16 December 2017
Anthony Pickup

Anthony Pickup on Payments

Anthony Pickup - MYRECS LTD

10Posts 40,513Views 8Comments

Ubiquitous Authentication a decades old problem for the NOW generation.

27 March 2015  |  2215 views  |  0

In the 1960’s the user name and password system for accessing computer systems was first deployed.

In mid 1970’s the ATM card and PIN was first deployed and this evolved into the now ubiquitous ATM card and Online PIN in the Eighties.  Until this time PIN’s were a mixture of Online and Offline but as networks expanded and more sharing of networks happened the Online PIN became the standard. What most people don’t realise is that the PIN is actually resident on the card.

These authentication methods are classed as two factor with one factor being the user name or ATM card provided to the user, the second being the PIN or password. The current use of User Name and Password where the user defines their Username and Password (e.g. Mickey Mouse and Disneyland) in reality are just single factor and level of assurance one given that the users self certifies themselves.  

The beauty of the user setting up their credentials mean that services can be provisioned ‘now’ and not have to wait for other processes to occur.  The beast is that the user has to remember what details were set-up and the weakness of the authentication that can be derived.  The weakness of this is all knowledge is provided by the user setting up the credential and not provided by the party relying on the identity.  Some username and password solutions that say validate the email via a separate transaction or lock the use of the service to a physical device such as a mobile application can increase the trust level of the authentication. 

So we now have a significant challenge as the costs to provide User Name and Password infrastructures come by default in many systems.  The initial deployment costs are low but as we know the operational costs are high and for the end user they are often not fit for purpose.  Indeed we are starting to see various authentication methods being deployed by different organisations.  These range from techniques that have little or no involvement of the end user through to techniques that require significant end user effort. 

For example little effort is needed where organisations are managing the ID of individuals through say the physical MAC address of the device or IP address.  The other extreme is where an organisation checks the identity of the individual and provides them with a physical token together with an assigned User Name.

Other techniques involving biometrics are being used on specific channels such as voice authentication for call centre initiated session and transactions.  Indeed we are seeing multiple biometrics methods being used to validate identity by FaceBanx for in home gaming applications.  The use of multiple biometric factors is interesting as they use one to biometric reduce the set of matches and a second to uniquely identify the individual.  The benefit of this technique to reduce the set of templates checked by a biometric based authentication process.  However, a one template to one set of biometric data is believe to be the accurate method of verifying biometric data.

With other biometrics now coming to the authentication market such as: heart rhythm, gesture (physical movement based characteristics) together with the existing methods based around the finger, face, voice or eye will find specific niches for End User authentication.  These successful methods will meet a specific business need rather than general ubiquitous method as the costs of development and implementation can be high.

The use of methods linked to what a user does on the internet using ‘Big Data’ / continuous authentication techniques and social media ID are growing rapidly.  The two most popular are ‘facebook id’ / ‘google id’ to access other 3rd party sites where the user and company are happy to share information about the identity being used.  These and other company wide systems are now providing shared sign on infrastructure which could be used if a ubiquitous method can be found.

One approach being looked at is to combine a Big Data information such as location, continuous authentication such as behavioural history analysis with a biometric to solve the problem.  The issues one can foresee will be around the deployment of any biometric and end user acceptance of a high level of data privacy. 

This article ‘https://www.linkedin.com/pulse/death-password-quick-brown-fox-jumps-over-lazy-dog-obituary-bhat’ sets out the problem well.  The article also identifies the approach taken by Tickvantage to provide a solution to this problem.

Tickvantage has approached this challenge for End User authentication method using a mobile phone device. We have created a service that is simple, convenient and secure enough for End Users and people who rely on the identity. Our solution is designed to be compliant to the GSMA mobile connect[1] service but flexible enough to support multiple authentication models.

One important issue with any End User authentication service is to try and increase the costs for hackers and defend against automated attacks from multiple locations.  With the use of an End Users personal mobile phone device removes generic cyber-attacks from an unknown location with this type of solution.      

Therefore the method needs to use the two factors, one of a shared secret in a numeric form and a hardware based token.  This though is only part of the solution there are two further challenges for an identity solution that Tickvantage meets.

  1. How to make an authentication process to work with end users and parties that rely on the identity of an end user?
    These are termed ‘Reliant Parties’ in the electronic identity industry.  For this Tickvantage identified a numeric shared secret can be used but to create a flexible solution this authentication data is checked in the ‘Cloud’ or by different ‘Reliant Parties’ as required.
  2. How to create a registered identity and what data associated with that data can be trusted?
    The identity and the data associated to it are termed ‘Attributes’ in the electronic identity industry.  For this a pragmatic approach is needed.  Indeed initially an identity is created without attributes and as the end user wants to access services they provide data that can be validated by third parties to associate with the identity. 
    Tickvantage believes in each market this will be different but at some point a numeric shared secret needs to be set-up with a voice biometric template and needs to be built into a process where an end user sees the value in providing this data. 

The use of other biometrics such as face, iris or fingerprint rely on a device having this functionality built into it.  Tickvantage believes that these methods will be integrated at a later stage if there is a business requirement from the ‘Reliant Party’ that can only be met with these technologies. 

Tickvantage offers such a solution with the ability to be flexible and to work with or be integrated into Big Data / continuous authentication based solutions.   

 

 

[1] http://www.gsma.com/personaldata/mobile-connect

 

a member-uploaded image TagsSecurityMobile & online

Comments: (0)

Comment on this story (membership required)

Latest posts from Anthony

Can a new entrant be a threat to the big card schemes?

29 September 2017  |  6464 views  |  1 comments | recomends Recommends 0 TagsPaymentsStart upsGroupFintech

How PSD2 and GDPR may improve retail payments for all

16 June 2017  |  8843 views  |  0 comments | recomends Recommends 0 TagsMobile & onlinePaymentsGroupFinancial Services Regulation

Why do some retailers prefer CASH?

18 May 2015  |  6282 views  |  1 comments | recomends Recommends 0 TagsPaymentsRisk & regulation

The impact of the Apple Watch on Apple Pay on In-store payments?

06 May 2015  |  2799 views  |  1 comments | recomends Recommends 0 TagsMobile & onlineInnovation

Anthony's profile

job title Consultant
location Manchester
member since 2014
Summary profile See full profile »
After supporting the retailCURe credit union to launch through PRA and FCA compliance to launch their services to the retail industry. Now looking for the next challenge. In the identity, payments and...

Anthony's expertise

Member since 2014
7 posts8 comments
What Anthony reads

Who's commenting on Anthony's posts

Chris Brown