Thursday, 26 September 2013

The Changing Face of User Authentication and the Road to Bring Your Own Identity

I recently presented on an Infosecurity Magazine webinar entitled “How to Make Access to your Sensitive Data More Secure - The Easy Way”.  During my presentation I explored how user authentication is adapting to meet the changes created by a number of linked transformational trends that include cloud computing, mobility and the Consumerisation of IT.

The presentation focused on one of Goode Intelligence’s specialist areas, mobile-based authentication (both the phone as an authenticator and mobile authentication when an IT service is accessed from the mobile device). It also touched on other areas of Identity and Access Management (IAM); the development of these related areas is vital to the successful transformation of user authentication services (both mobile and non-mobile). It is imperative that we meet the security challenges of the next generation of IT services – to defend the borderless enterprise.

We are increasingly accessing a huge wealth of digital information, both inside and outside of the enterprise network, from a myriad of devices. In this new world of IT, traditional authentication solutions, both single-factor (passwords) and two-factor (smart cards and OTP tokens), have become clumsy, inconvenient and less secure. Password management is a headache; in the main we either write down strong passcodes or re-use passwords that we can easily remember (password management tools do exist). Where traditional two-factor authentication is used, it is often not designed for cloud, mobile or BYOD. Authentication solutions designed for traditional, behind-the-firewall enterprise systems are increasingly ineffective for new, agile IT services.

So what are the alternatives? How do we match convenience and security and ensure identity is successfully proven across a wide variety of different devices (enterprise-issued and employee-owned) accessing many services located on-premise, hybrid and wholly in the cloud?

I believe that we are close to achieving the goal of supporting a much more agile and mobile world of IT service provision with strong, convenient authentication. We know what the problem is and we have many of the building blocks to make this a reality. These building blocks include risk-based authentication (RBA), federated identity, multi-factor authentication and user choice.

Match risk with appropriate security – combining user intelligence with business context
At Goode Intelligence, we are seeing increasing demand for more intelligent forms of authentication where the choice of authentication method used is real-time risk driven. The financial services sector has been an early adopter of RBA technology as it has a history of measuring (managing) risk.

RBA matches the most appropriate authentication method to the assessed risk. To be successful in this you must first know who the user is and what they plan to do.

User intelligence can be gathered from a number of inputs and the mobile device can play an important part in this process. The device can learn the unique characteristics of its owner: where they are usually located (geo-location), the days and times that they are normally active, and even how they hold and touch the device (behavioural analysis). These passive signals can then be combined with more active forms of authentication.

An accurate risk score can be calculated by combining user intelligence with business context. What is the user trying to achieve? Is it a high-value financial transaction to an unknown recipient, or an attempt to access the latest sales data? Based on this risk score the authentication engine can then choose the most appropriate authentication method to prove identity. A one-time password (OTP) generated by the authentication engine and sent to the user’s registered mobile device via SMS may be sufficient, or alternatively the authentication level may be ‘stepped up’ to a stronger factor – a biometric or even a separate hardware device.

Federated Identity – the road to single sign on and a more frictionless experience
For both enterprise and consumer users the prospect of having to uniquely identify themselves to multiple applications and web services is an onerous task. This is probably why for mobile devices the auto-authenticate option is widely deployed – thumbs up for convenience, thumbs down for security.

Organisations are increasingly turning their attention to identity federation, sometimes referred to as Single Sign-On (SSO), as one way to solve this problem. Identity federation allows for a standards-based way to share identity amongst multiple organisations and applications. Standards include the Security Assertion Markup Language (SAML), the OpenID protocol and WS-Federation.

The benefit to the user is that they only need to authenticate once to access a number of different organisations and applications. Using techniques such as SAML assertions, identity is then shared transparently with other applications. The user is authenticated once and then other application providers can verify the authenticity of the provided federated identity.
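The exchange described above, as an added example that is not part of the original post and not code from any identity product: an identity provider (IdP) authenticates the user once and issues a signed assertion; each service provider (SP) verifies it without ever seeing the user's password. A signed JSON token stands in for a SAML assertion, and an HMAC key shared between IdP and SP stands in for the XML-signature/X.509 trust a real federation uses. The names, key, timestamps and "correct-horse" credential are all constructed.

```python
"""Toy federated SSO exchange (constructed illustration, not from the post or any vendor)."""
import base64
import hashlib
import hmac
import json
import secrets

SHARED_KEY = b"constructed-idp-sp-key"  # assumed out-of-band trust between IdP and SP


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """The one place the user actually authenticates."""

    def __init__(self, name: str, key: bytes):
        self.name, self.key = name, key
        self.sessions = {}  # user -> time of authentication

    def login(self, user: str, password: str, now: int) -> bool:
        if password != "correct-horse":  # stand-in credential check
            return False
        self.sessions[user] = now
        return True

    def issue_assertion(self, user: str, audience: str, now: int, ttl: int = 300) -> str:
        """Issue a short-lived, audience-restricted, signed assertion for one SP."""
        if user not in self.sessions:
            raise PermissionError("user has not authenticated at the IdP")
        claims = {"id": secrets.token_hex(8), "iss": self.name, "sub": user,
                  "aud": audience, "iat": now, "exp": now + ttl, "amr": "password"}
        payload = json.dumps(claims, sort_keys=True).encode()
        sig = hmac.new(self.key, payload, hashlib.sha256).digest()
        return b64url(payload) + "." + b64url(sig)


class ServiceProvider:
    """Relies on the IdP; never handles the user's password."""

    def __init__(self, name: str, key: bytes, trusted_issuers):
        self.name, self.key, self.trusted = name, key, set(trusted_issuers)
        self.seen_ids = set()  # one-time-use check against replayed assertions

    def verify(self, assertion: str, now: int):
        """Return the subject if the assertion is genuine and valid for this SP, else None."""
        try:
            p64, s64 = assertion.split(".")
            payload, sig = b64url_decode(p64), b64url_decode(s64)
        except ValueError:
            return None
        expected = hmac.new(self.key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return None  # altered payload or not signed by the trusted key
        claims = json.loads(payload)
        if claims["iss"] not in self.trusted or claims["aud"] != self.name:
            return None  # untrusted issuer, or an assertion meant for a different SP
        if not claims["iat"] <= now < claims["exp"]:
            return None  # outside validity window
        if claims["id"] in self.seen_ids:
            return None  # replay of an assertion already consumed
        self.seen_ids.add(claims["id"])
        return claims["sub"]


def run_exchange() -> dict:
    """Walk through the happy path and the checks an SP must make; returns each outcome."""
    t0 = 1_380_000_000  # constructed clock value
    idp = IdentityProvider("idp.example", SHARED_KEY)
    music = ServiceProvider("music.example", SHARED_KEY, ["idp.example"])
    bank = ServiceProvider("bank.example", SHARED_KEY, ["idp.example"])
    results = {"login": idp.login("alice", "correct-horse", t0)}
    fresh = idp.issue_assertion("alice", "music.example", t0)
    results["accepted"] = music.verify(fresh, t0 + 10)
    results["replayed"] = music.verify(fresh, t0 + 20)
    results["expired"] = music.verify(idp.issue_assertion("alice", "music.example", t0), t0 + 400)
    results["wrong_audience"] = bank.verify(idp.issue_assertion("alice", "music.example", t0), t0 + 10)
    # Payload edited after signing (subject changed) but original signature kept.
    p64, s64 = idp.issue_assertion("alice", "music.example", t0).split(".")
    edited = dict(json.loads(b64url_decode(p64)), sub="mallory")
    results["edited_payload"] = music.verify(
        b64url(json.dumps(edited, sort_keys=True).encode()) + "." + s64, t0 + 10)
    return results


if __name__ == "__main__":
    print(run_exchange())
```

The five checks in `verify` (signature, issuer, audience, validity window, one-time use) are the ones that matter in a real SAML or OpenID deployment too; dropping the audience check, for instance, lets an assertion issued for the music service be presented to the bank.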

Multi-Factor Authentication/Identity Verification and context
Two-factor authentication (2FA) is so last year!

Over the last 24 months we have seen virtually all of the major internet players, Google, Twitter, LinkedIn, Microsoft and Facebook, deploy some form of 2FA (mainly mobile OTP-based). Microsoft was so enamoured with mobile phone-based 2FA that it acquired a vendor, PhoneFactor. The option to use 2FA in these networks is usually optional, so it is difficult to gauge how popular these services are outside the InfoSec geek community.

In terms of trends in the authentication market there is a definite movement towards supporting multiple factors (MFA), sometimes referred to as infinite factors. This is not necessarily the third factor – often associated with what you are, biometrics. MFA is about allowing a choice of factors and then matching them against context.

I feel that the combination of MFA and contextual awareness is one of the most exciting areas of authentication at the moment and we expect it to be a standard feature of premium authentication solutions. Many of the authentication vendors, including RSA, Entrust and SecurEnvoy, have already increased their portfolio of factors that can be deployed for use with their authentication engines and I believe that the number of factors, and user choice, will increase in the next 12 months. Factors include both traditional – hardware/software tokens and smart cards – and emerging – mobile, biometrics, image-based and behavioural.

The power of having multiple factors at your disposal is multiplied when you add contextual analysis. This is where mobile devices really come into their own as authenticators. Smart mobile devices have so many in-built sensors that have the capability to capture important information about the context of how and where these devices are being used: geo-location through a combination of GPS and cellular-network positioning (even more accurate with LTE/4G services), ambient noise levels captured through the microphone (important in voice biometrics), user identification through the camera and embedded fingerprint sensors (even before Apple’s iPhone 5S and Touch ID there were over 20 million smartphones shipped with fingerprint sensors). All of this contextual information can be captured and then passed on to services that support risk-based and intelligence-based authentication. A relatively accurate identity score can be calculated on a continuous basis and then fed into the authentication service, providing a method of identifying whether the authorised owner of the device is initiating a service and then calculating whether additional authentication is required. This is sometimes referred to as step-up verification (although step-up verification is also a part of non-mobile authentication and RBA services).
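The following is an added example, not code from the post or from any authentication vendor, of the decision the RBA section above and the paragraph just read describe: passive signals about the user (location, time of day, device, a behavioural match score from the device's sensors) are combined with business context (what the user is trying to do, and for how much) into a risk score, and the score selects the authentication method, stepping up from passive acceptance to an SMS OTP, a biometric, or a separate hardware device. The field names, weights and thresholds are assumptions chosen for illustration; a real engine would tune them against observed fraud.

```python
"""Risk-based step-up authentication decision (constructed illustration)."""
from dataclasses import dataclass


@dataclass
class UserProfile:
    user_id: str
    usual_countries: set     # countries the user normally connects from
    active_hours: range      # local hours of day the user is normally active
    known_devices: set       # device identifiers previously seen for this user


@dataclass
class RequestContext:
    country: str
    hour: int                # local hour, 0-23
    device_id: str
    behaviour_match: float   # 0.0 (nothing like the owner) .. 1.0 (typical), from device sensors
    action: str              # business context: what the user is trying to do
    amount: float = 0.0
    recipient_known: bool = True


# Assumed base risk of each business action; unknown actions get a middling 25.
ACTION_BASE_RISK = {"balance_enquiry": 5, "read_sales_data": 15, "funds_transfer": 40}

# Assumed score ceilings: a score below the ceiling selects that authentication level.
AUTH_LEVELS = [(30, "passive"), (55, "sms_otp"), (80, "biometric"), (101, "hardware_token")]


def risk_score(profile: UserProfile, ctx: RequestContext) -> int:
    """Combine user intelligence with business context into a 0-100 risk score."""
    score = ACTION_BASE_RISK.get(ctx.action, 25)
    if ctx.country not in profile.usual_countries:
        score += 25                      # unusual geo-location
    if ctx.hour not in profile.active_hours:
        score += 10                      # outside the user's normal active hours
    if ctx.device_id not in profile.known_devices:
        score += 20                      # never-seen device
    score += round((1.0 - ctx.behaviour_match) * 20)   # how unlike the owner the handling is
    if ctx.action == "funds_transfer":
        if not ctx.recipient_known:
            score += 15                  # payment to an unknown recipient
        if ctx.amount > 1000:
            score += 10                  # high-value transaction
    return min(score, 100)


def choose_auth(score: int) -> str:
    """Map the risk score to the least intrusive method that still covers the risk."""
    for ceiling, level in AUTH_LEVELS:
        if score < ceiling:
            return level
    return "hardware_token"


def decide(profile: UserProfile, ctx: RequestContext):
    """Return (score, authentication level) for one request."""
    score = risk_score(profile, ctx)
    return score, choose_auth(score)


if __name__ == "__main__":
    alice = UserProfile("alice", {"GB"}, range(7, 23), {"dev-A"})
    for ctx in (
        RequestContext("GB", 9, "dev-A", 0.95, "balance_enquiry"),
        RequestContext("GB", 9, "dev-A", 0.90, "funds_transfer", amount=200),
        RequestContext("GB", 2, "dev-Z", 0.90, "funds_transfer", amount=200),
        RequestContext("RO", 3, "dev-Z", 0.20, "funds_transfer", amount=5000, recipient_known=False),
    ):
        print(ctx.action, decide(alice, ctx))
```

The ordering of `AUTH_LEVELS` is the policy: a familiar device in a familiar place doing a low-value action is let through on context alone, a routine transfer gets an SMS OTP, and the same transfer from an unknown device at 2am steps up to a biometric. Note that the behavioural signal on its own never pushes a low-risk action past the passive ceiling; it contributes to the score rather than dictating the outcome.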

User choice – The road to Bring Your Own Identity (BYOI)?
We have bring your own device/platform/software. Is it time for bring your own identity? Let the user choose the most convenient and secure way to protect their digital assets. People decide how best to protect their property and their cars, so why not let them choose how they should protect their digital lives?

I feel that we are already seeing evidence of this with Internet passports, e.g. Facebook ID and Google Authenticator, that allow registered users to authenticate to other services that support authentication from the passport provider. For instance, if I choose to I can use my Facebook ID to authenticate into my Spotify streaming music service. 

The big question is whether this will expand to services that are more sensitive, i.e. carry more risk. Will my bank allow me to use my Google Authenticator to log in to its internet banking service and then transfer funds out of the account? Does the bank trust credentials issued by a social network? Possibly not for funds transfer, but what about a balance enquiry? Step-up verification could be used when I want to transact or to request an increase to my overdraft limit.

Alternatively what if a universal digital ID was issued by a government and managed by a trusted authentication service provider? I wouldn’t discount it but we are at the early stages of BYOI and perhaps initiatives such as the FIDO Alliance, Open Identity and the GSMA’s Mobile Identity Programme may help provide the plumbing and the initiatives to support it. 

Alan Goode September 2013 

Wednesday, 11 September 2013

iPhone 5S Touch ID - What Apple announced (how much did I get right)

At 10am EDT yesterday (10/09/2013) Apple held their latest event to announce two new iPhones (iPhone 5S and iPhone 5C) and the latest version of iOS (iOS 7). The event coincided with my attendance at a school information meeting. I thought it wise not to follow Twitter on how the event was progressing even though I was itching to find out whether the fingerprint sensor had made it to the phone - besides, the school hall has awful mobile reception.

The previous day (09/09/2013) I wrote a blog making predictions on how Apple would utilise the fingerprint sensor. So how did I do?

First, let's take a look at what Apple announced yesterday.

What did Apple announce?

Source: Apple
Along with a faster processor and the next version of iOS (iOS 7) Apple announced the fruits of their AuthenTec acquisition, Touch ID - "a new fingerprint identity sensor". In other words, an optical fingerprint sensor embedded underneath the Home button of the iPhone 5S.

In a video released to coincide with the announcement, Apple's chief design guru, Jony Ive, emphasises that Touch ID is more about convenience than security by saying that it "enhances the user's experience" and "is the next step in using your iPhone" as well as "protecting all of the information" held on the phone.

Touch ID will have two functions at launch:

  1. Unlock the phone (iPhone Passcode replacement)
  2. Authenticate into iTunes (Apple ID Passcode replacement)

How does it work?
Once a user has enrolled (a user can enrol a single or multiple fingers) with Touch ID they can then replace the Passcode to unlock a locked device with the touch of their enrolled finger(s). One of the issues of previous smartphones with embedded fingerprint sensors (including the Atrix 4G) was a lack of other supporting functionality outside of the unlock phone feature. Apple have taken a positive step forwards by also allowing the fingerprint to provide authentication for iTunes payments - replacing the Apple ID password with the fingerprint. Is this the entry point (or pilot) for Apple's fingerprint-authenticated mPayments and will Apple store payments come next?

As with any embedded fingerprint sensor the service is a combination of hardware and software. The new Home button is made from sapphire crystal that both protects the sensor and acts as a lens to enhance the fingerprint. A steel ring surrounding the button detects the finger and wakes up the sensor (which probably saves the battery). The optical sensor takes a high-resolution image of the print (taken from the subepidermal layer of the skin to counteract damaged and ageing epidermis). The captured image is then compared with the stored template that was captured during the enrolment process.

Is it secure?
According to Apple, all fingerprint information is encrypted and stored securely in a 'Secure Enclave' on the new A7 chip. Details of this process have not yet been released but I am guessing that a unique key is used for this encryption. There is also the question of whether the hardware protecting the template is FIPS 140-2 compliant.

Dan Riccio, SVP, Hardware Engineering, Apple, has stated that the template is "never accessible by other software, never stored on Apple's servers or backed up to the iCloud". Expect to see these claims coming under the microscopes of security researchers eager to test out this latest piece of security kit.

No security is 100% secure and optical fingerprint sensors are no exception. There have been a number of well-documented replay and relay attacks on sensors that can circumvent the security, or the security process that supports the sensor. I am pretty sure that Touch ID will be successfully targeted and we will see the tech and national press quick to highlight the security failings of Apple's flagship iPhone. The question is whether these attacks can be replicated by the average thief (hundreds of iPhones are stolen on a daily basis). Are we also going to see phone thieves force their victims to unlock their devices with their fingerprints, or even chop off a finger, as Lookout Mobile Security's Marc Rogers suggests in this interview with the Mirror newspaper? Possibly, but it will be tricky for a violent thief to do this, as which finger has the user enrolled? However, if this does happen then it could end up being a PR disaster for Apple.

It is also interesting to hear Apple emphasise features such as convenience and user experience, not security or theft deterrence. If Touch ID is accurate and speedy, iPhone unlocks and iTunes transactions will be performed at a faster rate than those performed by password verification.

Did I get my predictions right?
Yesterday I predicted that:
  • Apple would release an iPhone with an embedded fingerprint sensor contained in the home button
  • The main uses of the fingerprint sensor would be:
    • To protect the device (phone unlock)
    • Link to iTunes for authentication
    • Enable mobile payments using the iTunes account at Apple stores
  • It won't be opened up to third party developers at launch
4 out of 5 isn't bad and I feel that if there is a positive reception from iPhone 5S users to Touch ID then Apple will look to other services being included in the service and one of these will be mPayments at physical stores. 

I am also confident that we will see this technology embedded within other Apple devices including both the iPad and the iPad mini.

How many iPhone 5S's will Apple sell and what does it mean for the mobile biometric market?
There is a feeling that the lower-priced iPhone 5C will sell more than the Touch ID-equipped 5S, but how many units will Apple shift? On its launch last year the iPhone 5 sold more than 5 million units in its first weekend. The last official figures from Apple for Q3 2013 stated that 31.2 million iPhones were sold around the world (that's going to be a mixture of 4's, 4S's and 5's).

Based on these figures I am estimating over 20 million iPhone 5S units will be sold around the world by the end of Christmas 2013 - that's a lot of fingerprint sensors. That's more mobile fingerprint sensors than AuthenTec had shipped before being sold to Apple.

Back in 2011 I forecast that there would be 19.4 million mobile devices shipping with embedded fingerprint sensors by 2015. Apple are probably going to blow that forecast in a single quarter.

As a result of this momentous news for the biometrics industry I am going to revise the forecasts from 2011 and publish these in the coming weeks. I feel that Touch ID will have a direct impact on the biometrics industry in general and in particular the mobile biometrics industry. Other mobile phone manufacturers will probably follow suit with similar solutions, not just fingerprint. Apple also acquired a lot of fingerprint IP when they purchased AuthenTec. This may well restrict what other mobile device ODMs can do with embedded fingerprint sensors.

One thing is for certain: the Apple announcement yesterday will propel biometrics into the mainstream. This knock-on effect will not just be for fingerprint sensors but for many other modalities including voice, facial, eye (iris and retina) and other emerging ones such as heart rhythm and behaviour. Linked to attempts to standardise authentication and identity verification (notably the FIDO Alliance) and the movement of identity services to the cloud, this will bring about a revolution in how we authenticate and identify ourselves for digital services across multiple endpoints (remember the smartphone is part of a constantly evolving cycle of technology innovation and we are at the start of another one - wearable computing).

It is certainly an exciting time for those of us that work in the security and authentication industries.

Alan Goode - September 11 2013

Monday, 9 September 2013

iPhone 5S Fingerprint Sensor: What I think Apple will do with it - it's not just about security!

I am writing this blog a day before Apple's September 10 event where it has been widely predicted by journalists and analysts alike that Apple will launch the next generation iPhone with an embedded fingerprint sensor (EFS).

So how will Apple use the fingerprint sensor?

I have been covering this market for many years now (Goode Intelligence published a report in June 2011 investigating the market for mobile biometrics) and spoke with the team at AuthenTec (Fingerprint Sensor manufacturer) before they were acquired by Apple.

I am currently working on a number of projects for Goode Intelligence that cover this market, a report investigating the market for mobile authentication and identity verification  that covers biometrics and a report taking a look at the security of wearable technology and how it can be used for authentication purposes.
As part of this research I have talked to many biometric technology vendors, including fingerprint sensor manufacturers, buoyed by Apple's potential move in this area. All of them indicate that Apple will tomorrow launch an iPhone with a fingerprint sensor. I share this prediction - it may come back to haunt me tomorrow when we see an iPhone with no sensor - perhaps it's an iWatch with a fingerprint sensor!

I predict that Apple could make use of the embedded fingerprint sensor (probably an optical EFS) in the following ways:

Protect the device
My last smartphone was an Android-powered Motorola Atrix 4G - I think I may have been one of the few owners in the UK. It was not a bad smartphone, OK it ran a pretty old version of Android but I could live with that because it had an embedded fingerprint sensor integrated into the rear of the phone doubling up as a power button (see below) - sound familiar? What I loved about this phone was the ability to unlock the device by using the fingerprint sensor (supplied by AuthenTec).

After a pretty simple enrolment process I could use a fingerprint swipe to unlock the device and in approximately 90% of occasions it worked first time. I regularly travel into London, commuting on public trains and tubes and by swiping the sensor with an enrolled finger I could avoid any potential passcode shoulder surfing - a real deterrent against theft.

What I didn't like about this phone, and this is a lesson for any ODM thinking of embedding a biometric sensor into a phone, was the lack of a supporting ecosystem. By using the lock feature, I could conveniently protect my phone from unauthorised use but little else. Motorola, and this is the same mistake made by other fingerprint sensor manufacturers who have sold to laptop and netbook OEMs, didn't create the supporting ecosystem (APIs or SDKs) that could be utilised by other stakeholders, such as third-party app developers and service providers. No one, outside of Motorola, could utilise the benefits of the sensor.

Motorola ATRIX 4G

So enough about Motorola, let us turn to Apple. I believe that Apple will launch the iPhone 5S with a fingerprint-enabled unlock feature, protecting the device in a similar manner to the Atrix 4G: the user unlocks the iPhone by swiping an enrolled finger on, or pressing, the iPhone home button. The iPhone 5S stroke - coming to a train near you soon!

The second feature that I feel will be fingerprint-enabled from tomorrow will be the ability to use a fingerprint in iPhone initiated eCommerce transactions. The iPhone as a payment method. Perhaps without needing NFC (for now anyway).

Apple has become not only a successful computer manufacturer but a very important retailer of digital media. Earlier this year (June 2013), Apple CEO, Tim Cook, announced that there were 575 million registered iTunes accounts around the world. Accounts do not equate to unique users but even so we must be talking of half a billion people who are iTunes users and who have registered their credit cards with Apple.

These 575 million iTunes accounts have downloaded a total of 50 billion apps from the app store and paid for billions of dollars of digital content including films, music and books. According to CNNMoney iTunes generated $12.9 billion in 2012. These figures detail the importance of Apple as a very successful retailer, both on-line and physical (There are a reported 413 physical Apple stores located in 14 countries).

Like any successful retailer Apple will suffer from financial fraud and there have been reports of fraud affecting Apple iTunes. By adding the requirement for a second factor (what you are - your fingerprint) in combination with what you have (the iPhone), fraud surrounding iTunes transactions (for iPhone 5S users) could be significantly reduced.

Fingerprints could also be used to protect Apple's wallet service, Passbook. Apple's vision is to have Passbook as a secure wallet service that contains valuable digital files, boarding passes, loyalty cards, event tickets and retail coupons. A convenient and secure method to protect this valuable information would be to fingerprint-enable Passbook.

Passbook may also be turned into a payment tool. I predict that we will see Passbook being used as a mPayment tool with the user's fingerprint being used to unlock the wallet and then to authenticate transactions. Initially I believe that this will be used (think of it as a pilot) in Apple stores. It could work like this. I am browsing in my local Apple store and I would like to purchase a new MacBook Air. I take my iPhone 5S out, open up the Passbook app and authenticate using my fingerprint. I choose the payment feature and this activates the barcode scanner. I scan in the barcode for the Air and press the 'Buy' button. It asks me to verify my identity and I scan my fingerprint (possibly also entering in my Apple ID passcode, although this may be a bit clunky for a physical store). It verifies me as the account holder and then initiates the transaction (checks whether I have the funds and goes through the fraud management system). Happily for me, and for Apple, I pass all the checks and it sends down a receipt to the phone (contained in the protected Passbook). The receipt could contain a barcode that a retail assistant could check before handing over my lovely shiny new gadget. It could work - quick, convenient and pretty secure.

Will it be open?
In conversations I have with technology vendors working in this space I am always asked my opinion on whether Apple will open up the sensor for third-party use (the authentication vendors may be secretly scared of having their business model disrupted by Apple - not the first and definitely not the last). My answer is a qualified no. Apple's history has been to keep its technology within its garden walls and not to open it up. I believe that any low-level authentication SDKs and APIs that directly call the sensor will be shut off from third-party access. It may wish to add some high-level functions to its iOS development library that make use of the sensor for payment and in-app billing features but, at least for the short term, I would be surprised if they opened it up to authentication vendors.

What may happen is a replication of a trend that we are seeing for consumer end-user authentication. The quasi-federated model where a large, trusted, internet service will provide authentication services on behalf of a third-party service provider. For instance, I can choose to authenticate into my Spotify account using my Facebook ID. Facebook have become the broker for my identity (This also includes Google). Apple could offer a similar sort of service using the fingerprint sensor as part of the response to the challenge. Widen its network, gather vital user intelligence and increase its sphere of influence through identity verification services.

To sum up
I know we have been here before (NFC), but I believe that a piece of security kit that has been hidden away in high-security buildings and been collecting dust on laptops around the world will get the Apple magic tomorrow and Apple will make it work. It is being driven by a combination of convenient security and a desire for Apple to benefit from half a billion credit card owners by enabling iPhone initiated payments at physical stores.

This will have a direct impact on the biometric industry and will propel biometrics into the mainstream.

I welcome any feedback from this blog (including typos and factual corrections).

Disclaimer: This is my personal viewpoint and does not reflect those of my employer, Goode Intelligence.