In the 1960’s the user name and password system for accessing computer systems was first deployed.
In mid 1970’s the ATM card and PIN was first deployed and this evolved into the now ubiquitous ATM card and Online PIN in the Eighties. Until this time PIN’s were a mixture of Online and Offline but as networks expanded and more sharing of networks happened
the Online PIN became the standard. What most people don’t realise is that the PIN is actually resident on the card.
These authentication methods are classed as two factor with one factor being the user name or ATM card provided to the user, the second being the PIN or password. The current use of User Name and Password where the user defines their Username and Password
(e.g. Mickey Mouse and Disneyland) in reality are just single factor and level of assurance one given that the users self certifies themselves.
The beauty of the user setting up their credentials mean that services can be provisioned ‘now’ and not have to wait for other processes to occur. The beast is that the user has to remember what details were set-up and the weakness of the authentication
that can be derived. The weakness of this is all knowledge is provided by the user setting up the credential and not provided by the party relying on the identity. Some username and password solutions that say validate the email via a separate transaction
or lock the use of the service to a physical device such as a mobile application can increase the trust level of the authentication.
So we now have a significant challenge as the costs to provide User Name and Password infrastructures come by default in many systems. The initial deployment costs are low but as we know the operational costs are high and for the end user they are often
not fit for purpose. Indeed we are starting to see various authentication methods being deployed by different organisations. These range from techniques that have little or no involvement of the end user through to techniques that require significant end
user effort.
For example little effort is needed where organisations are managing the ID of individuals through say the physical MAC address of the device or IP address. The other extreme is where an organisation checks the identity of the individual and provides them
with a physical token together with an assigned User Name.
Other techniques involving biometrics are being used on specific channels such as voice authentication for call centre initiated session and transactions. Indeed we are seeing multiple biometrics methods being used to validate identity by FaceBanx for in
home gaming applications. The use of multiple biometric factors is interesting as they use one to biometric reduce the set of matches and a second to uniquely identify the individual. The benefit of this technique to reduce the set of templates checked by
a biometric based authentication process. However, a one template to one set of biometric data is believe to be the accurate method of verifying biometric data.
With other biometrics now coming to the authentication market such as: heart rhythm, gesture (physical movement based characteristics) together with the existing methods based around the finger, face, voice or eye will find specific niches for End User authentication.
These successful methods will meet a specific business need rather than general ubiquitous method as the costs of development and implementation can be high.
The use of methods linked to what a user does on the internet using ‘Big Data’ / continuous authentication techniques and social media ID are growing rapidly. The two most popular are ‘facebook id’ / ‘google id’ to access other 3rd party sites where the
user and company are happy to share information about the identity being used. These and other company wide systems are now providing shared sign on infrastructure which could be used if a ubiquitous method can be found.
One approach being looked at is to combine a Big Data information such as location, continuous authentication such as behavioural history analysis with a biometric to solve the problem. The issues one can foresee will be around the deployment of any biometric
and end user acceptance of a high level of data privacy.
This article ‘https://www.linkedin.com/pulse/death-password-quick-brown-fox-jumps-over-lazy-dog-obituary-bhat’ sets out the problem well. The article
also identifies the approach taken by Tickvantage to provide a solution to this problem.
Tickvantage has approached this challenge for End User authentication method using a mobile phone device. We have created a service that is simple, convenient and secure enough for End Users and people who rely on the identity. Our solution is designed to
be compliant to the GSMA mobile connect[1] service but flexible
enough to support multiple authentication models.
One important issue with any End User authentication service is to try and increase the costs for hackers and defend against automated attacks from multiple locations. With the use of an End Users personal mobile phone device removes generic cyber-attacks
from an unknown location with this type of solution.
Therefore the method needs to use the two factors, one of a shared secret in a numeric form and a hardware based token. This though is only part of the solution there are two further challenges for an identity solution that Tickvantage meets.
- How to make an authentication process to work with end users and parties that rely on the identity of an end user?
These are termed ‘Reliant Parties’ in the electronic identity industry. For this Tickvantage identified a numeric shared secret can be used but to create a flexible solution this authentication data is checked in the ‘Cloud’ or by different ‘Reliant Parties’
as required. - How to create a registered identity and what data associated with that data can be trusted?
The identity and the data associated to it are termed ‘Attributes’ in the electronic identity industry. For this a pragmatic approach is needed. Indeed initially an identity is created without attributes and as the end user wants to access services they provide
data that can be validated by third parties to associate with the identity.
Tickvantage believes in each market this will be different but at some point a numeric shared secret needs to be set-up with a voice biometric template and needs to be built into a process where an end user sees the value in providing this data.
The use of other biometrics such as face, iris or fingerprint rely on a device having this functionality built into it. Tickvantage believes that these methods will be integrated at a later stage if there is a business requirement from the ‘Reliant Party’
that can only be met with these technologies.
Tickvantage offers such a solution with the ability to be flexible and to work with or be integrated into Big Data / continuous authentication based solutions.
[1] http://www.gsma.com/personaldata/mobile-connect