15/07/2008

2.5FA

[Dave Birch] 2FA is clearly important. But what kind of 2FA? At the moment, the "something you know" plus "something you have" version is in vogue, and a great many organisations have been rolling out tokens of one form or another. In the U.K., Barclays (to name but one) have already rolled out 2FA to the mass market:

 

Gemalto announced it has passed the 1 million mark for Barclays customers using PINsentry, its cryptographic smart card reader. The bank started deploying its authentication program in July 2007 and since then not one PINsentry online customer has suffered fraud.

[From 1 million Barclays customer using smart card reader : SecureID News]

As I've said before, I'm a happy PINsentry customer, even though I know it doesn't provide total security. But it's a bit limited. I can't use it to log in to anything else: I'd much rather that Barclays offered a 2FA OpenID login using the PINsentry and then I could use my Barclays OpenID to log in not only to the bank but to any other sites that needed that kind of security (eg, the government). Simon Willison's excellent OpenID blog alerted me to the fact that other people are already thinking in that direction.

 

Microsoft are accepting OpenID for their new HealthVault site, but with a catch: you can only use OpenIDs from two providers: Trustbearer (who offer two-factor authentication using a hardware token) and Verisign.

[From Simon Willison’s Weblog]

So OpenID/2FA is not only feasible, it's a good idea. But we don't want to end up with a 2FA necklace -- with the tokens from half-a-dozen banks plus eBay plus our corporate networks plus plus plus -- that we have to carry with us at all times and this could happen if banks and other service providers don't accept each other's OpenIDs in a rich enough way.


14/07/2008

Out of band, out of mind

[Dave Birch] Using SMS to provide an out-of-band 2FA scheme for access to online services sounds like a reasonable idea. But it depends on customers doing the right thing, and that is generally a bad idea in security terms. One study of a scheme that required customers to copy a pass code from their phone to a web page (to confirm online transactions) found that customers did not notice when the message included incorrect details. My guess is that this is a general result: once you train customers to perform some simple action in order to obtain security, they won't do any of the other cross-checks, and because they think (for no reason) that SMS is somehow secure, SMS-based approaches may be even more exposed. This is a shame, because it may hinder the development of mobile services, such as banking. People are increasingly comfortable with using their mobiles for banking, we all know that. According to TowerGroup, 90% of those who tried mobile banking at Bank of America have remained active, with 99% checking balances, 87% looking at transaction history, 10% making funds transfers and 5% paying a bill. But if they begin to read in the newspapers about mobile security being subverted, those numbers will fall.


02/06/2008

NFC, privacy and identity infrastructure

[Dave Birch] I've had a few e-mails from people about this paper by Colin Mulliner, which describes vulnerabilities in NFC implementations using "smart posters". It's the nature of the attacks, rather than the exposure levels, that is worth looking at since, as Colin says,

 

The attacks demonstrated are trivial due to the manufacturer time to market (TTM) obsession, thereby shipping devices with trivial vulnerabilities; in Mulliner’s research they orbit around passive tags, which are mostly abused as vectors for any of the attacks demonstrated.

[From Attacks on NFC mobile phones demonstrated | Zero Day | ZDNet.com]

The attacks fall, broadly, into two categories. There are attacks on the implementation of the NFC tag standard in a current handset -- these remind us of a useful lesson about implementing new standards, but are not that significant in the long run -- and attacks on the way that tags work in the current NFC standards. The problem that Colin has focussed on here is that there is no way of knowing whether a tag is "real" or not: you wave your phone at a Royal Bank of Scotland advert at the train station, but the tag has been tampered with (shielded by a bogus tag, for example) so that your phone is redirected to a web site in Ukraine which looks like RBS but is just going to use your entered username/password to log in to your account for nefarious purposes. Unfortunately, that's the way tags work: a passive tag carries nothing that tells the phone who wrote it, so there is no way of preventing this, and Colin is right to highlight both modifying original tags and replacing them with malicious tags as interesting security questions.

These questions relate to the better understood issue of product vs. provenance in the RFID world and, as we know, one way to solve that problem is by using digital identity: it's just that it's the identity of stuff in question, not the identity of people.
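As an added example (not code from the post or from Mulliner's paper), here is a minimal NDEF Smart Poster encoder and parser in Python. The tag bytes are constructed for illustration: the poster's Title record names a bank while its URI record points at an unrelated host (online-banking.example, a placeholder). The phone acts on the URI record; the title is free text chosen by whoever wrote the tag, which is why a handset should show the host it is about to contact rather than the title:

```python
"""NDEF Smart Poster encoder and parser (added example, constructed data).

Not code from the blog or from Mulliner's paper. The sample tag below is
constructed: its Title record says one thing, its URI record points
elsewhere. A handset acts on the URI record, never on the title."""
import struct
from urllib.parse import urlsplit

TNF_WELL_KNOWN = 0x01
# NFC Forum URI RTD abbreviation codes (subset; 0x00 = no prefix)
URI_PREFIXES = {0x00: "", 0x01: "http://www.", 0x02: "https://www.",
                0x03: "http://", 0x04: "https://"}


def build_record(tnf: int, rtype: bytes, payload: bytes,
                 first: bool, last: bool) -> bytes:
    """One NDEF record: short-record form when the payload fits in one
    length byte, 4-byte payload length otherwise; no ID field."""
    short = len(payload) < 256
    header = ((0x80 if first else 0) | (0x40 if last else 0)
              | (0x10 if short else 0) | tnf)
    length = bytes([len(payload)]) if short else struct.pack(">I", len(payload))
    return bytes([header, len(rtype)]) + length + rtype + payload


def build_smart_poster(title: str, uri: str, lang: str = "en") -> bytes:
    """'Sp' record whose payload is an inner NDEF message holding a Text
    ('T') record and a URI ('U') record."""
    text_payload = bytes([len(lang)]) + lang.encode("ascii") + title.encode("utf-8")
    uri_payload = bytes([0x00]) + uri.encode("utf-8")   # 0x00: full URI follows
    inner = (build_record(TNF_WELL_KNOWN, b"T", text_payload, True, False)
             + build_record(TNF_WELL_KNOWN, b"U", uri_payload, False, True))
    return build_record(TNF_WELL_KNOWN, b"Sp", inner, True, True)


def parse_ndef(message: bytes) -> list:
    """Return [(tnf, type, payload), ...]. Handles short and long records,
    skips the optional ID field, stops at the ME flag, raises on truncation."""
    records, i = [], 0
    while i < len(message):
        header, type_len = message[i], message[i + 1]
        i += 2
        if header & 0x10:                      # SR: 1-byte payload length
            payload_len, i = message[i], i + 1
        else:
            payload_len = struct.unpack(">I", message[i:i + 4])[0]
            i += 4
        id_len = 0
        if header & 0x08:                      # IL: ID length byte present
            id_len, i = message[i], i + 1
        rtype = message[i:i + type_len]
        i += type_len + id_len
        payload = message[i:i + payload_len]
        i += payload_len
        if len(payload) != payload_len:
            raise ValueError("truncated NDEF record")
        records.append((header & 0x07, rtype, payload))
        if header & 0x40:                      # ME: last record in message
            break
    return records


def decode_text(payload: bytes) -> str:
    status = payload[0]                        # bit 7: UTF-16, bits 0-5: lang len
    lang_len = status & 0x3F
    return payload[1 + lang_len:].decode("utf-16" if status & 0x80 else "utf-8")


def decode_uri(payload: bytes) -> str:
    prefix = URI_PREFIXES.get(payload[0])
    if prefix is None:
        raise ValueError("unsupported URI prefix code %#x" % payload[0])
    return prefix + payload[1:].decode("utf-8")


def describe_smart_poster(tag: bytes) -> dict:
    """What a cautious handset should show before acting: the host it will
    actually contact, next to the poster's self-declared title."""
    tnf, rtype, payload = parse_ndef(tag)[0]
    if tnf != TNF_WELL_KNOWN or rtype != b"Sp":
        raise ValueError("not a Smart Poster record")
    title, uri = None, None
    for tnf, rtype, body in parse_ndef(payload):
        if tnf == TNF_WELL_KNOWN and rtype == b"T":
            title = decode_text(body)
        elif tnf == TNF_WELL_KNOWN and rtype == b"U":
            uri = decode_uri(body)
    if uri is None:
        raise ValueError("Smart Poster without a URI record")
    host = urlsplit(uri).hostname or ""
    return {"title": title, "uri": uri, "host": host,
            "prompt": 'Tag "%s" wants to open %s. Continue?' % (title, host)}


# Constructed tag: the title names a bank, the URI does not go to it.
SAMPLE_TAG = build_smart_poster("Royal Bank of Scotland",
                                "http://online-banking.example/login")

if __name__ == "__main__":
    print(describe_smart_poster(SAMPLE_TAG))
```

Parsing cannot tell a genuine tag from a replacement or an overlay, which is the post's point; surfacing the real host before launching the browser at least lets the user apply the judgement they would apply to a link in an e-mail, instead of trusting the poster's own text.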


29/05/2008

Next generation platform

[Dave Birch] With the U.K. newspapers focussing on ID cards again, now that the shortlist of the only suppliers who wanted to be on a shortlist has been announced, I wonder if it isn't time to abandon even talking about ID cards, when the practical implementation of identity for the foreseeable future is going to be centred on mobile phones. Since mobile phones can do a great many things that cards cannot, they provide an obvious means to deliver some useful identity services to both individuals and to organisations. An example would be simple, secure authentication for online services.

 

Forrester Research analyst Bill Nagel claimed that mobile authentication has taken hold in many countries, and that mobile signatures are a "logical extension... Nearly all of the banks and operators we spoke to said that the technology operates flawlessly and that the experiences of customers who use the system are very good," he said.

[From Mobile signatures given the thumbs up - WhatPC?]

This is an attractive vision. The idea of making the Internet more secure sounds promising at first, but it has many negatives as well. If we make the Internet more difficult to connect to and harder to use, we lose the creative dynamic around it. Therefore, it kind of makes sense to leave the Internet cheap, flexible and insecure and kick the security layer off the end of the Internet and into the phones. Phones start off from a more secure base, because they already have tamper-resistant hardware (ie, the SIM) in place and since this hardware is a general-purpose computer, there is plenty more it can do. This idea fits rather well with the identity-as-utility view that we have been putting forward for some time. The mobile phone works perfectly as the "identity gadget", the universal faucet that we will all use to turn identity on and off (emergency stop: bad analogy detected). We're hardly the only people working along this line of thought.

 

From Marco, a great HP paper on Identity-Aware Devices, describing some PoC work HP did with Intel around the Liberty Alliance's Advanced Client specifications.

[From ConnectID: Identity-Aware Devices]

In the HP paper, they talk about "identity-aware devices", which I rather like as a way of thinking about practical solutions. They point out that in order to function in a sophisticated environment (in this case, a federated identity environment) the identity-aware device needs some kind of trusted module that can function as an identity provider. This is exactly how I see the SIM: there's no need to invent anything new, just find a way to get the mobile operators and others to co-operate to implement the kind of ideas that we can all already see are the way forward.


21/02/2008

Biometrics forge ahead

[Dave Birch] I've said before that the introduction of biometrics into the mass market is more about convenience than security, but it seems as if the current U.K. approach is more about inconvenience (not that that's necessarily bad)...

Members of industry body UKinbound say they are continuing to report "severe" drops in demand from travel to Britain from China, India and Russia in particular due to the time and cost of travel to visa centres. Reporting a 2.5% decline in overseas arrivals in December, the organisation said long haul travel to the UK was worst affected, with the new method of visa data collection introduced from last October being of "particular concern".

[From Biometric entry visas hitting tourism to UK-18 February, 2008]

Now, like any other stout English yeoman, I don't really care about foreigners being inconvenienced, but I do care about U.K. plc, which is why the connection between the introduction of biometrics and the fall in visitors caught my eye. What's worse, though, is that the government's approach appears to be to inconvenience stout English yeomen as well. I'm not the only person who has noticed that the biometric iris-scanning system at U.K. airports doesn't seem to work as well as might have been imagined when the plans were being forged in the white heat of new technology:

There were about 40 people waiting to show passports and three people in the iris queue. I was iris-enabled and my colleague was not, so we decided to see who got through faster. No contest - I had not even got into the iris machine before he was waiting on the other side. Iris recognition is a clever idea, but the execution is hopeless.

[From Heathrow iris-scan queues are slower - Times Online]

I lack commitment, so I gave up using the system after it refused to let me into the country (perhaps it can read blog feeds) and therefore I can't say whether it's got better or worse over the last few months, but my guess would be worse because the poor performance might well be related to the size of the database as well as poor implementation.


11/02/2008

Of course, the camera adds 110lbs

Unbelievable but true: I've been to London Fashion Week. And to prove it, here's a video I took at the actual fashion show...


25/10/2007

Gerhard Romen, Nokia

[Dave Birch] Gerhard Romen is Head of Near Field Communication Market Development for Nokia Emerging Business Unit, and is responsible for business development. He is also a representative of Nokia at NFC Forum and the Vice-Chairman of the NFC Forum. In this week's podcast, Gerhard tells how NFC is evolving from a Nokia perspective and we discuss the potential role of the NFC handset as an identity management device.


24/07/2007

Paul Miller, Symantec

[Dave Birch] Paul Miller is the Director of Mobile and Wireless at Symantec and heads the company's mobile client security strategy and delivery as well as the company's overall vision for mobile and wireless. Miller's background in the mobile and security industries spans close to 15 years. Prior to joining Symantec, Miller spent five years at Gemplus leading the identity strategy using mobile infrastructure to combat identity fraud, particularly for the enterprise and financial markets. Miller also spent two years with GTE Cybertrust working on PKI-based identity and mobile commerce and five years with Rainbow Technologies handling the copy protection, license management, and Digital Rights Management product lines. He has served as a Radicchio founding board member, co-chair of Liberty Alliance's mobile business group, chair of Liberty's strong authentication effort and a board member for Global Chipcard Alliance. If mobile phones are going to be central to the digital identity world, as I'm sure they will be, then the security of mobiles is of great importance. In this week's podcast, Paul discusses the state of mobile security and the likely threats.


17/07/2007

Building the utility

[Dave Birch] In his presentation to EEMA, my colleague Neil McEvoy calls for the creation of an identity utility, to be used by government, business and individuals alike. Neil mentions that the NFC-equipped mobile phone could be the critical device to make this a reality, because the mobile phone can act as both the identity provider and the identity consumer. So will there be enough mobile phones, and will enough of them have NFC, to make this a realistic vision? Well, in many countries (eg, the U.K.), mobile penetration is already over 100%. Nokia alone sold 348 million handsets last year. There are nearly half a billion mobile phone users in China. 49 million handsets were shipped in Japan last year. ABI Research forecasts that by 2012, some 292 million handsets (more than 20% of the global mobile handset market) will ship with built-in near-field-communications capabilities.


22/06/2007

Building blocks for the identity utility

[Dave Birch] In his presentation to EEMA, my colleague Neil McEvoy calls for the creation of an identity utility, to be used by government, business and individuals alike. Neil mentions that the NFC-equipped mobile phone could be the critical device to make this a reality, because the mobile phone can act as both the identity provider and the identity consumer. So will there be enough mobile phones, and will enough of them have NFC, to make this a realistic vision? Well, in many countries (eg, the U.K.), mobile penetration is already over 100%. Nokia alone sold 348 million handsets last year. There are nearly half a billion mobile phone users in China. 49 million handsets were shipped in Japan last year. ABI Research forecasts that by 2012, some 292 million handsets (more than 20% of the global mobile handset market) will ship with built-in near-field-communications capabilities.


18/06/2007

Opening authentication

[Dave Birch] A discussion that I was in earlier today reminded me of a point made earlier in the year. I was discussing the idea of using software in mobile phones instead of bank-provided "tokens". It's superficially very attractive, but it needs the operators to get on board. And then service providers, such as banks, may not want to use it because they don't want someone else in between them and their customers. While the mobile phone with a SIM is an excellent repository for phishing-resistant credentials, the fact that the mobile operators control access to the SIM (and often severely restrict that access) turns many people off. On the other hand, if the mobile phone were to be used as part of a standard open authentication scheme -- so that if the operator doesn't play ball, banks (or whoever) would have plenty of choice of alternative tokens -- then that's not so much of a barrier. With the continued progress of OATH (who we've spoken to before) in making interoperable authentication practical, this scenario isn't particularly far-fetched if there's a convenient way of implementing OATH in the phone.
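Here is an added example, not code from the post or from OATH, that makes the point concrete for this post and for "Out of band, out of mind" above. It implements HOTP as specified in RFC 4226 (the OATH algorithm an interoperable phone or token would run; checked against the RFC's own test vectors, which use the ASCII key 12345678901234567890) and, alongside it, a transaction-bound code in the style of OCRA (RFC 6287) whose MAC input includes the payee and amount, so the code cannot confirm a transaction other than the one it was issued for. The exact OCRA data-input layout is not reproduced; the message layout, payee names and amounts are assumptions made for illustration. The tamper scenario at the end is constructed: the user approves one transfer and malware submits a different one with the same code, which is exactly the case where a customer who copies the code without reading the SMS is otherwise unprotected.

```python
"""HOTP (RFC 4226) plus an OCRA-style transaction-bound code.

Added example, not code from the blog or from OATH. The message layout of
transaction_code, and the payee/amount data, are constructed assumptions.
The HOTP key is the RFC 4226 test-vector key so output can be checked."""
import hashlib
import hmac
import struct


def dynamic_truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 section 5.3: take 4 bytes at the offset given by the low
    nibble of the last MAC byte, clear the sign bit, reduce mod 10^digits."""
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24
              | mac[offset + 1] << 16
              | mac[offset + 2] << 8
              | mac[offset + 3])
    return str(binary % 10 ** digits).zfill(digits)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Counter-based OTP: HMAC-SHA-1 over the 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return dynamic_truncate(mac, digits)


def transaction_code(secret: bytes, counter: int, payee: str,
                     amount_pence: int, digits: int = 8) -> str:
    """Code bound to what is being approved: payee and amount are part of
    the MAC input. Layout is an illustration, not the RFC 6287 format."""
    msg = (struct.pack(">Q", counter)
           + payee.encode("utf-8") + b"\x00"
           + struct.pack(">Q", amount_pence))
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return dynamic_truncate(mac, digits)


def verify_plain(secret: bytes, counter: int, code: str) -> bool:
    """Server side for an unbound OTP: only the code itself is checked."""
    return hmac.compare_digest(hotp(secret, counter), code)


def verify_bound(secret: bytes, counter: int, payee: str,
                 amount_pence: int, code: str) -> bool:
    """Server recomputes the code over the transaction it actually
    received, so a substituted payee or amount fails verification."""
    expected = transaction_code(secret, counter, payee, amount_pence)
    return hmac.compare_digest(expected, code)


def tamper_demo() -> dict:
    """Constructed scenario: the user approves 10.00 to 'Alice', but
    malware rewrites the submitted transfer to 1000.00 to 'Mallory' and
    forwards the same code the user typed."""
    secret = b"12345678901234567890"        # RFC 4226 test key
    counter = 7
    shown_payee, shown_amount = "Alice", 1000      # what the user saw
    sent_payee, sent_amount = "Mallory", 100000    # what the server got

    plain = hotp(secret, counter)
    bound = transaction_code(secret, counter, shown_payee, shown_amount)
    return {
        "plain_otp_accepted_after_tamper":
            verify_plain(secret, counter, plain),
        "bound_code_accepted_after_tamper":
            verify_bound(secret, counter, sent_payee, sent_amount, bound),
        "bound_code_accepted_untampered":
            verify_bound(secret, counter, shown_payee, shown_amount, bound),
    }


if __name__ == "__main__":
    print("RFC 4226 counter 0:", hotp(b"12345678901234567890", 0))  # 755224
    print(tamper_demo())
```

The plain HOTP code is accepted whatever the transaction says, which is why a scheme that relies on the customer reading the SMS fails as soon as customers stop reading. The bound code is rejected when the payee or amount differs from what the code was generated over; the customer can still be fooled into approving the wrong thing, but the code they copy cannot be reused to approve something else.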


13/06/2007

The key biometric?

[Dave Birch] When Nick Ogden, the CEO of Voice Pay, said that the use of voice biometric technology will improve security and consumer confidence, making it far safer for shoppers to buy goods and services, he's very probably right. The synergy between the next generation of security (biometrics) and the next generation of cards (phones) is just too overwhelming and, as I've consistently maintained, requires relatively small advances in the technology to deliver significant benefits. The technology applies across both local and remote channels: Voice Pay helps consumers to buy using their mobile phone from a TV or print advertisement instantly or pay for goods in a shop. To use it, buyers simply call the national Voice Pay number and authorize payments over the phone using their voiceprint as a signature. The Voice Pay scheme also offers buyer and retailer additional safeguards such as integrated anti-phishing technology, which "ensures total confidence in the stores that process payments with Voice Pay". Now, the last time a vendor showed one of our clients a system like this, I was genuinely surprised by how good it was: I was initially skeptical whether it would work at all over a mobile phone, but it worked very well. I shouldn't really think of it as a future payment technology at all: ABN AMRO (or ABN Barclays or RBS AMRO or whatever it is by the time you read this blog) is already rolling the technology out to 4 million customers in the Netherlands this year.


28/05/2007

They like a challenge

[Dave Birch] It's a tenuous link to identity, but I thought readers might be curious about an initiative launched by the British government last week. Apparently we have a Minister for Crime Reduction and said minister (Mr. Vernon Coaker) has begun "new moves to break the link between mobile phones and crime" with a workshop where key players from the mobile phone industry -- such as manufacturers, networks, academics and law enforcement -- were challenged to imagine how the multi-functional handsets of the future can be redesigned to be less tempting and less useful to thieves and criminals. Amongst other objectives, the minister wants to know "what can be done to prevent criminals using phones to facilitate crime". There's nothing like aiming high.

My idea (patent pending) is that when you want to make a phone call, you have to punch in your national identity number first. Then, the phone company will check with the government to see if you are a criminal, and if you're not then an IVR will ask you to clearly state whether the call you are going to make is for criminal purposes. If you say "no", you'll get a dial tone. If you say "yes", then you will be sent a text message asking you to proceed to your nearest police station -- during office hours only -- and turn yourself in.


15/05/2007

Dreaming spires, etc

[Dave Birch] I was thinking about my day out at the Forum Oxford conference on Future Technologies, in Oxford. I won't go over all of the presentations since you can go via Forum Oxford to pick them up (and get involved in the discussion) but they did provide food for thought and I appreciate Ajit and Tomi's efforts to create a novel kind of cross-media "watering hole" for those of us kindly referred to as "opinion formers" in their introduction.


20/04/2007

We don't need no stinking NFC phones

[Dave Birch] Over on the Digital Money blog, one of the topics we're obsessed with is the collision between mobile phones and contactless technologies in the form of Near Field Communication (NFC). But in the long run, the use of NFC phones to manage digital identities will probably be more important. I think this is pretty clear to see given the rolling standardisation of the mobile/NFC space and the shape that is taking. This isn't just the standardisation of the NFC interface, but also the mobile environment around it such as the SIM, where the addition of NFC support and a high-speed USB connection to the phone will transform the use of handsets. As I've said before, though, the addition of the NFC interface together with access to that interface through standard interfaces within the phone is genuinely revolutionary. It integrates the handset into its local environment, making the mobile phone a link or pivot between the local and the global. It therefore will have a big role to play in the use of digital identity in the future. The current projections (these change all the time) are that 20% of mobile handsets worldwide will include Near Field Communication (NFC) technology by 2012, according to New York-based ABI Research, and in the digital money world many players are already preparing for that market. Visa, to pick just one example, believes there is a great opportunity to migrate some of the purchases being made by consumers today to the mobile phone. A Visa survey showed 67% of American males between the ages of 18 and 39 would be interested in buying an NFC-enabled phone, while 57% said they would be willing to pay more for an NFC phone than a regular model. If the phone is going to become the average person's wallet, then surely it can function as passport, driving licence and home banking log-in device as well.


18/12/2006

Daniel Appelquist, Vodafone

[Dave Birch] This week's podcast is with Dan Appelquist, a senior technology strategist at Vodafone, talking about digital identity and mobile.


24/11/2006

The national identity phone

[Dave Birch] There was an interesting discussion about biometrics at the Digital Identity Forum and there were some ideas floating around about how biometrics could be used as part of an identity infrastructure in the mass market. Meanwhile, in Japan, DoCoMo's new handsets include the 903i series which come preinstalled with the software required to use DoCoMo's DCMX™ mobile credit card on DoCoMo's iD™ platform (contactless payments), a GPS service that enables a misplaced handset to be located with a PC, biometric authentication (based on fingerprint, face or voice), the Omakase Lock and Data Security Service that enables users who lose their phone to call a 24/7 number and have the phone's smart card and personal data locked immediately, and Original Certificate, which enables user identification certificates issued by service providers such as banks to be downloaded and stored in the handset and used as digital signatures for SSL client authentication. They also come with the ANSHIN-KEY, a special IC-card key carried in a wallet or handbag to automatically lock/unlock the phone depending on the proximity of the key and the phone. My new UK phone came with... well, nothing really. But it has got a much better camera than my old one.
