About The Blog

Debate at the intersection of business, technology and culture in the world of digital identity, both commercial and government, a blog born from the Digital Identity Forum in London and sponsored by Consult Hyperion

License

  • Creative Commons

    Attribution Non-Commercial Share Alike

    This work is licensed under a Creative Commons Attribution - Noncommercial - Share Alike 2.0 UK: England & Wales License.

    Please note that by replying in this Forum you agree to license your comments in the same way. Your comments may be edited and used but will always be attributed.


The future is another (virtual) country

By Dave Birch posted Oct 14 2008 at 5:55 AM
[Dave Birch] In many countries the banks have begun to issue 2FA tokens of one form or another. In some places, such as Singapore, 2FA is already mandatory for home banking, and everyone is used to carrying around their token. In many companies, people use 2FA tokens of one form or another for intranet and VPN access. Authentication is improved tremendously, hurrah. But the "necklace problem" looms. The necklace problem is that if you need half-a-dozen different tokens to log in to your different bank accounts and corporate systems, not to mention government services, then you will have to carry them around your neck or risk not having the right one by your side when you need to do something. Oddly, despite the existence of (for sake of argument) SAML or OpenID, none of the tokens that I have in my possession are in the least bit interoperable. My Barclays token doesn't even help me log in to another U.K. bank, let alone the U.K. government or a corporate site.

There is a problem here, though, and that is that the bank 2FA schemes and devices are not open in any way. This is a bad thing, and not in the sense that I think they will be subject to the hacking of proprietary algorithms (see, for example, MiFare) but because no-one else can use them, even if they wanted to. Since I work for a company that banks with Barclays, surely they could sell us a service whereby we could use Barclays PINsentry devices to log in to our corporate network (for applications that don't need particularly high levels of security). If banks have to spend money fixing the authentication problem for themselves then, as I have droned on about endlessly, why don't they switch authentication from being a cost centre to a profit centre? Make it a service that other people will buy.

When I made the offhand prediction that people would begin to use 2FA in virtual worlds before they use it for actual banking, it was because of the observation that if hackers steal my money then Barclays will give it back to me but if hackers steal my +5 Vorpal Sword ("The Equalizer") Blizzard won't. Therefore, logically, it makes more sense for me to invest time and effort in 2FA login for World of Warcraft than for World of Barclays. All of this goes to say why I was so interested to see the announcement from Blizzard that they will begin offering 2FA for World of Warcraft using a $6.50 device called the Blizzard Authenticator...

The Blizzard Authenticator is an optional tool that offers World of Warcraft players an additional layer of security to help prevent unauthorized account access. The Authenticator itself is a physical “token” device that fits easily on a keyring.

[From Blizzard Support]

I've no idea whether this particular product will succeed -- speaking personally, I would much rather use a token like this for 2FA OpenID authentication rather than "silo" 2FA authentication, so that I can use the same token to log in to all sorts of places -- but it's worth studying. Incidentally, in these modern times it seems a little odd to be issuing custom security hardware to people who already have a mobile phone, so I would expect to see the next generation 2FA vanish into mobile phones as well as using something like OpenID. Oh, wait a minute...

JanRain and Positive Networks have developed a phone-based, two-factor authentication solution specifically designed to support users of myOpenID.

[From JanRain » Blog Archive » Phone-based Two-Factor Authentication Now Available for OpenID]

You can see how this might work in the future. I go to log in to my bank / local council / VPN and I'm presented with an OpenID screen. I enter my mobile phone number, which is my operator-based OpenID. A message pops up on my phone, I authenticate with a password and off we go. No necklace, no proprietary devices, no new protocols to use. Most people wouldn't even be aware that their mobile phone number is actually being used as an OpenID in this scenario, so there'd be no need to explain it to them. Another benefit!

These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public [posted with ecto]

Comments

Are you aware of VeriSign's Identity Protection service (VIP), which uses a shared authentication network so that 2FA tokens can be shared across many websites and online services? I use my token I got from PayPal, also at eBay, also at my OpenID provider's site, Plaxo, etc. There are also a number of financial institutions that use VIP.
See http://www.verisign.com.au/authentication/consumer-authentication/

Must put my cards on the table here and say that I am a VeriSign employee. The last post is right in that our VIP network does do what you are suggesting, Dave, and for those reading this in the UK, the first two customers (a financial organisation and an ecommerce site) will be live in November of this year.

The "Shared Authentication network" is already live across 32 companies around the world, but it really is a country by country rollout so I would expect to see shortly other companies come on board in the UK in a similar fashion that we have seen in other countries where the network is established.

Thanks

Mike

[Dave Birch] Thanks for that Mike.
