Delfigo Security - Strong Authentication

Identity and Authentication Blog

Emerging Authentication for Mobile Payments

Mobile payments will become more integrated in the way we shop, buy and sell in the coming years. PCMag published an article this week discussing some of the innovative technologies being brought to market to authenticate these transactions and to reduce the significant threat of fraud in an area that is growing faster than the security technologies being developed to protect it.

Contactless and wearables-based authentication methods seem likely to be used in this case (as discussed previously in this blog). If the user is wearing their smart watch and tries to make a payment, simply validating that this second device is present makes the watch a kind of token. Niche players will also no doubt begin marketing authentication methods based on image and voice recognition, gesture capture and other data that can be captured about the user and used in an authentication context.

These methods will be viable in the long run if they take a mobile-centric view of what it means to authenticate an individual. With mobile, many of the traditional authentication methods enterprises rely on will become obsolete, and flexibility and cross-platform support will become key requirements as new authentication methods are required to work across an ever-increasing number of devices in use. This will create a discussion that centers more around the users themselves (their unique attributes, behaviors, devices, locations...), and what it means to determine whether they are who they say they are.


How Will Wearables Change Multi-Factor Authentication?

Samsung is expanding the capabilities of its new smartwatch, and making it increasingly compatible with its other Galaxy devices (smartphones and tablets).

Wearables raise some compelling questions around multi-factor authentication, especially where the devices are linked to function as a "team". Will these devices take the place of traditional hardware tokens? A company called Bionym has already launched a wearable device for this purpose; however, these developments have the potential to move far beyond yes/no authentication and the device whose sole purpose is to authenticate a user, to contributing to a more nuanced view of who a user really is. When these devices communicate with each other, their mere presence, along with the data they are collecting and processing, creates a more in-depth view of the user that hasn't been accessible before. Possibly most interesting here are the possibilities for biometric and behavioral data these devices will be able to collect. If your watch can detect your heartbeat and use it as an authentication method for apps on your phone, you as a user have built-in authentication that doesn't require you to consciously do anything at all.

We will see the newest generation of wearables have an impact in the authentication space, as the data available to determine the identity of the user is made more varied and communication improves across smart devices.



MasterCard Joins FIDO - What Will It Mean?

MasterCard's decision to join the FIDO Alliance has been much discussed since the announcement earlier this month. It is certainly encouraging to see large payment providers commit to FIDO's mission, which is focused on moving beyond usernames and passwords for authentication of end-user transactions.

FIDO's proposed user experience reflects an understanding on their part of the need to offer quick and easy authentication for users, especially in a mobile use case. Authentication cannot take a lot of time, require the end user to remember anything complex, or require the user to navigate multiple screens or open additional apps. Big players in the space like MasterCard joining FIDO shows that there is widespread support for an authentication standard that acknowledges that the best solution will enhance both security and user experience.


Study Finds Consumers Are Open to Biometric Authentication

A study sponsored by PayPal and the National Security Alliance found that 53 percent of Americans are “comfortable” replacing passwords with a biometric (in this case, fingerprints). This article goes on to describe additional results of the study which indicate a growing acceptance in the consumer populations of moving beyond the traditional username and password for security. "Other responses to the survey sketches a picture of Americans that suggests we’re more reliant than ever on our smartphones but still very unsure about the proper security measure we should be taking on our mobile devices."

Increasing awareness of the need to take security measures that keep pace with the mobile technology being rapidly adopted by users is a good sign. End-user awareness that transactions like payments, transfers and accessing critical data need to be protected is the first step toward more secure behavior across the board. The article mentioned above goes on to say "One thing that does appear to be clear from the survey is that consumers want companies to do the bulk of heavy lifting when it comes to securing financial data. While those surveyed said that they’re comfortable with giving companies access to their biometric data to replace passwords, it turns out not that many of them actually use them for their phones."

As the conversation around new technologies continues, user awareness of the need to secure their devices will increase as well. 


Cloud Security Alliance Adds Mobile Security Guidelines

The Cloud Security Alliance has updated its Cloud Controls Matrix with mobile security guidelines. To learn more about this update and other new guidelines, see this article in Network World. To download the full document, click here.

The addition of mobile-security-specific guidelines speaks to some of the unique security challenges faced by organizations as users continue to accelerate their use of enterprise applications on mobile devices. BYOD has created a new realm of security concerns that challenges IT departments to develop and enforce specific policies and security initiatives for mobile, including authentication technology that is both effective and easy to use. Organizations can no longer assume that the device used to access enterprise apps and services is controlled by the enterprise, meaning that organizations will seek to secure applications and data, along with implementing mobile-specific policies and requirements for users.


Advances in Mobile Authentication

Apple's announcement last week that the upcoming iPhone will have biometric (fingerprint) authentication represents the market's recognition that we need better authentication for our mobile devices - and it should be as easy as possible to use.

Whether Apple's fingerprint feature will catch on (how it will be accepted by users, how well it will work, and what its ultimate success will be) is not the focus of this post. Authentication and security are taking center stage. Users are realizing that mobile devices are becoming our go-to method to access critical information (work-related applications, banking, social media...), and traditional methods of securing computers, both technical and situational, are no longer relevant. Mobile authentication requires accepting that the user is "mobile". They're in their car or out at lunch. They're on shared networks. They're in crowded spaces. For this use case, successful authentication technology needs to be fast, intuitive, and adaptive. Apple recognizes this: because your finger is part of you, it's always there. A single fingerprint is a quick and easy method of identifying yourself.

In the coming months we will see the conversation around mobile authentication, and securing mobile apps and activities, continue. Innovative ways to provide better security for mobile will be increasingly adopted, and users will see some of the same advances in authentication that we have seen in other areas of mobile technology.


What's the Future of Passwords? A Conversation

Introduction: As professionals in the authentication space, we stay up to date with technology providers and their solutions. For this post I have invited Josh Cornutt, Director of Software Development at WWPass, to discuss whether it's time to get rid of passwords altogether, and the challenges associated with doing so.


Abby Porter, Director of Product Management, Delfigo: There has been a lot of recent discussion on the lack of security around passwords, especially since so many users choose easy-to-guess combinations that leave their accounts vulnerable to breaches. Both traditional passwords (words typed using the keyboard) and PINs (used on touch screen devices) are vulnerable, especially when the enterprise is reluctant to inconvenience end users with complex requirements. This issue highlights the challenges organizations continue to face with balancing security and user experience. 

Josh Cornutt, Director of Software Development, WWPass: Narisi would certainly take your statement one step further by including not only weak passwords, but passwords in general. Even a strong password is still significantly weaker in comparison to technologies such as public-key cryptography or biometrics, which are now easier to use and implement in a corporate network than ever. To take this one step further, even strong single-factor authentication methods have been publicly scrutinized for still not providing enough security for the modern internet user. Multi-factor authentication is the way of future data security and there are plenty of very easy to use and powerful solutions available, so why would corporations settle for anything less now? I’d love to hear your thoughts as to why you think corporations have been slow to adopt these highly secure authentication methods and continue to rely on legacy authentication schemes such as traditional username and password combinations?

Abby: In conversations with organizations who have existing password or PIN technology (which is just as vulnerable, if not more vulnerable) in place for their sites and apps, I have found that there is a lot of reluctance to inconvenience the end user, or to introduce new workflow that will be confusing. In the past I felt these conversations centered more on existing technology investments (for example, having invested heavily in tokens), but what I hear most often now is focused on the need for quick and easy authentication, and passwords and PINs are easily recognized, by users who have been conditioned to use them. I could not agree more that multi-factor authentication is the way to go, and believe that the emerging technologies in the market can actually enhance user experience. What do you see as the key drivers for adoption of multi-factor authentication?

Josh: Multi-factor authentication adoption in corporate environments seems to be largely driven by the need to meet and predict increasingly strict certification standards (HIPAA, SOX, PCI-DSS, etc…) either for their own profitability or due to other governing regulations. For instance, when a corporation goes for PCI-DSS compliance, they’re met with section 8.3 of the PCI-DSS 1.2 standard which states the requirement to “Implement two-factor authentication for remote access to the network by employees, administrators, and third parties”. This very plainly states that, if this company would like to move forward with PCI-DSS compliance, they will need to implement some form of two-factor authentication, which will likely translate to either physical smartcard/token devices or biometrics (or both). I agree that passwords and PINs are a quick and easy form of authentication, but they open up an organization to data theft as well as the inability to achieve certain compliances. Multi-factor authentication is here to stay and as more core compliances start enforcing its use you will begin seeing it around every corner. What do you think authentication into corporate environments will look like in 2-5 years? Will we still be looking at the traditional smartcard model where an employee physically carries around their identity? Do you predict the “cloud” playing a role in near-future authentication methods (everything else is moving to the cloud, why not authentication)?

Abby: I definitely see more services moving to the cloud, though it seems to be going more slowly than was predicted initially. Security-as-a-Service and Authentication-as-a-Service are extremely compelling concepts, but it's tough to get organizations to break free of the idea that it all needs to be done on premise. Still, I'm seeing major players planning for, and going to, the cloud. I think in 2-5 years we'll see a lot of traction there. In terms of what they will look like, I think we'll see a more holistic view of security focused on the user (identity focused, as opposed to access focused), and the winning technologies will excel where user experience is concerned. This has been a great discussion. Any final thoughts?

Josh: This has, indeed, been a very great discussion. I agree with the overall prediction for Authentication-as-a-Service focusing more on user identity management instead of pure authentication/authorization as this concept matures. User experience is everything in today’s market and there are many companies racing to develop a product that can elegantly mesh secure multi-factor authentication with the most comfortable user experience. Thanks for joining me in this discussion, Abby. Until next time!


Can Smartphones Replace Passwords?

Will smartphones replace passwords?

"Because a smartphone is the one device few people are without, it's seen as the perfect place to store credentials. Add the many sensors in a phone that can be used to identify a user, and the case for using the device for authentication becomes stronger," says Antone Gonsalves in a recent post on the subject in Network World. As smartphones become ubiquitous in our day-to-day lives, the push to find an authentication solution that is designed for mobile continues.

Using the features available on many of the smartphones on the market today for the purpose of authentication is a prospect that has users and enterprises enthusiastic about the idea of leaving passwords behind, as well as embracing, instead of fighting against, the changing habits of users. "For mobile phones to replace passwords, the devices will have to know when the actual owner is logging into a site and not a crook that either stole a phone or found it. Biometrics is one possible answer, as long reliable and highly secure fingerprint scanners and voice and facial recognition technology can be developed." The emphasis on the importance of knowing that the user him/herself is the right person, and the need for additional authentication beyond possession of the device, will encourage organizations to look at authentication in terms of "who you are", not just "something you know" or "something you have."


"Secure" Password Requirements

Matthew Yglesias posted a great entry on Slate on Monday highlighting the flaw in "secure" password policies. Using 1Password, the author was able to generate a password string that should have been secure for use with most websites (and would have been difficult to guess); however, the system that was requiring him to change his password asked that he include special characters, a common requirement in secure password policies. The result was a variation on his name, which could certainly be guessed.

This blog entry highlights some of the key challenges with continuing to use passwords to access secure sites and information. Creating a password that is impossible to guess or remember leads users to save it, so that it can then be used by anyone who gets access to their device. Secure password policies, while designed to enhance security, still allow users to create passwords that are easy for attackers to guess and use to gain access to accounts.
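To make the post's point concrete, here is an added example (written for this page, not code from the post or from 1Password) that scores two constructed passwords two ways: first with a composition rule of the kind the post describes (minimum length plus one character from each class), then with a rough guessability estimate that charges a dictionary word as a single guess rather than as a string of letters. The random generator-style string fails the composition rule yet scores far higher than the name-based variant that passes it; the word list, sample passwords and the scoring model are all assumptions made for the example.

```python
import math
import string

# Constructed sample inputs, not taken from the post: a generator-style random
# string with no special character, and a name-based variant that satisfies a
# "must contain a special character" rule.
RANDOM_PASSWORD = "xK7pQm2vL9tRw4Hs"
NAME_BASED_PASSWORD = "Matthew!1"

# Tiny constructed stand-in for a real common-word/name list.
KNOWN_WORDS = {"matthew", "password", "welcome", "summer"}

# Character classes with a membership test and the size of each class.
CLASSES = {
    "lower": (str.islower, 26),
    "upper": (str.isupper, 26),
    "digit": (str.isdigit, 10),
    "special": (lambda c: c in string.punctuation, len(string.punctuation)),
}


def classes_present(chars: str) -> set:
    """Names of the character classes that occur in `chars`."""
    return {name for name, (test, _) in CLASSES.items() if any(test(c) for c in chars)}


def passes_composition_policy(pw: str, min_len: int = 8) -> bool:
    """The kind of rule the post describes: minimum length plus one char of each class."""
    return len(pw) >= min_len and classes_present(pw) == set(CLASSES)


def estimate_guess_bits(pw: str) -> float:
    """Rough guessability in bits (simplified model for this example, not a real meter).

    A known word costs log2(dictionary size) plus one bit for capitalisation, since a
    guesser tries whole words; each remaining character costs log2(size of the
    classes actually used), falling back to printable ASCII for unclassified chars.
    """
    lowered = pw.lower()
    bits, remainder = 0.0, pw
    found = [w for w in KNOWN_WORDS if w in lowered]
    if found:
        word = max(found, key=len)           # longest matching word wins
        start = lowered.index(word)
        bits += math.log2(len(KNOWN_WORDS)) + 1.0
        remainder = pw[:start] + pw[start + len(word):]
    if remainder:
        alphabet = sum(CLASSES[name][1] for name in classes_present(remainder))
        bits += len(remainder) * math.log2(alphabet or len(string.printable))
    return bits
```

With the constructed inputs, the name-based password passes the policy at roughly 14 bits while the rejected random string scores around 95 bits, which is the mismatch between composition rules and actual guessability that the post describes.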

