Know 2019 Vegas

Well, Know 2019 in Las Vegas was great. Having attended the One World Identity (OWI) “KnowID” Washington events, it was exciting to see them grow and relocate to Las Vegas!

The event began with an “Education Day” on the Sunday preceding the main event. Consult Hyperion ran a couple of the sessions and we were taken aback at the turnout – standing room only in the session discussing the digital identity of people, companies and things that we presented with Mastercard and PaymentWorks (the hotel staff had to bring in three stacks of chairs during the talk!) and while we’d like to think that this is solely a reflection of Consult Hyperion’s leading position in the industry, we took it as a reflection of the increasing importance of digital identity across corporate strategies in a range of sectors.

As most of our clients are in the financial services sector, we naturally paid most attention to the presentations and discussions around digital identity in banking and finance. Mastercard chose the event to drive a stake into the ground around digital identity, with the launch of their paper on the topic, “Restoring Trust in a Digital World”. This presented a framework of how digital identity will work, putting the individual at the heart of every digital interaction. Mastercard’s commitment to the sector reinforced many peoples’ view that digital identity has gone up the priority list to become a matter of immediate concern for financial institutions, regulators and customers. The scale of identity theft and fraud on the one hand and the costs of patchwork digitised identity solutions on the other hand may not the pressure for real change is growing.

Outside the financial sector, I particularly enjoyed the keynote on the third day from Colleen Manaher from the US Customs and Border Control. She was talking about the use of biometrics and spent some of the time talking about the specific use of biometrics in airports as an interesting example of how to use biometric technologies for security but at the same time deliver convenience into the mass market.

The point of her talk, was partnerships around identity. In this case, she was talking about quite complex public-private partnerships in travel. The investments made in biometrics to allow paperless travel have obvious benefits in terms of security but, as we have found in our other work about the cross-sector exploitation of digital identity, intelligent use of these new capabilities can also transform the customer experience. The same biometric system that scans your passport picture on entry to the airport and then checks you in for your flight can also be used to direct you through the airport and implement smart departure boards that as you approach them switch from displaying a list of all flights to displaying your flight only.

The use of digital identity, as a means to provide what looks like convenience to the man in the street but under the hood provides much higher levels of security than are currently obtained through the use of physical documents and manual checking opens up new possibilities and set me thinking about how to replicate this dynamic, in other sectors. An obvious example of this back in financial services is for the kind of digital ID called for by Mark Carney, the governor of the Bank of England, which would result in significant cost savings around the K YC and AML for the banks but should at the same time mean that customers can connect securely and quickly to their financial services providers.

We were sad to leave Las Vegas after such a great event but I can assure you that we’ll be back there again next year for Know2020.

Loosely-coupled MaaS payments

I was a panellist discussing the barriers to mobility as a service (MaaS) at the Transport Ticketing Global (TTG19) conference in London in January. In fact, many of the presentations over the two-day conference were about MaaS and reasons why it is proving very hard to deliver. Perhaps one of the most mature MaaS offerings is the one from MaaS Global branded as ‘Whim’ which launched in the UK in the West Midlands but, by their own admission, has struggled to gain a foothold.

Until recently, MaaS providers have avoided London. We have seen some excellent journey planning apps exploiting Transport for London’s (TfL)  open APIs, but nobody was going that extra mile and actually proving a complete MaaS solution in a single app that allow both planning journeys together with payment and ticketing (i.e. proving authority to travel when entering the transit network). TfL has been very clear that they will not provide any cut of the fares to MaaS providers, so they will have to find other ways to make a profit.

So, the announcement from CityMapper that they are about to launch a MaaS solution in London surely doesn’t make any sense? Given the above barriers to MaaS and the high complexity of London’s public transport network, why on earth would you start there?

The answer is payments and identity, two of our favourite topics. These are services needed in order to offer account-based ticketing (ABT) and ABT is a corner-stone of MaaS. Passengers need to identify themselves to their customer account so that their journey charges can be calculated. Payment for the journeys needs to be handled in a way that is suitable to the particular customer.

One of the barriers I suggested on the TTG19 panel is that payment and identity are too ‘closely coupled’ in modern account-based ticketing offerings. I am old enough to remember the emergence of service oriented architectures in the ‘noughties’. The idea was that by ensuring services are ‘loosely coupled’, they can freely evolve without affecting consumers or implementations. I argued that if everyone rushes to implement the open-loop payment models with the payment networks like TfL has done, then we will be left with fare collection services that are highly dependent on the payment schemes and constrained from evolution. The identifier the passenger uses at the gate is their bank card (or its emulation on mobile or wearable devices). This identifies them to their ABT travel account but it also identifies their means of payment. Some would say this is convenient, I am suggesting it is too closely coupled and will stifle innovation.

Open banking APIs are a subject close to our hearts at the moment. The APIs are very new and they seem not to be thinking about transit payments at this stage. However, one could imagine that there could be future open banking APIs that would allow passengers to consent to transit payments from their bank to their MaaS provider without the need for the payment networks in between. I expect this will be subject of future blogs or white papers from Chyp.

The reason CityMapper is launching in London is that all the public transport modes accept open-loop payments and the CityMapper solution to payments and identity is to provide their MaaS customers with a Mastercard-branded prepaid card, ‘Pass’. CityMapper will offer a subscription model at a discount on TfL prices and any travel on TfL modes outside of this will simply use the prepaid bank card like any other.

This works for all London public transport modes, but there are very few other cities that have committed so totally to the open-loop models. It will be interesting to see whether CityMapper can make a profit and if they do, whether they can replicate it outside of London. Right now, it looks like they are using investment funding and planning on taking a loss to start with since they are offering to undercut the TfL fares and as stated above TfL has said they will not offer discounts to Maas providers. Or perhaps city mapper is planning on selling advertising space or plans to sell anonymised travel data to make up the shortfall? Only time will tell.

Meanwhile, may all your transit tokens be loosely coupled and your payment instruments plentiful.

 

Why can’t I use Apple Pay for everything online?

Pottering around on Twitter, I noticed an interesting question:

Why can’t I use Apple Pay for everything online? Shouldn’t there be some way for me to hold my phone up to the screen when I get to an order page online and scan a QR code and hold my thumbprint or something? — Joe Weisenthal (@TheStalwart) January 2, 2019

Joe has a point. Apple Pay is far more secure, and far more convenient, than messing around typing card numbers in to web pages as we did back in 1998. And globally, merchants lose some $20-$30 billion per annum in card-not-present fraud, so why aren’t we using our (secure) mobile payment systems to pay for things we buy on the (insecure) web already?

Well, first of all you can use Apple Pay to pay for things on the web but only if you are using Safari and only if the merchant has implemented Apple Pay. The merchants, however, don’t want to implement a solution that only works for a small proportion of their customers (ie, people who use iPhone, Safari on the web and have Apple Pay configured correctly). Merchants would prefer a more universal solution such as W3C or SRC.

Change, however, may be just around the corner.

Barclays Equity Research put out an interesting note on payments in November. Called “Sleepwalking into 3DS2.0 and PSD2”, it kicks off by saying that “the mandated 3-D Secure 2.0 and the requirement for two-factor Secure Customer Authentication (SCA) are around the corner, but the industry does not seem ready for this major change in transaction processing protocols”.

Well, quite. I’m glad to see they agree with our decision to make SCA the highest priority of our “Live 5” areas for our clients to focus on in the coming year.

In this note, Barclays say that an unintended consequence of PSD2 will be a better e-commerce experience on mobile, where biometrics are a convenience technology, rather than the desktop, and this should benefit digital wallets (again as we note in our Live 5). In the store too, mobile may have the advantage. Contactless payments will require a PIN entry every five transactions or €150 (depending which the issuer mandates), unless an online transaction in the interim authenticates the card and restarts the counter.

However, an Apple Pay or Google Pay mobile transaction would be authenticated every time and because of CDCVM, can ignore the contactless limit (currently £30 in the UK). While a card is arguably marginally easier than mobile wallets today for contactless, this may be enough to shift the advantage to mobile. 

Thus, the future of secure retail transactions will converge on the smartphone, irrespective of whether those transactions are physical or virtual.

Consult Hyperion’s Live 5 for 2019

It’s that time of year again. I’ve had a chat with my colleagues at Consult Hyperion, gone back over my notes from the year’s events, taken a look at our most interesting projects around the world and brought together our “live five” for 2019.  Now, as in previous years, I don’t expect you to pay any attention to our prognostications without first reviewing our previous attempts, otherwise you won’t have any basis for taking us seriously! So, let’s begin by looking back over the past year and then we’ll take a shot at the future.

Goodbye 2018

As we start to wind down 2018, let’s see how we did…

  1. 1. Open Banking. Well, it was hardly a tough call and we were bang on with this one. We’ve been working on open banking projects in the UK, on the continent and beyond. What seems to be an obviously European issue, is of course a global one and we’ve been helping the global payment brands understand the opportunities. Helping existing market participants and new market entrants to develop and implement responses to open banking has turned out to be intellectually challenging and complex, and we continue to build our expertise in the field. Planning for the unintended consequences of open banking and the potentially un-level playing field that’s been created by the asymmetry of data, was not the obvious angle of opportunity for traditional tier one banks.

  2. 2. Conversational Transactions. Yes, we were spot on with this one and not only in financial services. Many organisations are shifting to messaging channels for customer support and for transactions, in both the banking and retail sectors. The opportunity for this continues with the advancements of new messaging enablers, such as the GSMA backed RCS. But as new channels for support and service are introduced to the customer experience, so are new points of vulnerability.

  3. 3. The Internet of Cars. This is evolving although the security concerns that we spoke about before, continue to add friction to the development of new products and services in this area. Vulnerabilities to card payments or building entry systems are security threats, vulnerabilities to connected or autonomous vehicles are potentially public safety threats.

  4. 4. Artificial Intelligence. Again, this was an easy prediction because many of our clients were already active. Where we did add to thinking this past year, it was about the interactive landscape of the future (i.e. bots interacting with bots) and how the identity infrastructure needs to evolve to support this.

  5. 5. Tokens/ICOs. Well, we were right to highlight the importance of “tokens” (the basis of Initial Coin Offerings, or ICOs) and our prediction that once the craziness is out of the way, then regulated token markets will become significant looks to be borne out by mainstream commentary. At Money2020 Asia in Singapore, I had the privilege of interviewing Jonathan Larsen, Corporate Venture Capital Manager at Ping An and CEO of their Global Voyager Fund (which has a $billion or so under management). When I put to him that the tokenisation of assets will be a revolution, he said that “tokenisation is a really massive trend… a much bigger story than cryptocurrencies, initial coin offerings (ICOs), and even blockchain”.

As we said, 2018 has seen disruption because the shift to open banking, starting in the UK,has meant the reshaping of financial services while at the same time the advance of AI into the transaction flow (transactions of all types, from buying a train ticket to selling corporate bonds) begins to reshape the way we do business.

Hello 2019

This year we are organising our “live five” in a slightly different way, listing them by priority to our clients rather than as a simple list. So here are the four key technologies that we think will be hot throughout the coming year together with the new technology that we are looking at out of the corner of our eyes, so to speak. The mainstream technologies are authentication,cross-sector digital identity, digital wallets for ticketing and secure IoT in the insurance sector. The one coming up on the outside is post-quantum cryptography.


So here we go…


  1. 1. With our financial services customers we are moving from developing strategies about open banking to developing implementation plans and supporting the development of new systems and services. The most important technology at the customer interface from the secure transactions perspective is going to be the technology of Strong Customer Authentication (SCA). Understanding the rules around which transactions need SCA or not is complicated enough, and that’s before you even start working out which technologies have the right balance of security and convenience for the relevant customer journeys. Luckily, we know how to help on both counts!

As it happens, better authentication technology is going to make life easier for clients in a number of ways, not only because of PSD2. We are already planning 3D Secure v2 (3DSv2) and Secure Remote Commerce (SRC) implementations for customers. Preventing “authentication friction” (using e.g. FIDO) is central to the new customer journeys.

  1. 2. Forward thinking jurisdictions such as Canada and Australia have already started to deliver cross-sector digital identity (where in both cases we’ve been advising stakeholders). New technologies such as machine learning, shared ledgers and self-sovereign identity, if implemented correctly, will start to address the real issues and improvements in know your customer (KYC), anti-money laundering (AML), counter-terrorist financing (CTF) and the management of a politically-exposed person (PEP).  The skewed cost-benefit around regtech and the friction that flawed digitised identity systems cause, mean that there is considerable pressure to shift the balance and in the coming year I think more organisations around the world will look at models adopted and take action.

  1. 3. In our work on ticketing around the world, we see a renewed focus on the deployment of real digital wallets. Transit and other forms of ticketing (such as for sporting events) are the effective anchor tenants of the digital wallet, not payments. In the UK and in some other countries there has been little traction for the smartphone digital wallet because of the effectiveness of the deployment and use of contactless cards. If you look in your real wallets, most of what your find isn’t really about payments. In our markets, payments alone do not drive consumers to digital wallets, but take-up might be about to accelerate. It’s one thing to have xPay put cards into a digital wallet but putting your train tickets, your sports rights and your concert passes into a digital wallet makes all the difference to take-up and means serious traction. Our expertise in using the digital wallets for applications beyond payments will give our clients confidence in setting their strategies.

  2. 4. In the insurance world we see the business cases building around the Internet of Things (IoT). The recent landmark decision of John Hancock, one of the oldest and largest North American life insurers, to stop selling traditional life insurance and instead sell only “interactive” policies that track fitness and health data through wearable devices and smartphones is a significant step both in terms of business model and security infrastructure. We think more organisations in the insurance sector will develop similar new services.  Securing IoT systems becomes a priority. Fortunately, our very structured risk analysis for IoT and considerable experience in the practical assessment of countermeasures, deliver a cost-effective approach.

  3. 5. In our core field of security, we think it’s time to start taking post-quantum cryptography (PQC) seriously not as a research topic but as a strategic imperative around the development and deployment of new transaction systems. As many of you will know, Consult Hyperion’s reputation has been founded on the mass-market deployments of new transactions systems and services and this means we understand the long-term planning of secure platforms. We’re proud to say that we have helped to develop the security infrastructure for services ranging from the Hong Kong smart identity card, to the Euroclear settlement system and from contactless payments to open loop ticketing in major cities. Systems going into service now may well find themselves overlapping with the first practical quantum computer systems that render certain kinds of cryptography worthless, so it’s time to add PQC to strategies for the mass market.

And there you have it! Consult Hyperion’s Live 5 for 2019. Brexit does not mean the end of SCA in the UK (since PSD2 has already been transcribed into UK law) and SCA means that secure digital identities can support transactions conducted from digital wallets, and those digital wallets will contain things other than payment instruments. They might also start to store transit tickets or your right to travel, health and fitness data for your insurance company. Oh, and all of that data will end up in the public sphere unless the organisations charged with protecting it start thinking about post-quantum cryptography or,as Adi Shamir (one of the inventors of public key cryptography) said five years ago, post-cryptographysecurity.

Cyber Monday is here – and SRC is on its way

With estimates of the sales over the Black Friday weekend in excess of £7bn in the UK and $90bn in the USA, retailers are currently focused on getting shoppers into their stores and through their checkouts as seamlessly as possible. As was apparent at last week’s US Payments Forum, the last part of that process, payment, is probably the one area that the retailer believes it has the least control over. Online the problem is even greater; consumers have a variety of ways to authenticate themselves to their bank and to their retailer, many of which leave something to be desired.

75% of sales on Black Friday are online and Cyber Monday is set to be the biggest yet. Many of these online sales depend on consumers having to manually enter card details, or log-in using dimly remembered passwords. Those who are not blessed with the memory of an elephant may have to undergo password reset processes that can involve checking rarely used email addresses or having to remember the incorrect spelling of their answers to a wide variety of questions about their past history. Having apparently completed the process, the percentage of remote transactions that are then declined by the Issuer is around 10 times greater than those completed in the store. Not all these declines will be valid, with legitimate customers being turned away in the name of fraud prevention. Even so  millions of pounds of the approved transactions in the UK alone will still turn out to be fraudulent, further undermining the trust of the merchant and consumer alike.

Isn’t it strange that we live in a world where there is significant growth in online sales, but the mechanisms used to pay for those purchases are more cumbersome, less secure and less reliable than those used to buy on the high street? The good news is that the Payment Brands think that this is strange too and have a plan to fix it!

Earlier this month they published a draft version of their Secure Remote Commerce specification, which outlines an approach to promote security and interoperability within the card payment experience in a remote payment environment. The specification is currently out for public consultation. The Payment Brands are looking for feedback from those organizations which will deliver, interact with or use such solutions. (I know a few people who have read them and can help you to shape your reply if you are interested.) We may not see commercial solutions deployed in time for next year’s Black Friday event – these things take time. However they do offer the potential for interoperable payment solutions, with common authentication processes and levels of data security similar to those currently experienced on the high street.

In the short term, I really need to update the TV. So, in preparation for a flurry of holiday season internet shopping, I have cleared funds on my payment cards, cleaned the fingerprint readers on my tablets, found my long paper list of passwords and a similar list of answers to security questions. However, I can’t remember; was my first dog called Fido or Fenton?

Securing Payments in a Post-EMV Chip World

Now that the US has (finally) migrated from magnetic stripe to chip payments, and signature will soon be going too, the time has come to think about where the fraud will go next. This was the topic of a great discussion at Money 20/20 involving amongst others EMVCo, Capital One and USAA.

Obviously the first place fraud will jump to will be card-not-present transactions such as e-commerce. This is well understood by those of us who went through the EMV chip migration over a decade ago. Brian Byrne outlined the various initiatives in EMVCo to secure these transactions – Tokenisation, 3DS 2.0 (with live solutions being imminent) and SRC (which is open for public comment).

Increasingly though it’s an identity problem. Identity theft and synthetic identities are being used to attack payments in a number of ways.

Because EMV chip cards are much harder to counterfeit than magnetic stripe cards, fraudsters instead will try to get their hands on genuine cards. This could be through opening a fraudulent account or by taking over an account and ordering a replacement card.

Identity fraud will be a big issue in faster payments too, with a need for good authentication on both ends of the transaction.

Synthetic identities are a particular challenge. Detecting them is tough, spotting the subtle clues that indicate that an identity record which looks legitimate has actually be cultivated over time by a fraudster. And this is big business, with criminals using the latest machine learning and ready access to data (thanks to all of those breaches) to launch well organised attacks at scale.

In the following session, Professor Pedro Domingos (author of “The Master Algorithm”) gave the great quote “if you try to fight machine learning with code you are doomed”. But it is not simply a case of implementing machine learning. As the Prof explained, the characteristics of fraud are constantly changing so any machine learning system will need to be constantly tuned and re-trained to keep up.

Definitely a case of whack-a-mole.

Money 20/20 – Digital Identity Day

 

Where better to spend a day talking about digital identity than the Venetian in Vegas with its rather synthetic identity.

In giving the topic a full day track, the Money 20/20 organisers have recognised the increasing importance of the topic. However it is a topic that is not straightforward. Andrew Nash from Capital One was right when he said everyone has a different definition of identity. It’s a bit ironic – identity doesn’t have an identity. Here are three questions to summarise what we heard:

Is digital identity just about KYC or the broader sharing of personal data?

There is clearly still a lot of pain with KYC. Idemia explained how in the US, with its fragmented environment, doing basic things creating digital drivers licences that can be used across the country is hard.

But there is shift of focus from the narrow KYC problem towards the broader issue helping people to make their personal data portable in a way that removes friction – the “F” word of Identity, as Neil Chapman from Forgerock put it. 

Filip Verley from Airbnb made a useful bridge between these two aspects. It is no surprise that reputation is fundamental to the Airbnb platform. Reputation is the where the value is – Airbnb users don’t care what the name of a renter is but they do want to know they are reputable. But for that to work well that reputation needs to be anchored to the real identity that Airbnb has checked – i.e. their KYC.

Who is digital identity for – the person or the organisation?

Quite rightly there is now widespread acceptance that digital identity needs to be person centric. As well as the privacy point, there are practical reasons why it makes sense to put the person at the centre. For example, the person is in the best place to say which of the residential addresses associated with them is the one where they are actually living.

This is not the same as saying people own their identity. The organisations that provide services to people also have a stake in digital identity too. That’s why in Canada, as Joni Brennan explained, stakeholders across the economy are collaborating through the DIACC to address a need that is bigger than any one of them.

(Bianca Lopes, Joni Brennan and I talking about Digital Identity in Canada)

What will enable interoperable digital identities?

Unsurprisingly there was good representation from the DLT / blockchain crowd including Civic and Shyft. Heather Vescent gave a great overview of the standardisation work around Decentralised Identifiers (DIDs) and the desire of that community to create a new identity layer on the internet – perhaps an 8th “user” layer on top of the OSI 7-layered model of old. Whilst this work is being done through W3C it is still early days.

In contrast, FIDO2 is now a candidate recommendation in W3C and is already supported by Chrome 70 for Android (released last week) meaning that ubiquitous strong device based authentication (which includes biometrics) should not be far off. It’s great to see an initiative that, after a lot of hard work, looks like its about to become mainstream providing a real step forwards towards a more secure digital world.

 

 

What is the Impact of Digital Identity on a National Economy?

According to research just published by the Digital ID & Authentication Council of Canada (DIACC) with Consult Hyperion’s support, the potential value of trusted digital identity to the Canadian economy is at least 1% of Canada’s GDP, or CAD $15 billion.
 
Those of us who have recently been asked to provide copies of our passport and gas bill when opening a new bank account or taking out a new mobile phone contract, understand the lengths that organizations go through to incorporate old world identity processes into their new digital services. DIACC’s research paper highlights how the savings delivered by a robust digital identity ecosystem arises through reducing friction and increasing trust for governments, businesses and citizens alike.
 
One of the DIACC’s objectives is to drive the development of a digital identification and authentication trust framework to enable Canada’s full and secure participation in the global digital economy. When published, this framework will provide a common lexicon and guidelines for all the stakeholders within the digital identity community in Canada. It will allow each party to understand the roles and responsibilities of all parties in the ecosystem, while also allowing buyers of those systems to understand where a vendor’s solution competes with or complements, another.
 
In a market as dynamic and collaborative as Canada this is important.
 
Once a robust digital identity ecosystem is enabled and new solutions are introduced to the market by service providers, how will that impact the economy? DIACC’s research indicates, it will drive the adoption and use of digital services as it will make it easier for consumers to sign up for and access online services, provide the ability to obtain informed consent, and streamline the processes across a variety of industries such as government, healthcare, financial services, and eCommerce.
 
The research Consult Hyperion undertook with DIACC has shown the direct correlation between robust digital identity and economic benefit. Delivering a nation-wide solution will require both creativity and stamina. Lead applications must prove the benefits of digital identity. Service providers need to identify and root out inefficiencies in existing services. New digital business models will need digital identity to create fully digital user journeys. Everyone needs to work together to accelerate adoption and drive critical mass.
 
There will also be cost of doing nothing – marginalised parts of society continue to struggle to access important services, small businesses will face continued bureaucracy in an increasing digital world and criminals will continue to exploit the systemic gaps that exist in many digital services today.
 
Working with the Canadian community to explore the benefits of digital identity in numerous places across the economy has been fascinating. As payments and identity technology people, we know that tools and technology already exist to deliver wide scale digital identity.
 
The collaboration already evident in Canada is striking and something Consult Hyperion, are excited to be part of. Chat with us further at the IdentityNorth event taking place June 19-20, in Toronto.
 
http://www.identitynorth.ca/

Password security

The publication by NIST of an updated version of its digital identity guidelines marks a significant change in its approach to identity management. It highlights the importance of implementing digital identity in context, with three different elements replacing the previously monolithic Level of Assurance. These Levels are the Identity Assurance Level for identity proofing, the Authenticator Assurance Level for authentication and the Federation Assurance Level for use in a federated environment. Criteria for each Assurance type run from Level 1 to Level 3. This is intended to provide greater flexibility in implementation, for example combining pseudonymity with strong authentication for privacy purposes. Although optional, federation is positively encouraged for reasons of user experience, cost and privacy.

Risk management features prominently in the guidelines, with risk assessments used to determine appropriate identity choices according to system requirements. Although the requirements are technology agnostic, they are prescriptive regarding the assurance levels required for particular purposes. One area in which the guidelines are particularly refreshing is in their approach to passwords. Drawing on research into passwords exposed during data breaches, the use of unwieldy complexity rules is discouraged. Instead, it is suggested that users should be allowed to make passwords as long as they wish, encouraging the use of pass phrases and excluding very short passwords.

Faced with restrictive rules, many users will select predictable passwords which just meet the system requirements but are easily guessed. It is suggested that passwords should be checked against a blacklist of obvious choices and known compromised passwords, to filter these out. Randomly-generated secrets are therefore preferred to user-generated secrets.

The guidelines also highlight the importance of usability, supporting the use of password managers and only requiring passwords to be changed when there is evidence of compromise. There is some flexibility regarding displaying passwords on screen, depending on the context. In order to maintain an adequate level of security, a mechanism for limiting the number of possible failed authentication attempts is required.

This new, more person-centric approach from NIST follows on from UK government guidance published by GCHQ in 2016, advising ‘dramatic simplification’ of password management policies. This guidance also focused on achieving security by implementing processes which are easier for people to follow and therefore less susceptible to being undermined by users attempting to take short cuts through the system.

CHYP’s involvement in research has highlighted for us the difference between the way people say they behave and how they actually behave online. This kind of performativity may take the form of people describing how careful they are online (perhaps repeating recent official advice), while doing something conflicting on screen even as they are speaking. A similar effect can be seen when comparing figures produced from a user survey by the Gambling Commission, to usage statistics reported by gambling companies. The companies are able to draw statistics directly from their systems, while the survey figures are composed of gamblers’ reporting of their own behaviour. These discrepancies highlight the importance of observation when developing policies based on user behaviour.

It is encouraging to see a more effective approach to combination of privacy, security and usability in Identity Management being promoted at the highest levels. Even in local hospitals, it is now common to see screens showing simply ‘tap your pass or enter your passphrase’, where previously unpredictable processes were in place. Organisations such as FIDO have done a great deal to promote standardisation.

For a standalone organisation to adopt the new NIST rules would seem both positive and achieveable. They are in any case intended to be used within the US government. However, where organisations are already working in partnership and have existing legacy agreements regarding security requirements, it may be necessary to revisit these and agree a new set of password rules to replace existing, outdated approaches. Standardisation and education can go a long way towards supporting this process, although for larger organisations and those with multiple partners, it may take longer.

Publications such as ‘Why Johnny can’t encrypt’ and ‘Users are not the enemy’ have long been recognised for highlighting enduring issues with implementing security software. While education is important, attempts to fundamentally change people will inevitably fail, resulting in escalating support costs and unpredictable security risks. People are simply not equipped to adjust that quickly. In comparison, machines are generally designed by people and comparatively easily modified. Even with the advent of AI, machines are likely to remain reasonably malleable.

Where most user interaction involves people and machines, security tends also to involve mathematics. The NIST guidelines prescribe the use of appropriate cryptography at every stage. This is essential to securing the system but does not of itself guarantee that the system will remain secure. Appropriate system design and implementation are crucial to ensuring secure operations. This is exemplified by the recent flaw discovered in the WPA2 WiFi protocol. A mathematical proof is available for the security of the protocol but there is a vulnerability in the key management, which is not covered by the proof.

As in any system, a mathematical proof has to be ‘situated’ to be useful. Effective risk modelling will take into account the wider context of the system, focusing in on the most critical areas for greater attention. This process may have to be revisited over time, as the surrounding environment evolves. The increasing interconnectedness of the Internet of Things will require greater attention to disconnection technologies to preserve system integrity over time.

Identity in Vegas

Identity, authentication and authorisation are amongst the hottest of hot topics in our world right now. Even if we put Apple and it’s new face recognition technology to one side, there’s no shortage of excitement at the intersection of biometrics and electronic transactions. Remember this from earlier in the year?

A UK supermarket has become the first in the world to let shoppers pay for groceries using just the veins in their fingertips.

From British supermarket offers ‘finger vein’ payment in worldwide first

As I wrote at the time, this came only a few weeks after people forwarded me a link from to Time Out, calling attention to a new payment mechanism using a new biometric identification technology to effect retail payments in a new way. The system, called Fingopay, uses a scanner at POS to recognise customers in pubs and bars by the pattern of veins in their finger and then charges a linked payment account. I did remark on the overuse of “new”, as the first time that Consult Hyperion blogged about this technology was more than a decade ago,  talking about mass market uses of biometrics and looking in the particular case study of Japanese banking, and it wasn’t new then! The technology has reappeared as a “new” solution to these same problems a great many times since then. It seems like every couple of years or so some stories about this new technology and new way to pay reappear. For example…

The BBC were kind enough to invite me on to their lunchtime “You and Yours” magazine programme to discuss this innovation. I think they were a tiny bit surprised, to be honest, when I told them that the technology was eight years old! I also told them, in the spirit of openness and integrity that is associated with the good name of Consult Hyperion throughout the civilised world, that we had been retained by Hitachi some years ago to carry out a study on the security of this product and its suitability for certain financial services applications.

From We’ll be giving Barclays the finger next year | Consult Hyperion

The truth is that the idea of using fingers instead of cards goes back a long way (I can remember Piggly Wiggly exploring it in 2004) and reappears with regularity. So what’s different this time? Well, for one thing, we now have open banking. With strong customer authentication (SCA), risk-based authentication at POS and standard APIs for third-party access to accounts, retailers and other will soon be able to process payments themselves by obtaining payment institution (PI) licences and obtaining consumer consent for access to their bank accounts. Thus, putting your finger on a reader in store and having the retailer instruct an immediate instant payment transfer from your account to the retailer account looks like a more promising model this time around.

It’s the combination of technology (convenient biometric authentication), business (non-bank third party services) and regulation (open access) that means that the payments world is going to see more change in this space in the next year than in the previous ten. Almost every payment conference in that decade has highlighted the “identity problem” yet no-one was going anything about it. Now we have mass market solutions just around the corner.

Anyway, all of this is a roundabout way of saying how excited I am to be chairing the Money2020 workshop “Identity is Fundamental” in Las Vegas next week. We’re going to be talking about the latest trends in identification technology, authentication in the mass market and much more. And we have a detailed case study from Canada, as we have Toronto Dominion and SecureKey talking about the Canadian banks’ ambitious project to fix the identity problem with, amongst other things, the blockchain. You’d be mad to miss it, so look forward to seeing you in the Titian Room on Level 2 of the Venetian next Wednesday at 8.30am. Oh, and if you want to say hi to me or any of the Consult Hyperion team in Las Vegas next week, just email, tweet or message me on LinkedIn.


Subscribe to our newsletter

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

By accepting the Terms, you consent to Consult Hyperion communicating with you regarding our events, reports and services through our regular newsletter. You can unsubscribe anytime through our newsletters or by emailing us.