11 August 2013

I AM WHO I AM... OR AM I?

Google
I have spent the last 18 months pondering on the whole sphere of identity and authentication and a number of things have happened:
The analysts continue to tell us that lax password management and policies continue to put individuals and organisations at risk (according to the Trustwave Global Security Report 2013, Welcome1 is the most commonly used password by count - followed closely by STORE123 and Password1 - whereas Password1 is still most widely used when looking at % of unique active directory samples, followed closely by password1 and Welcome1)



We have recently seen a number of high profile credentials breaches (e.g. LinkedIn, twitter, etc.). In all cases, following the breaches and public opprobrium, the organisations affected deployed two factor authentication (twitter after a spectacular, if short-lived, crash of the Dow Jones following the AP hack).

By 2020, Cisco estimates that the number of interconnected devices will have reached 40 billion, whilst the United Nations estimate that the world population will have reached 7.5 billion.

Javelin tells us that mobile is set to outpace other payment methods in the next 5 years (April 2013).

According to the National Fraud Authority in the UK (Annual Fraud Indicator June 2013), 27% of the UK adult population has been a victim of identity fraud, at an equivalent loss of £3.3 billion per year (an increase of more than 22% over the previous year).

The market is starting to consolidate and coalesce as evidenced by Equifax buying ID protection start-up TrustedID for About $30 Million, EMC buying identity management provider Aveksa for $225 million, Symantec buying authentication company PasswordBank for $25 million and many analysts predicting the exponential growth of the identity and authentication market, to name but a few.

In addition, the new digital economy dynamics have resulted in the concept of privacy being redefined, but by the same token, according to the Cisco 2013 Annual Security Report, 75% individuals don’t trust websites to protect personal information. Consequently, when something is inconvenient, human beings will invariably find innovative ways to get around the problem, and I found it fascinating that privacy concerns resulted in UK government officials advising users to use fake ID on social networking sites and that almost half of Australians give false data to websites as a privacy precaution  .

So, what can we conclude from the above? Well, very simply, we haven’t cracked it yet.


If we come at it from the consumer angle, convenience will be a major consideration, and unless compelled to do so (say, by regulation or the prospect of direct financial loss), individuals will lean towards simplicity and convenience according to their perceived individual risk exposure (and so, we have seen the emergence and relative success of password vaults). And because convenience is important to individuals, those that are in the business of convenience and consumer experience (say, social networks, app providers, etc.) are using federated identities because it makes it so much easier for the user (e.g. sign in with twitter/ facebook/ etc., who doesn’t like that!). But as we’ve already ascertained, identity information on those sites cannot be trusted for activities that require a high level of trust – you wouldn’t sign in to your bank account using your twitter ID would you? - or more to the point, would a bank ever consider letting you do it?... [UPDATE 5th September 2013: Well, I spoke too quickly as this piece of news emerges and indeed here...)

I am who I am…

So what does this tell us? Well, it has been my long held belief that the industry sectors best placed to provide trusted identities are 1) Governments and 2) Financial Services. I won’t dwell on government identity assurance schemes because we’re all familiar with them. But looking at financial services, what makes them so ideal for trusted identity provision? Well, they have to assure the identity of their customers because they are compelled to do so:
  • by laws and regulations: KYC, AML, FATCA, etc.
  • to manage their own risk (e.g. credit risk, fraud exposure, etc.)
I have already mentioned how traditional players in the credit checking space have started to inch towards the identity space - (see the Equifax reference earlier – similarly Experian acquired Decisioning Solutions earlier this year ). Undoubtedly, the era of traditional credit verification is behind us and we’re already seeing more and more suppliers providing document checking solutions as well as increasingly more innovation for social identity verification, most of which based on cloud infrastructures. And of course, let’s not forget all the innovations in the authentication space (e.g. QR codes, OTP, biometrics , etc.). Numerous analysts continue to predict stupendous growth in this market. In the online payment space, we’ve had 3D Secure for a very long time and many are clamouring for alternatives, or at least holistic and integrated solutions for other channels such as mobile and telephone.
It is interesting to see that it could be regulations (traditionally perceived as innovation inhibiting) that could instil fresh blood in this space. Indeed, the European Central Bank Recommendations For The Security Of Internet Payments  specifies that:
  • Strong authentication (two or more factors) is required for all online transactions acquired within SEPA zone effective 01 Feb 2015.
  • PSP’s must implement strong authentication or be liable for fraud
  • Online merchants must also support strong authentication.
  • Due Implementation Feb 2015 by PSPs & Payment Schemes
(also please note that the ECB definition of “PSP” is really just about anyone in the payment value chain…)
My conclusion is that the ECB recommendations will introduce some very strong competition to 3D Secure in the traditional online channel and promote innovation, but not necessarily in markets that have made heavy investment in the scheme (to start with), so watch out for developments in AsiaPac and the Nordics… As for mobile and social, there’s so much interesting stuff happening in the authentication space that we will start to see some winners emerging very soon…

So if we look at it from a risk angle, we see that The Clearing Group in the US and its 22 member banks are developing an
industry-wide dynamic credentialing solution to improve the safety and soundness of digital payments . As mentioned earlier, I have always thought that financial services institutions were ideally placed to provide trusted and verified identities, simply because they are compelled to do so not only by laws and regulations (e.g. money laundering, corruption/ bribery, anti-terrorism, KYC), but also for financial reasons (e.g. fraud, risk provisions). I was therefore very encouraged by a similar move by the UK government selecting The Post Office, Cassidian, Digidentity, Experian, Ingeus, Mydex, Verizon and Paypal for the provision of secure online identity registration service for people accessing public services . But it was rather odd that no British banks appeared on the list, so maybe our American counterparts are more forward thinking (indeed, see how the patent for facial authentication to reduce fraud  was filed in 2010 by JP Morgan Chase & recently awarded). Incidentally, when Barclays changed its terms and conditions to allow it to sell aggregated data on market trends , I thought that this perhaps was an indicator of further interesting moves from the bank, but I have not seen any evidence of this as yet.

So what should we be looking forward to? For a great visualisation of what the world could look like, see this excellent post from Dave Birch and if you’d like to delve a bit more into biometrics, see my last post  .

Until next time…
neirajones