Payment Networks?

The solution to the omnipresent and enduring password problem may be closer than you think.

We all know that the user ID/password model is antiquated. Everyone from consumers, to service providers, to merchants, to identerati (those that live and breathe identity all day) complains about passwords and the need to eradicate them from the world.

Access to online services needs to scale -- without requiring new credentials each time someone wants to use a new service or site. We’ve seen this model before, and interact with it every day. The payment cards model offers hope for a more efficient identity future. Let’s take a closer look.

Imagine if you needed a different credit card for each merchant you visited. You probably wouldn’t visit many and there would be almost zero utility to each card. The payments card industry realized this and created an ecosystem built on interoperability and standards, with a few different stakeholders:

Financial institutions. These stakeholders back the card issuers by providing the actual funds, and they fuel the payment system because they ensure merchants are paid. They also invest heavily in ensuring data privacy and securing accessibility to funds.
Card issuers. These are trusted brands with which consumers share their financial information and agree to pay on the terms of the service agreement. Merchants trust them because they know they will be paid. These are high-value accounts that consumers keep protected and trust that the bank will too.
Payment cards (credit and debit). The payment card numbers provide enough detail to show that the account is legitimate and valid. They are built on standards that ensure interoperability between banks, merchants, and consumers. They are also easy for consumers to use and trusted by merchants.
Merchants. Online or brick-and-mortar, most merchants accept credit or debit card payments.
Consumers. People just want to buy what they want to buy, and payment cards offer a vehicle. Consumers keep these protected, yet can use them nearly anywhere.

With that basic model, let’s look at how it can be applied to identity and stakeholders:

Financial institutions/identity issuers. Consumers already have deep relationships with financial institutions they trust, and these organizations already invest heavily in security and privacy. It would be a logical extension for them to serve a role in an identity model of the future. After all, identity and payment information are each high-value, personal, and necessary to transact business. Consumers have choices of who they want to engage with, just like their banking decisions. Great for users, and great for providers -- brand extension, sticky service, new revenue streams.
Mobile devices. Like the credit cards that people carry everywhere, mobile devices rarely leave someone’s side. They are the personal devices people rely on most -- especially in an increasingly mobile and connected world. By anchoring consumer IDs in the device, passwords can be eradicated while still providing the proof of identity when needed to access the online services people want or need. This can happen without mobile operator support, but there is new revenue if they get behind it.
Merchants. Applying this model of identity, like credit/debit cards, merchants get out of the business of credential issuance and into the role of credential acceptance. The mobile device ID provides the proof of identity, like a credit/debit card, and authenticates the transaction. In payments, merchants want good funds without regard for card issuer. There is more scale for them if they go this way for identity and authentication.
Consumers. Like credit cards, consumers simply want identity to work. Consumers choose which of their devices to trust (and how to authenticate one) and which identity issuer to trust. Now, consumer ID can be anchored in devices that consumers trust (and protect), and can be used to engage with the merchants and brands they want -- without having to create new unique credentials at each merchant.

As an industry, we need to look to payment networks as the future of identity. This approach will make it easier and more convenient for users to be secure -- and harder for hackers to get the identity jewels. It also would make it easy for everyday people (and harder for the bad guys). It’s a model that is already built on trust with credit card providers and security with financial institutions. It’s what we can emulate in today’s mobile world where devices are always with people to serve as their personal identity keys.

Andre is responsible for positioning SecureKey's growth strategy, cultivating opportunities in new and existing markets and promoting demand for the company's solutions globally. He serves as SecureKey's digital identity evangelist. Prior to joining SecureKey, he co-founded ...
Comments
geriatric,
User Rank: Moderator
7/16/2014 | 3:06:10 PM
Identity Management
So - are you saying that the financial institution would be involved with iDm? OK, but what happens when the member/customer wants to switch? And how would you propose handling mergers? Would the identity repository be owned by a consortium of FIs? Perhaps an indirect entity à la NACHA? Just curious what you have in mind.
andre.boysen,
User Rank: Author
7/16/2014 | 7:06:42 PM
Re: Identity Management
Yes, banks and wireless carriers are in a great position to serve the consumer to access many online destinations - much like credit cards help consumers interact with merchants today. It is important to recognize that at least two distinct services are required - one for authentication and one for identity services - auth is required for sure, identity services can be provided by banks or other providers in the network. Credential switching from bank1 to bank2 is supported in the Canadian model - www.securekeyconcierge.com - where Canadians can use banks to access public sector services of all kinds. As to mergers, it will be a biz decision whether to merge the brands or not, but to the extent they do merge brands, the credential switching model above could facilitate it. NACHA is very well situated to help run such a network, but it is important to keep the credentials with the proper providers.
Marilyn Cohodas,
User Rank: Strategist
7/17/2014 | 8:56:57 AM
interesting idea
This is a very interesting idea, Andre. Is there more to it than a theoretical model? That is, is anyone actively working to build such a system or pull together an alliance (such as FIDO) to generate a consensus on issues like interoperability, standards etc. to make it work?
andre.boysen,
User Rank: Author
7/17/2014 | 9:09:52 AM
Re: interesting idea
Thanks Marilyn

There are two examples for this approach - one I mentioned in the previous comment is in use by the Government of Canada. The second example is in the process of launching with USPS called FCCX (federal cloud credential exchange). The interop and standards continue to develop and evolve thru Kantara and OIX.

FIDO is going to be important as dynamic authentication overtakes passwords as the primary authentication methodology. FIDO will be like Bluetooth whereby when users buy personal devices at the store (mobile, tablet, laptop etc) they will be able to bring them home and pair them with their webservices to anchor their digital identity.
Dr.T,
User Rank: Ninja
7/17/2014 | 12:16:04 PM
NFC
If we can make NFC common and secure that can help us to authenticate and authorize users in an automated and secure way. For it to work it needs to be a common protocol that is being utilized by different systems.
Dr.T,
User Rank: Ninja
7/17/2014 | 12:17:56 PM
Re: interesting idea
We need to find a common protocol to avoid problems that would come with it. One of the reasons the Internet is the Internet today is because it has a common protocol: TCP/IP.
andre.boysen,
User Rank: Author
7/17/2014 | 1:30:23 PM
Re: NFC
I agree that NFC has potential to make this much easier for users to enrol and recover for both services and devices. NFC is already widely used for payment cards around the globe and more and more consumer electronics are coming with reader technology.

The Province of British Columbia in Canada has included a contactless NFC chip based on payment technology in their newest generation Services Card. It will transform how BC serves online and in person for citizens there. It will also one day facilitate citizens accessing services outside BC. Things like opening a bank account line, or being able to electronically sign a letter of permission for a child to go on a school trip, or even eVoting.
andre.boysen,
User Rank: Author
7/17/2014 | 1:34:48 PM
Re: interesting idea
Authentication standards are vital to overcoming the problems with the current model. Users are being asked to learn access behaviors every day. Passwords, OTP, SMS, finger scan, or look at the camera and say "boo!" - this will normalize the noise and make it harder for users to recognize attack vectors.

Cars work well because the steering, gas pedal, brake and turn signals are all in the same place. So too with payment rituals - all the card schemes do it the same way.
gev,
User Rank: Moderator
7/17/2014 | 2:24:40 PM
cards vs devices
There is a huge difference between cards and devices. Cards are not connected. That is what makes them a good identity instrument. As soon as you connect something to the outside world - it is just a matter of time before it gets hacked.
andre.boysen,
User Rank: Author
7/17/2014 | 2:32:06 PM
Re: cards vs devices
Hi Gev

I am not sure I understand your comment - can you elaborate?