Digital Transactions Authoritative, insightful and timely information for payments professionals
By Gideon Samid – Gideon@AGSgo.com
Banks, traders, stores, clubs: All hold in confidence their customers’ or users’ data, and imposters galore are threatening their business. An unease prevails in their executive suites. The current compromise between security, cost, and convenience is not very well balanced. It is time for a sober, strategic look at remote authentication.
Let’s write down some key premises. First, No Certainty. Remote personal identification is never absolute. It is inherently a statistical statement. There is always a chance that a stranger will find a way to send over the expected bit stream, and thereby steal the identity of his victim.
Second, No Biometry. Powerful as biometric parameters are for on-site identification, they are misleading, even dangerous, for online setups. Digitized biometric data is stealable, and its owner cannot switch away from it. In other words, you can’t change your fingerprints the way you can change your PIN.
Third, Re-Authentication. A site with thousands of users must expect a significant percentage of them to be leaking their identification attributes to insistent hackers. Therefore, it must break the old rule of no re-authentication, and develop solutions that offer a proper response to the suspect behavior of an already admitted user.
Fourth, Threat Analysis. The threat determines its countermeasures. Some targets are primarily vulnerable to random theft; some are choice targets for insistent hackers with long time horizons and a penchant for careful planning and preparation. The defense must be suited to the assessed threat.
Fifth, Cost Analysis. Every means of authentication comes with a price tag. Costs include research and development, deployment, maintenance, and the burden of use. Deployment includes integration into the broader IT framework, and maintenance includes massive replacement in case of a major compromise.
Taking these premises as guides, it is clear that the same password used repeatedly as the sole means of authentication is a poor solution. It must be augmented. Two augmentation routes have developed. One route is the non-repeat password. The other route is the second-channel password. Both routes improve the chances to catch imposters. The first route has been widely implemented through dedicated hardware fobs that display a frequently changing second password. The second route is generally implemented by the Web site calling or sending a text message to the user’s mobile phone. Neither method is foolproof, and the literature is replete with compromising scenarios. In both methods, the user must have handy and operational another device (his fob or his phone).
Strategic thinking based on the premises above calls for an easily distributable and readily replaceable PIN, which in and of itself will never be communicated over insecure networks. The PIN serves as a cryptographic seed for a quick and easy dialogue that satisfies the identity examiner. Furthermore, the desired solution should have a means for re-invoking a step-wise stronger re-authentication procedure to account for the suspicious behavior of a previously authenticated user.
Also, ideally, the authentication process is a two-way street. While the Web site authenticates the user, the user authenticates the Web site (to stop phishing scams). Another desired parameter is PIN flexibility and adaptability. For some cases, a small, four- or five-digit, memorable PIN will be sufficient. For others, such a PIN would have to be augmented with a longer, safe-kept PIN, or a phone-embedded PIN.
An example of the new generation of authentication solutions is PINpen, where a PIN generates a unique graphic so that it’s practically infeasible to deduce the PIN from the graphic. The Web site displays several graphics for the user to choose from. (The graphics are different in each session). If the examiner is a fraudster, he cannot display a set that would include the right graphics because the fraudster does not have the PIN. By contrast, for example, the user of a password fob like the one mentioned earlier would be okayed by an imposter Web site, fooling the user into divulging critical information. A sequence or re-authentication also offers an alert. If only, say, the third authentication procedure stopped a hacker, one has to investigate how the first two were compromised.
One thing is for sure: Remote personal authentication will remain a lively battleground in this unending cyberwar, and no once-and-for-all solutions are in sight.
