Showing posts with label RSA. Show all posts

Thursday, 1 June 2017

Five Considerations for Selecting a Consumer Authentication Vendor

In today's mobile-first world, consumer authentication is driven by the need of having a smooth user experience. Of course, it has to be secure and tick all of the boxes for privacy and regulation but when I talk with clients, both authentication vendors and service providers, they all say that the number one priority is having a great user experience (UX). If the authentication user experience fails then customers will simply walk away and go somewhere else or choose an alternative payment method.

I was recently asked to create a white paper for RSA and EyeVerify on key considerations for selecting a consumer authentication vendor. I identified five key considerations:

  1. Consumer choice
  2. Convenience
  3. Demonstrable fraud reduction
  4. Meeting a 'mobile first' strategy
  5. Regulation compliance
These five considerations are powerful criteria for organizations when assessing authentication solutions and vendors.

Consumers must be given a choice of convenient, easy-to-use authentication services. The availability of a wide range of device-based authentication technologies, including multiple biometric solutions, supports this requirement. Convenience and consumer choice can also be combined in a well-designed consumer authentication solution: the combination of risk-based authentication (RBA) and mobile biometric authentication services (MBAS) can meet both criteria. Risk-based authentication can cover a good percentage of normal authentication scenarios, and mobile biometrics can be applied to the scenarios that require further ‘proof’ of true identity; a combination of frictionless and friction-light authentication.

Service providers are increasingly pressured to support legacy service channels, including physical (bank branch and retail store) and telephony, at the same time as evolving their offering to work across a wide range of new technology: first web, now mobile, and moving swiftly into the Internet of Things (IoT). When choosing an agile technology partner that can support multiple delivery channels (omnichannel support), an organization must ensure that it chooses an authentication solution that can operate across a wide range of these channels. A mobile first strategy can allow organizations to design and deploy effective authentication services that meet this consideration.

Fraud is rising in all sectors. A consumer authentication vendor must be able to demonstrate fraud reduction as a result of deploying the chosen authentication solution – measurable and tangible fraud reduction benefits.

Around the world, regulatory powers are adapting existing regulation or introducing new ones to ensure that consumers are protected when using the latest digital services. A trusted technology partner must be able to demonstrate:
  1. It can help organizations address the latest federal and industry regulations; and
  2. It actively participates in influencing regulatory bodies to ensure that convenience and ease of use are not sacrificed to over-rigid security requirements.

Getting the balance between security and convenience right is an essential ingredient in supporting flexible digital service delivery.

To read the white paper in full, you can download it from the Goode Intelligence website here.

Thank you - Alan

Thursday, 14 July 2016

Will Brexit affect PSD2's Strong Customer Authentication Requirements?

There is no doubting that Brexit is having a profound effect on the UK, and ripples of disruption have been felt around the world as a result of the UK's decision to leave the EU.

I have written extensively on EU and EC legislation and its impact on a number of cyber security matters including mobile security, identity, authentication and biometrics. 

Recent research has investigated the impact of PSD2 on security; in particular the impact on how payment service providers (PSPs) manage customer authentication.

To summarise the main objectives of PSD2:

  • Contribute to a more integrated and efficient European payments market
  • Improve the level playing field for payment service providers (PSPs), including new players
  • Make payments safer and more secure
  • Protect consumers
  • Encourage lower prices for payments

The European Parliament adopted PSD2 in October 2015 and EU member states have two years in which to implement the new procedures. The EC states that there is a different date of application for the new security measures, including Strong Customer Authentication (SCA) and standards for secure communication. This is subject to the adoption of the regulatory technical standards which are being developed by the European Banking Authority (EBA) and adopted by the EC. It is anticipated that the new security measures shall apply 18 months after the adoption of the standards by the EC.

PSD2 provides rules for payment security and customer authentication, concentrating on protecting consumers when paying on the internet. 

PSD2 applies to all payment service providers (PSPs) operating in the EU, including banks, payment institutions or third party providers (TPPs) and relates to all electronic means of payment.
The EC defines SCA as a process that “validates the identity of the user of a payment service or of the payment transaction”.

SCA is based on the use of two or more elements:
  1. Knowledge - something only the user knows, e.g. a password or a PIN
  2. Possession - something only the user possesses, e.g. a card or an authentication code (OTP) generating device
  3. Inherence - something the user is, e.g. a biometric authenticator such as fingerprint, voice or eye-print
PSD2 states that these elements have to be independent of each other, meaning that if one element is breached or compromised this does not compromise the “reliability” of the others. The design of the authentication solution must also protect the confidentiality of the authentication data or identity credentials.
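As an added illustration (not part of the original post, and not taken from PSD2 or the EBA standards), the following Python models the three element categories listed above together with the independence rule. The "binding" field, the thing an element is anchored to such as the user's memory, a particular phone or a hardware token, is this example's own simplified way of modelling independence and is an assumption, not a regulatory definition; the element names and sample sets are constructed.

```python
"""Checking a set of authentication elements against PSD2-style SCA rules.

Added illustration; not from the post or from any regulator's text. It models
the three categories named in the post (knowledge, possession, inherence) and
the independence requirement: breaching one element must not compromise the
others. The 'binding' field is this example's own simplified way of modelling
independence and is an assumption.
"""
from dataclasses import dataclass
from itertools import combinations
from typing import List, Tuple

KNOWLEDGE, POSSESSION, INHERENCE = "knowledge", "possession", "inherence"
VALID_CATEGORIES = {KNOWLEDGE, POSSESSION, INHERENCE}


@dataclass(frozen=True)
class Element:
    name: str
    category: str   # one of VALID_CATEGORIES
    binding: str    # what anchors the element, e.g. "user-memory", "phone-A", "hw-token-1"

    def __post_init__(self) -> None:
        if self.category not in VALID_CATEGORIES:
            raise ValueError(f"unknown SCA category: {self.category!r}")


def sca_satisfied(elements: List[Element]) -> Tuple[bool, str]:
    """Return (ok, reason) for the given elements.

    ok is True only if some pair of elements comes from two different
    categories AND is anchored to two different bindings, so that losing one
    binding does not expose both elements at once.
    """
    categories = {e.category for e in elements}
    if len(categories) < 2:
        return False, f"only one category present: {sorted(categories)}"

    for a, b in combinations(elements, 2):
        if a.category != b.category and a.binding != b.binding:
            return True, f"independent pair: {a.name} + {b.name}"

    return False, "elements of different categories all share a binding"


# Constructed sample elements
PASSWORD = Element("password", KNOWLEDGE, "user-memory")
PIN = Element("PIN", KNOWLEDGE, "user-memory")
SMS_OTP = Element("SMS OTP", POSSESSION, "phone-A")
TOTP_APP = Element("authenticator app OTP", POSSESSION, "phone-A")
FINGERPRINT = Element("fingerprint on phone", INHERENCE, "phone-A")
HW_TOKEN = Element("hardware OTP token", POSSESSION, "hw-token-1")

if __name__ == "__main__":
    for label, elems in [
        ("password + PIN", [PASSWORD, PIN]),
        ("password + SMS OTP", [PASSWORD, SMS_OTP]),
        ("fingerprint + OTP app, same phone", [FINGERPRINT, TOTP_APP]),
        ("fingerprint + OTP app + password", [FINGERPRINT, TOTP_APP, PASSWORD]),
        ("fingerprint + hardware token", [FINGERPRINT, HW_TOKEN]),
    ]:
        print(f"{label:40s} -> {sca_satisfied(elems)}")
```

The interesting case is the third one: a fingerprint and an authenticator app are two different categories, but if both live on the same phone a single compromised device yields both, which is exactly the dependency the "independent of each other" wording rules out. Adding a third element anchored elsewhere (the password) restores an independent pair.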
As the UK has voted to exit the EU, will this mean that UK banks and PSPs will not be bound to comply with these regulations (and in fact other EU legislation)? This is a difficult question to answer as the exact nature of the UK's exit and what will exactly be negotiated as the UK triggers Article 50 is still very much up in the air. What I think will happen is this:
  • UK banks and PSPs that have functions in the EU will have to comply with PSD2 - it also makes competitive sense to support PSD2
  • PSD2's authentication requirements are pretty-much the basic requirements for supporting strong customer authentication and it makes common sense to support them especially some of the risk-based authentication services that enable lower-risk payment transactions to be exempt from strong customer authentication
  • Some UK retail banks are owned by European organisations who will want to have a common strategy for customer authentication that supports PSD2
As the UK's ex-Prime Minister Harold Wilson said in the 1960s, "A week is a long time in politics", and I am sure that there will be much debate over the coming months and years about the relevance of EU legislation to the UK. If you are a UK bank and have started projects to ensure compliance with PSD2 then I am pretty sure that these will not be halted as a result of Brexit.
Please let me know your thoughts by commenting on this blog. Thank you, and remember: in the global economy no nation is an island!

You can download the Goode Intelligence White Paper "The impact of PSD2 on authentication and security" from here.

Friday, 19 September 2014

Payments drives consumer biometrics and the push for enterprise

I was fortunate to be out in Washington DC last week (8-11 September) speaking at an RSA Global Summit on the future of authentication and presenting my research on mobile and wearable biometric authentication.

The Summit coincided with Apple's latest product launch on the 9th September and I was able to catch up with the announcements during a couple of breaks - unfortunately not aided by Apple's live streaming debacle that was at times verging on the ridiculous. (I particularly enjoyed the Chinese commentary and some severe editing that left out much of what Cook was saying. I got the applause but not the reason for the applause - perhaps that was Apple's corporate comms team in charge of editing?)

As well as a number of new hardware launches, including bigger, bolder iPhones and a watch (will it support biometrics for authentication?), we saw Apple make a push into payments with 'Apple Pay', using the Touch ID fingerprint system to provide authentication for payments (both online and physical). I have been watching Apple create the building blocks for this payment solution over the last couple of years - Passcode, iBeacon, Passbook, Touch ID, Secure Enclave and finally NFC. Nice to see the finished solution.

As I said in a couple of interviews with the press last week, what Apple has done is not revolutionary; what it has successfully done is to cement a number of emerging technologies into a usable solution. This is backed by strategic partnerships with the world's largest retail payment providers and links over 800 million global iTunes users to a mobile payments solution. And from a biometric authentication point of view, with Touch ID, it offers quite possibly the best user experience and the highest penetration of available mobile devices - a frictionless payment tool in a sleek piece of metal and glass. It will be interesting to see how it links other features such as loyalty, social and coupons to the payment app to make it any more appealing than using a plastic card - the value is not in the payment transaction per se.

By also opening up the Touch ID environment to third parties (Touch ID API) it allows other service providers (including financial services providers) to take advantage of this frictionless authentication solution. We have already seen announcements from MINT and Simple bank that they are utilising Touch ID for their mobile banking apps plus a proof of concept from Nok Nok Labs with a FIDO Ready solution. I expect that we will see many more announcements as the devices start to get in the hands of consumers (there is apparently pent-up demand for the latest iPhone from 4S and 5 users wanting to upgrade).

It is quite possible that the trend of Bring Your Own Identity (BYOI) may be accelerated as a result of Apple's Touch ID solution. All a service provider need do is to build an app that uses the Touch ID API and that's my authentication sorted - right?

Talking of FIDO, this year has also seen the world's two largest Internet payment companies, PayPal and Alipay, adopt FIDO standards (through Nok Nok Labs' S3 Authentication Suite) to leverage mobile-based fingerprint sensors as the prime authentication solution for mobile payments (where the device supports it).

Payments is definitely driving consumer biometrics.

So what about the enterprise? Are they ready to embrace BYOI and adopt authentication solutions for their employees and business partners? I think the answer is a guarded yes but it may take some time.

My time spent at the RSA Global Summit last week in DC was very informative in listening to the thoughts and opinions of enterprise users. Consumer is definitely driving innovation in authentication and this is taking its time to trickle down into the enterprise. In the main, they have BYOI and consumer-based mobile biometric authentication technology on their radar but also need some assurances that the trust, privacy and security models (there is obvious overlap between these three) employed by mobile device OEMs (including Apple, Samsung and Huawei) are good enough to meet security policy and industry regulation.

FIDO can help; by creating a user authentication standard fit for a modern connected world, ratified by some of the world's leading technology companies and service providers, organisations and end users can have a higher level of assurance that trust, privacy and security demands are met. FIDO has real positives in the 'first mile' of authentication but also needs connections to subsequent miles of the authentication and authorisation journey.

Enterprise users in particular demand comprehensive and integrated authentication solutions that combine convenient user authentication (probably on a mobile or wearable device) with other associated risk and security solutions, including single sign-on/federation, risk-based authentication and risk management, business-aware authorisation that is context aware, and threat intelligence/threat analytics. That's potentially a lot of integration work!

Please feel free to leave a comment on this blog - I am always interested in receiving feedback and openly discussing this fascinating topic.

Thank you, Alan.

Thursday, 26 September 2013

The Changing Face of User Authentication and the Road to Bring Your Own Identity

I recently presented on an Infosecurity Magazine webinar entitled “How to Make Access to your Sensitive Data More Secure - The Easy Way”.  During my presentation I explored how user authentication is adapting to meet the changes created by a number of linked transformational trends that include cloud computing, mobility and the Consumerisation of IT.

The presentation focused on one of Goode Intelligence’s specialist areas, mobile-based authentication (both the phone as an authenticator and mobile authentication when an IT service is accessed from the mobile device). It also touched on other areas of Identity and Access Management (IAM) and the development of these corresponding areas is vital to the successful transformation of user authentication services (both mobile and non-mobile). It is imperative that we meet the security challenges of the next generation of IT services – to defend the borderless enterprise.

We are increasingly accessing a huge wealth of digital information, both inside and outside of the enterprise network, from a myriad of devices. In this new world of IT, traditional authentication solutions, both single-factor (passwords) and two-factor (smart cards and OTP tokens), have become clumsy, inconvenient and less secure. Password management is a headache: in the main we either write down strong passcodes or re-use passwords that we can easily remember (password management tools do exist). Alternatively, when traditional two-factor authentication is used, it is often not designed for cloud, mobile or BYOD. Authentication solutions designed for traditional, behind-the-firewall enterprise systems are increasingly ineffective for new, agile IT services.

So what are the alternatives? How do we match convenience and security and ensure identity is successfully proven across a wide variety of different devices (enterprise-issued and employee-owned) accessing many services located on-premise, hybrid and wholly in the cloud?

I believe that we are close to achieving the goal of supporting a much more agile and mobile world of IT service provision with strong, convenient authentication. We know what the problem is and we have many of the building blocks to make this a reality. These building blocks include risk-based authentication (RBA), federated identity, multi-factor authentication and user choice.

Match risk with appropriate security – combining user intelligence with business context
At Goode Intelligence, we are seeing increasing demand for more intelligent forms of authentication where the choice of authentication method used is real-time risk driven. The financial services sector has been an early adopter of RBA technology as it has a history of measuring (managing) risk.

RBA matches the most appropriate authentication method to the assessed risk. To be successful in this you must first know who the user is and what they plan to do.

User intelligence can be gathered from a number of inputs, and the mobile device can play an important part in this process. It can complement more active forms of authentication by learning the unique characteristics of its owner: where they are usually located (geo-location), the days and times that they are normally active, and even how they hold and touch the device (behavioural analysis).

An accurate risk score can be calculated by combining user intelligence with business context. What is the user trying to achieve - Is it a high-value financial transaction to an unknown recipient or attempting to access the latest sales data? Based on this risk score the authentication engine can then choose the most appropriate authentication method to prove identity. A one-time-password (OTP) generated by the authentication engine and sent to the user’s registered mobile device via SMS may be sufficient or alternatively the authentication level may be ‘stepped-up’ to a stronger factor – a biometric or even a separate hardware device.
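The following Python is an added example of the mechanism described in this section; it is not the post's own engine or any vendor's product. The signals, weights and thresholds are this example's assumptions, chosen to show how user intelligence (location, time of day, device) and business context (what the user is trying to do) combine into a score, and how the score selects between frictionless access, an OTP to the registered mobile, a biometric step-up and a separate hardware device. The user profile and requests are constructed sample data.

```python
"""Risk-based authentication: score a request, then pick the matching method.

Added illustration, not the post's or any vendor's engine. The signals,
weights and thresholds are this example's own assumptions; they exist to show
the mechanism the section describes.
"""
import math
from dataclasses import dataclass, field
from typing import Set


@dataclass
class UserProfile:
    """What the service has learned about the user (constructed sample)."""
    usual_lat: float
    usual_lon: float
    active_hours: range            # hours of the day the user is normally active
    known_devices: Set[str] = field(default_factory=set)


@dataclass
class Request:
    """One access attempt plus its business context."""
    lat: float
    lon: float
    hour: int
    device_id: str
    action: str                    # e.g. "view_report" or "transfer"
    amount: float = 0.0
    recipient_known: bool = True


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two coordinates in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def risk_score(profile: UserProfile, req: Request) -> int:
    """Combine user intelligence and business context into a 0-100 score."""
    score = 0

    # User intelligence: how far does this attempt deviate from the learned profile?
    distance = haversine_km(profile.usual_lat, profile.usual_lon, req.lat, req.lon)
    if distance > 500:
        score += 30
    elif distance > 50:
        score += 15
    if req.hour not in profile.active_hours:
        score += 10
    if req.device_id not in profile.known_devices:
        score += 25

    # Business context: what is at stake if this is not the real user?
    if req.action == "transfer":
        score += 20
        if req.amount > 1000:
            score += 20
        if not req.recipient_known:
            score += 20

    return min(score, 100)


def choose_method(score: int) -> str:
    """Map the score onto the authentication method the engine should demand."""
    if score < 20:
        return "frictionless"      # existing session and device trust are enough
    if score < 45:
        return "sms_otp"           # OTP sent to the registered mobile device
    if score < 70:
        return "biometric"         # step up to an inherence factor on the device
    return "hardware_token"        # highest assurance: a separate hardware device


def decide(profile: UserProfile, req: Request) -> str:
    return choose_method(risk_score(profile, req))


# Constructed sample: a user who normally works from London during the day on one device.
ALICE = UserProfile(51.50, -0.12, range(7, 23), {"dev-1"})

if __name__ == "__main__":
    for req in [
        Request(51.50, -0.12, 10, "dev-1", "view_report"),
        Request(51.50, -0.12, 10, "dev-1", "transfer", 200.0),
        Request(51.50, -0.12, 10, "dev-1", "transfer", 5000.0, recipient_known=False),
        Request(40.71, -74.01, 3, "dev-9", "transfer", 5000.0, recipient_known=False),
    ]:
        print(f"{req.action:12s} score={risk_score(ALICE, req):3d} -> {decide(ALICE, req)}")
```

The same transfer from the same known device scores differently depending purely on business context (a large payment to an unknown recipient steps up to a biometric), while an attempt at 3 a.m. from an unknown device on another continent saturates the score and demands the strongest factor.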

Federated Identity – the road to single sign on and a more frictionless experience
For both enterprise and consumer users the prospect of having to uniquely identify themselves to multiple applications and web services is an onerous task. This is probably why for mobile devices the auto-authenticate option is widely deployed – thumbs up for convenience, thumbs down for security.

Organisations are increasingly turning their attention to identity federation, sometimes referred to as Single Sign-On (SSO), as one way to solve this problem. Identity federation provides a standards-based way to share identity amongst multiple organisations and applications. Standards include the Security Assertion Markup Language (SAML), the OpenID protocol and WS-Federation.

The benefit to the user is that they only need to authenticate once to access a number of different organisations and applications. Using techniques such as SAML assertions, identity is then shared transparently with other applications. The user is authenticated once and other application providers can then verify the authenticity of the provided federated identity.

Multi-Factor Authentication/Identity Verification and context
Two-factor authentication (2FA) is so last year!

Over the last 24 months we have seen virtually all of the major internet players - Google, Twitter, LinkedIn, Microsoft and Facebook - deploy some form of 2FA (mainly mobile OTP-based). Microsoft was so enamoured with mobile phone-based 2FA that it acquired a vendor, PhoneFactor. The option to use 2FA in these networks is usually optional, so it is difficult to gauge how popular these services are outside the InfoSec geek community.

In terms of trends in the authentication market there is a definite movement towards supporting multiple factors (MFA), sometimes referred to as infinite factors. This is not necessarily the third factor – often associated with what you are, biometrics. MFA is about allowing a choice of factors and then matching them against context.

I feel that the combination of MFA and contextual awareness is one of the most exciting areas of authentication at the moment and we expect it to be a standard feature of premium authentication solutions. Many of the authentication vendors, including RSA, Entrust and SecurEnvoy, have already increased their portfolio of factors that can be deployed for use with their authentication engines and I believe that the number of factors, and user choice, will increase in the next 12 months. Factors include both traditional – hardware/software tokens and smart cards – and emerging – mobile, biometrics, image-based and behavioural.

The power of having multiple factors at your disposal is multiplied when you add contextual analysis. This is where mobile devices really come into their own as authenticators. Smart mobile devices have so many in-built sensors that have the capability to capture important information about the context of how and where these devices are being used: geo-location through a combination of GPS and cellular-network positioning (even more accurate with LTE/4G services), ambient noise levels captured through the microphone (important in voice biometrics), and user identification through the camera and embedded fingerprint sensors (even before Apple’s iPhone 5S and Touch ID there were over 20 million smartphones shipped with fingerprint sensors). All of this contextual information can be captured and then passed on to services that support risk-based and intelligence-based authentication. A relatively accurate identity score can be calculated on a continuous basis and fed into the authentication service, providing a method of identifying whether the authorised owner of the device is initiating a service and then calculating whether additional authentication is required. This is sometimes referred to as step-up verification (although step-up verification is also a part of non-mobile authentication and RBA services).

User choice – The road to Bring Your Own Identity (BYOI)?
We have bring your own device/platform/software… Is it time for bring your own identity? Let the user choose the most convenient and secure way to protect their digital assets. People decide how best to protect their property and cars, so why not let them choose how to protect their digital lives?

I feel that we are already seeing evidence of this with Internet passports, e.g. Facebook ID and Google Authenticator, that allow registered users to authenticate to other services that support authentication from the passport provider. For instance, if I choose to I can use my Facebook ID to authenticate into my Spotify streaming music service. 

The big question is whether this will expand to services that are more sensitive, i.e. have more risk. Will my bank allow me to use my Google Authenticator to log in to its internet banking service and then transfer funds out of the account? Does the bank trust credentials issued by a social network? Possibly not for funds transfer, but what about a balance enquiry? Step-up verification could be used when I want to transact or to request an increase to my overdraft limit.

Alternatively what if a universal digital ID was issued by a government and managed by a trusted authentication service provider? I wouldn’t discount it but we are at the early stages of BYOI and perhaps initiatives such as the FIDO Alliance, Open Identity and the GSMA’s Mobile Identity Programme may help provide the plumbing and the initiatives to support it. 

Alan Goode September 2013 

Friday, 9 November 2012

A Smart Mobile Identity for our smart mobile lifestyle

I must admit that I didn’t come up with the term Smart Mobile Identity. For that I have to thank Joey Pritikin at AOptix who I was lucky enough to meet at the recent Biometrics exhibition and conference in London during the last week of October 2012. I first came across the term in a presentation that Joey gave at last year’s Biometrics conference where he discussed how standard smart phones can be leveraged for biometric purposes, including user authentication and identity verification [Presentation: Smart Mobile Identity – Beyond Single Purpose Handheld Biometric Devices].

In my opinion, the term Smart Mobile Identity really sums up the next generation of mobile-based authentication and identity verification solutions – something that I have been involved in for the best part of ten years through various roles including my current one as Managing Director of Goode Intelligence.

To me, Smart Mobile Identity is about leveraging the capabilities of a modern smart mobile device (SMD) to ensure that our identities are proven or verified when identity proof (authentication if you like) is required. Not only for proving identity when accessing digital services through a desktop computer but also for mobile-initiated access and even when we present ourselves in the physical world; at a country border or when accessing health or social security services. I also include proving our identity when accessing digital services using other connected devices, such as gaming consoles, automobiles, smart TVs etc.; adaptive and agile authentication and identity verification to support the Internet of Things. As someone who owns an Xbox 360 Kinect device, the idea of using a voiceprint or a facial scan to access Xbox LIVE is a realistic possibility.

For mobile device-based authentication and identity verification solutions, the simplest scenario is being sent a one-time-password (OTP) via SMS when authenticating ourselves into a network-based service, e.g. Google’s Authenticator or 2-step verification process. However, this is changing rapidly and we are in the midst of an evolution in mobile-based authentication and identity verification solutions; moving away from porting existing, non-mobile centric, services to the mobile to designing solutions specifically for mobile. Using the microphone for voice biometrics, a GPS sensor for Geo-location, a combination of the accelerometer and touchscreen for continuous behavioural assessment, securely storing digital certificates in the SIM or Secure Element (SE) and the camera for facial and eye vein biometrics (take a look at start-up EyeVerify for this). All these examples work with standard SMDs now; no need for any specialist equipment.

In addition to these examples, new opportunities are being presented with the next generation of SMDs that contain new types of embedded sensors, including NFC, embedded fingerprint and voice recognition sensors. You can also adapt existing SMDs with add-on sleeves that enable fingerprint recognition (Precise Biometrics Tactivo sleeve) and can support smart cards and NFC. The need for single-purpose devices to capture and verify biometrics in the field may become obsolete as a result of these developments.

Smart mobile devices offer so many opportunities for authentication and identity verification and this blog can only scratch the surface of what can and will be offered – some of the solutions even encroach into the realms of science fiction. I was fascinated to come across the iTravel patent from Apple detailing what the Cupertino tech giant believes to be the possibility of using a mobile wallet for travel purposes: managing the end-to-end travel process from reservation, to ticket receipt/validation, check-in and baggage claim, through to identification at border control. I think all but the last scenario are achievable now, but I believe that we are a long way from using our mobile devices as virtual passports.

That said, perhaps we are seeing pieces of the jigsaw that tell us how Apple will integrate the recently acquired fingerprint sensor technology from AuthenTec – an agile, and very personal, way to protect our wallets or in Apple’s case our Passbook. Swiping a finger to lock and unlock our digital wallets.

Every discussion that I have with technology companies involved in this space, and this includes many of the major authentication and biometric vendors, involves how best to utilise the smart mobile device for authentication and identity verification purposes. My recent attendance at the RSA Europe conference and Biometrics Conference, both held in London, was largely occupied with meetings with clients and tech vendors that were investing serious R&D resources into this area of technology.

A number of forward-looking organisations and technology vendors are already leveraging the capabilities of the smart mobile device for authentication and identity verification purposes. Through my work at Goode Intelligence I have been exploring the capabilities of mobile devices for authentication and identity verification, and this includes the recent publication of two free-to-download white papers: Two-Factor Authentication Goes Mobile and The Case for Mobile MFV.

Goode Intelligence will continue to track this market and you can expect some new publications covering smart mobile identity in the coming months.

Please get in touch if you want to discuss this further or are a technology innovator working in this exciting field.