October 2018

othiriondebriel's picture

A large percentage of our lives is now conducted digitally (both on a personal level and at work), and this is set to continue with our demand for speed and convenience. This means there are billions of digital identities stored in many different systems with varying degrees of security, and cybercriminals are devising more sophisticated methods to leverage any weakness.

In a 2018 Global Economic Crime and Fraud Survey, PwC found that 64% of respondents said losses due directly to their most disruptive fraud could reach US$1 million. 

If the upwards trend in identity theft continues, we will need a more logical approach to identity access management (IAM) that balances convenience with security, especially considering PSD2 and the directives for greater consumer protection along with the growing importance of Open banking trend. As banks have a proven track record regarding storing and protecting customers’ identities, perhaps we should look to them to become central ‘holding tanks’ for digital identities.

Identity management models

There are three models of identity management: internal, centralized and distributed. They all have good and bad points.

Internal identity management

This is the typical model where a single organization provides and manages the identities for its employees to gain access to various internal systems, physical access and other internal services. The organization calls all the shots as to how an ID is created and used. There is no centralization across the ecosystem, so users will have multiple identity credentials to keep track of, in addition to identities they may need outside of work, such as bank logins.

Centralized identity management

A more user-friendly model is centralized, where a single organization (including governments) acts as an identity provider that authenticates users to everyone else in the system. The national citizen register in the Netherlands uses this model.

The beauty of centralized ID management is that multiple application providers can be accessed by the same user identity, which streamlines service delivery—more convenient for users as it reduces the number of identities needed. It provides a single version of the truth, and a complete, accurate and standardized view of non-confidential data across different users.

Having just one location for all that data can be risky, depending on the security initiatives implemented. If users lose trust in the system, even without just cause, reputations can plummet.

Distributed identity management

This is an interesting model for identity management, as multiple identity providers share information with other providers within their ecosystem. In the TUPAS system in Finland, banks act as identity providers, so that a user’s bank credentials provide access to a wide range of services from other providers.

This model provides users with a convenient ‘digital wallet’ of credentials, meaning they don’t rely on information from a single provider. The downside is that the information from different identity providers isn’t standardized.

Where banks come in

As financial institutions already have their customers’ trust as a provider and manager of secure identities, it’s a logical step for them to lead the way in identity access management across a distributed ecosystem. In light of PSD2, ID protection is even more vital, and who better than banks to share data securely? This extension from authentication into identification seems like a natural and logical move for the banks. They will need an optimized infrastructure that offers:

  • the right authentication platforms for federated identities
  • a layered authentication approach using advanced threat detection capabilities, complying with PSD2
  • cost effectiveness
  • lower risk
  • a platform that builds trust
  • an appealing user experience

Choosing the right partners will be crucial and it’s in the best interest of financial institutions to consider new approaches to engage new and existing customers.

Resources

For more information on how HID Global is helping financial institutions, feel free to consult the following resources:

Webinar – Open Banking and the Challenges to Implementation

White paper – The Role of Digital Identity in the Future of Banking

Browse HID Global's advanced secure identity solutions for the Banking & Financial Industry.

jmacinnis's picture

PKI certificate technology has long been a foundational technology in securing web traffic between users and web services. PKI (public key infrastructure) defines the method that a web browser uses to determine that a website is genuine and belongs to the correct business or organization. In other words, PKI certificates are used to ensure the identity of a remote computer/server.  Most browsers have the padlock icon to show that a website can be trusted.  PKI certificates can be examined by clicking on the pad lock in the browser window and then clicking on 'View Certificates.’

The key to establishing trust within PKI depends on using a certificate authority (CA) which acts as a trusted third party. The primary role of the CA is to digitally sign and publish the server or web site’s public key using the CA’s private key. This is referred to as asymmetric cryptography.  Since the browser has a trusted relationship to the CA it can then verify that the server or website is who they claim to be. 

Using smartcards and mobile technology, security conscious organizations are now issuing PKI certificates to employees, contractors and visitors instead of relying on login/password.  I enjoy using PKI certificates to verify my identity for a few key reasons. I no longer have to remember and maintain a complex password. Instead I use my smartcard with PKI credential and a PIN. There is no password that can be stolen or forgotten, yielding a higher level of security for the organization.  Another benefit is ease of use for securing communications. With a simple click I can now sign email transmissions, lending proof to the recipient that the email in fact came from me and has not been modified. This can help prevent phishing and spoofing attacks. Since public keys are shared, I can also encrypt emails and documents using a recipient’s public key so that only the intended recipient (possessing the corresponding private key) can read the file or transmission.

In case private keys are compromised or an employee quits and no longer needs access, PKI includes revocation technology.  This happens when the CA administrator determines that a certificate should no longer be trusted. CA’s maintain and publish a Certificate Revocation List (CRL) for this purpose.

Security experts are now of the opinion that certificate-based authentication using PKI is the best way to provide strong two factor authentication. In the past, certificate-based authentication which relies on PKI was considered to be complex and hard to manage. It turns out that a well-designed and modern implementation of certificate-based authentication can be easy to use, provide a higher degree of security, deliver flexibility in enabling a role-based security policy and can be very cost effective.

HID Global can help you meet the challenge with credential management products, such as ActivID® CMS and ActivID ActivClient®. HID Global’s Credential Management System (CMS) can be deployed for the enterprise to simplify user authentication. CMS can manage the certificate lifecycle and automatically enforce security.

At HID Global, we have technical experts on hand to walk you through our industry-leading secure identity solutions, and preview some newer solutions that are still under wraps. You can also find out how ActivID CMS can help you better support mobile devices with Derived Credentials and Virtual Smart Cards.

View our multi-factor authentication solutions portfolio for more information.

CSandness's picture

At HID Global, we take pride in powering the trusted identities of the world’s people, places, and things. While providing this trust in the products and solutions in our portfolio through processes such as “mutual authentication”, it is equally important to highlight the mutual trust between HID and our worldwide partners. While multiple products may validate one another to establish security and trust of the identity, HID and its global partners mutually trust each other to exceed in the marketplace. Our global channel has invested their businesses (and careers) in promoting HID to their markets. They trust HID to continue to innovate quality new products and solutions with relevance to their vertical and geographic markets, providing exceptional value to end customers. Meanwhile, HID trusts its global partners to integrate HID’s offering into unique solutions, to promote our portfolio into emerging markets, and to fulfilling end user demands with unsurpassed professional service and support. This mutual trust manifests itself in powerful partnerships. I am proud to highlight the decades-long trust that has built between HID Global and Color ID.

othiriondebriel's picture

The multi-factor authentication market is experiencing new dynamics. For the last 15 years, strong authentication was not a top of mind concern for organizations and was mainly based on hardware tokens generating one-time passwords (OTPs), a temporary 6 or 8 digit password. The user was required to first generate an OTP on his token and then copy/paste it into his online portal. It has been pretty much about two-factor authentication: “something you know” and “something you have.” Later on, in 2013, Apple released its first integrated mobile biometry solution: TouchID, adding a new factor to the authentication process related to “something you are.” As a result, the market started migrating toward multi-factor authentication (MFA) with an increased focus on user convenience by leveraging the mobile platform.

Today, we see a new market shift toward a new type of authentication driven by data intelligence. Multiple trends are pushing this forward:

Cyber-attacks are growing in number and in complexity

Moving to mobile has increased the attack surface. Mobile devices are less protected while being always connected. Also, the end-users are changing their habits and like to be mobile, extensively using Wi-Fi networks, which are often proved to be unsecure. Hackers are using advanced tools, such as artificial intelligence and machine learning, and are also attacking at different levels to get around the protection deployed by organizations. Therefore, making sure the user is the one he pretends to be (authenticating the user) is critical while making sure the user’s environment is safe.

Multi-factor authentication on its own is not sufficient anymore

There is no value of strong authentication on a device that is compromised or a communication channel used between the authentication device and the server, which is spied due to improper protection. So, in order to ensure genuine multi-factor authentication, organizations are expected to protect the full environment.

Some of the recent regulations requiring multi-factor authentication are now are adding new elements for transaction monitoring mechanisms such as threat and fraud detection services. For example, the Payment Service Directive 2 (PSD2) in Europe is asking for Strong Customer Authentication but also for transaction monitoring mechanism. (Learn more in our eBook on PSD2 implications.) In a similar way, the 3D Secure 2 protocol and the New-York state regulation for financial institutions (23 NYCRR 500) are talking about Risk-Based Authentication.

Traditional multi-factor authentication market is under a lot of pressure

New nimble companies are proposing authentication services easy to setup and easy to use for any organization willing to increase the security level of their end-users. The FIDO Alliance, which is pushed historically by Google and Paypal, is defining a new, simple-to-use authentication protocol. But also traditional IAM companies, providing adjacent functionalities (SSO, Identity Management), are now offering multi-factor authentication methods for almost no additional cost. Authentication in this context has become a commodity on a market where providing benefit will require offering new premium services with enhanced security and intuitive user experience based on data analytics, machine learning and AI.

Mobile biometry is rapidly adopted by the end-users

It creates a perception that no more password is required and it is safe. But very few know that mobile biometry is about convenience, not about security. Indeed, it’s easier to smile at a phone or to put a finger on the sensor than typing a password or even entering a PIN code. For user convenience, the threshold for validating the user on fingerprint mobile readers or face recognition mobile solutions is low, and it results in a negative impact on security. But the end-users love it. Consequently, it is increasingly adopted as a factor in the context of multi-factor authentication, which requires organizations to increase the security in the background making sure this will not affect the overall level of security of their authentication process.

Last, but not least, users are getting used to consumer centric services that are easy to use and very intuitive. Therefore, they are less and less accepting of cumbersome user experience when it comes to security.

Data intelligence advanced authentication