Identity and authorisation
Scooped by Pierce Buckley

How to Devise Passwords That Drive Hackers Away


From the article: "It’s a good idea to be a little paranoid about password theft, and there are several ways to strengthen your defenses."

Pierce Buckley's insight:

The suggestions in this article to protect yourself from online identity thieves and other threats are, as these things go, pretty sensible. But the fact that we have to recommend to people to take such extraordinary precautions just shows how broken our authentication processes are.

We simply have to do better than this!


German privacy regulator orders Facebook to end its real name policy

A German privacy regulator ordered Facebook to stop enforcing its real name policy because it violates a German law that gives users the right to use nicknames online.
Pierce Buckley's insight:

Go Germany! Facebook does not need anyone's name to allow sharing of content and interaction.

The idea that the name is somehow relevant to security is well known to be ridiculous. Indeed, Facebook and other companies demanding that you give and verify your name are just increasing the risk of significant damage due to identity theft.

Mobile Security Specialist adds Voice Biometric-based Authentication, Responding to Demand from Financial Services Co.s | Opus Research

Momentum toward making voice biometrics a routine part of mobile authentication is accelerating, as mobile security specialist InAuth adds a Voice Biometrics Authentication Module to its mobile SDK.

New FIDO Alliance pushing 'fast-identity' strong authentication protocol

Client/server Online Security Transaction Protocol intended for flexible multi-factor authentication
Pierce Buckley's insight:

The FIDO Alliance is young and has a pretty significant aim: to standardise how authentication mechanisms (knowledge-based challenges like passwords, device information and biometrics) can be used for Fast IDentification Online. Ultimately this could remove the need for separate password-based mechanisms for each online service that you use.

Notable founding and early members are PayPal, Lenovo and Infineon.

According to the website: "The FIDO Alliance is a California Mutual Benefit Non-Profit corporation".

The approach to producing the standard is a bit curious:

"The FIDO Alliance will refine the protocol, and monitor the extensions required to meet market needs and to make the protocol robust and mature. Implementation will not be undertaken by the FIDO Alliance. The mature protocol will be presented to the IETF, W3C or similar body after which it will be open to all industry players to implement."

It remains to be seen what exactly this means. One to watch.


The end of the password: why the password is all but dead.


Mat Honan on Wired.com outlines the consequences for user authentication after the trauma of his own identity having been stolen earlier this year.

He argues that passwords cannot remain the primary challenge to a user to access an account. The reasons are simple enough and have been known to identity verification folks for years:

1. passwords have to be reset - the reset process is the weakest link. This is sometimes known as the "ground truth" problem. How do you re-establish a solid basis for the right of the user to access the information?
2. since users now routinely acquire 200 relationships with organisations over their lifetime - the notion of getting users to have unique and strong passwords that are retained in their impossibly stretched memory is simply ridiculous. The result is that users' attempts to deal with this introduce security weaknesses. This is referred to as the "cognitive load" problem.

It is good that Honan is spreading the word. It is high time to take action to prevent the further rise of identity theft and fraud.

He also suggests that the solution must necessarily re-define how the trade-off is made between privacy and security. And again he is right here. You can't repeatably establish "ground truth" without the user divulging information. The notion that only tokens are shared is only valid if some system or someone has obtained data on the person.

He also points out that, ultimately, there might also need to be a rebalancing of the other key trade-off: convenience vs. security. We, as users, may need to be prepared to go through more detailed registration and reset processes for accounts that have any kind of personal information.

One other important point that is made clear from his own experience: there are very few account types that are low risk. If criminals break into something relatively minor like your Netflix account it appears they can only order extra films and that the economic impact is low. But in fact, they can use the information learned about you there to try to hack another account.

Mat Honan is careful not to claim to know exactly what will come. The path from here to a generally acceptable improved authentication process is not an easy one to map out. It could have aspects that are more centralised or indeed more decentralised than now. It could rely on data stored by social networks or on a standard that evolves to exchange data. There are myriad possibilities and for some time to come there will be a myriad of options - only one thing is sure: we will not be accessing accounts using the current password approach for much longer.


Do businesses need to know WHO you are?

What does an organisation need to know to transact with you? One thing that is almost never needed is your name - indeed as Dave Birch argues in this video, a preoccupation with using information like your name, date of birth, etc. for identification is often just plain wrong.

Dave argues that for any transaction only the absolutely necessary data should be made available: your photo and that you are over 18 is enough to buy alcohol and nothing else (not a card with name, address, date of birth, etc.). To pay for something you just need the PIN expected by the chip on the card - everything else printed on the card including your name is just a fraud risk.

About the speaker: David Birch is a digital money and ID consultant paving the way for a 21st-century identity. He is a director of Consult Hyperion, an IT management consultancy that specialises in electronic transactions.
