What We Learned at the K(NO)W Identity Conference: Part Two

B&B: Biometrics & Blockchain

We are back with more from the K(NO)W Conference and focusing on solutions that create trusted transactions. Digital identity is relatively new. Physical identity has been around for millions of years. We are really just starting to figure out how to build digital trust and what that means for different industries. There was certainly a fair share of buzzwords and solutions spoken of, but the B’s were front and center with Biometrics and Blockchain in the top slots (honorable mention to the Internet of Things).

 

Biometrics

Maxine Most, founding Principal of Acuity Market Intelligence, the definitive authority on global biometrics market development, stated that customer friction has resulted in 13 times more lost revenue than fraud. We are in a time when we can increase security and decrease friction, which should be the goal for every transaction.  Biometrics allows companies to solve both friction and fraud. Born out of tech and the coolness factor, biometrics has cooled over time into a solution-oriented approach, especially in government. For a long time biometrics was about surveillance. Biometrics today is more about security, and the evolution of mobile devices has played a key role.

The stats cited by Maxine on the number of mobile devices that enable biometrics and the number of transactions that will be occurring on them in 2020 are staggering and truly game changing. The global smartphone install base is set to grow 50 percent in the next four years to 6 billion devices totaling $355 billion in revenues. We were asked to think about all of the ways we use our mobile devices today and how dramatically that has changed over the past few years. Think of how often you make a phone call vs. the many routine uses that are now second nature. A lot of these uses likely include biometric authentication such as a fingerprint. Touch ID was a tipping point for the industry.

Biometric authentication is very passive compared to other authentication options. There is no fumbling around to find and capture a credential, no remembering crazy passwords or answers to annoying questions. If companies make it hard for people to do the things they want to do, they won’t do it. With biometrics, you must also consider giving consumers a choice; otherwise it can seem creepy. For example, today at airports in Canada, travelers can opt for a retina scan to expedite the security process, rather than going through the slow line. If it were mandatory, it would likely feel like a violation rather than a benefit. Having options at the device level where consumers control the choice also makes biometrics more adoptable and less creepy.

While there is a much broader acceptance of biometrics today, there is still a false perception that when you authenticate yourself one time you are protected throughout the transaction and future transactions with that entity. This is not the case; real threats go beyond just the login or one-time action. Verification must be continuous to truly safeguard those involved in the transaction. For patients in hospitals, banking customers and even sharing economy apps, for example, verification should not be considered a one-time thing. The idea of the fabric of an identity of authentication was conveyed. If the same person is not repeatedly represented in an authentication process, the whole thing is destroyed. It was stated that the only way we can do this repeatedly, consistently and unquestionably is with biometrics, as opposed to something you know, which is not sufficient anymore (passwords, KBAs, etc.). This is the opinion of some.

But we know there is no such thing as a perfect solution. Companies must consider what fraudsters are doing today and innovate as they authenticate. One issue is liveness detection for images. Stealing images and passing them off for facial recognition will work if there is not a liveness detection test in the solution. To further layer on top of innate biometrics that could be stolen, the case was made for behavioral biometrics to protect users and data when it comes to mobile device spoofing, being tricked into downloading malware on your device and simply having your device stolen. Behavioral biometrics measure and track uniquely identifying patterns in human activities and range from tracking keystrokes and navigation, to location and device login frequency. This offers another way for consumers to be protected by being passive.

 

Blockchain

The other B word that was highly mentioned in addressing the question of establishing a trusted digital identity was blockchain. Maybe you know blockchain and are a big fan, maybe you thought it was a thing of the past. Let’s start with the definition according to wiki: blockchain is a digital ledger in which transactions made in bitcoin or another cryptocurrency are recorded chronologically and publicly. The first blockchain was conceptualized by Satoshi Nakamoto in 2008 and implemented the following year as a core component of the digital currency bitcoin, where it serves as the public ledger for all transactions. The bitcoin design has been the inspiration for other applications.

Essentially blockchain keeps a record of transactions that cannot be manipulated and establishes decentralized and distributed trust. Blockchain was spoken of as more of a movement than a technology. This is largely due to the fact that, as speaker David Birch of Consult Hyperion put it, we have gone from not being able to tell if you are a dog on the internet to not being able to tell if you are a fridge pretending to be a dog. Maybe a tad dramatic, but maybe also too true – hello, catfishing.

Fraud has dramatically increased in recent years, and his belief is that it’s going to get worse because of the movement to make everything frictionless in payments and financial transactions. He stated that making everything easy is a hacker’s paradise. One example is the fact that we still use SMS messages for security even though we know this is not secure. And thanks to the internet of things, we live in a world where we have kettles that are connected to Wi-Fi so that we can remotely operate them, where we have Bluetooth socks and Fitbits for dogs (unclear why but they are both allegedly amazing and in high demand). The dark side of this to consider is that all of this connectivity leaves us vulnerable and more open to attacks. But, as David says…there’s blockchain. Bitcoin is a remarkable cryptographic achievement and the ability to create something not duplicable in the digital world has enormous value. TBD on the future of blockchain but it says something that almost every major financial institution in the world is doing blockchain research at the moment and 15% of banks are expected to be using blockchain in 2017.

 

Conclusion: Problems Aren’t Changing, They Just Look Different

When it comes to tech solutions for authentication, in a lot of ways we are still at step one. If institutions want to scale, it has to be easy – take the human out of the equation whenever possible, but we are not there yet. There is still too much room for human error and institutions and providers are figuring out how to adapt solutions for different environments.

In a room of hundreds of identity professionals, less than 10% confirmed using a crypto key to protect their personal email when we know we are at risk. Consumers will always choose the path of least resistance. Users have to clearly see the value. There are no silver bullets or absolutes. Institutions must consider the use case and the best solution, identifying a point where the authentication meets the level of trust required and addresses the level of risk associated.

 


What We Learned at the K(NO)W Identity Conference: Part One

 

Identity is the New Currency, Biometrics is the New Black, Blockchain is Bringing Sexy Back (Maybe) & Spoiler Alert – Edward Snowden is Still Not an NSA Fan

The first annual KNOW Identity Conference was well attended last week in the nation’s capital, bringing together industry leaders, organizations and individuals that are shaping the new currency: Identity. Industry topics included Biometrics, Blockchain, Machine Learning & Artificial Intelligence, Fraud Prevention and Verification with a central theme on growing security and privacy concerns (enter Ed Snowden). Dissenting viewpoints were heard, predictions made and concerns shared. One thing was clear – we all need to pay more attention to how we transact in the burgeoning digital economy, minding who we do business with and who we entrust with this precious commodity – our identity.

Part One: Edward Snowden

So what was Ed doing there (via video conference from Russia on the clearest bridge our team has ever seen), what did he have to say and how did he look, you ask?

As you see from the photo Ed is holding up well, seeming not to age a bit and keeping his signature look. Whether you view him as a hero or convict, Snowden was a prime choice to speak on the topic of identity at K(NO)W. His thoughts in a nutshell: Identity is broken, there are no easy answers and we need to be concerned about privacy, acknowledging that as we address solutions for identity, we will have to address how privilege and access (or rather lack thereof) to things like a smartphone play a role in shaping the future.

Snowden stated that what matters most for computer/digital networks is your name, which is acknowledged via token, credential, or password. There is a critical point of knowing “this is me” in order to gain access & have a voice that everyone wanting to transact must satisfy. He said in our society, your identity is the token we have given you; all of your other identifiers must be granted from this token. For example, this token may be a government issued ID or social security number. Ed argued that even though this is our reality, popular and lawful are not the same as moral. He went on to state that we have a lot of top-down laws, but should we? His view is that it does not have to be this way.

Snowden asked and answered: if identity did not exist, how would you do your business? We can survive in that world according to him. If we rewind 100 years this was the reality. His view is that we should be moving towards this instead of creating a world that is less free & less fair because fewer people are able to transact. He believes most transactions are legitimate and should not be restricted to the privileged and capable as this is a negative thing for free & open society.

Regarding privacy, Ed spoke about the infamous U.S. government phone surveillance program stating that an independent study found it to be illegal and stated it should end. The study found that there was no instance where knowledge of a threat found through this method of surveillance made a difference to the outcome, nor contributed to the outcome. It was found that anything positive could have been done via traditional means according to Snowden. His view: when surveillance increases, security decreases. Not obvious, he noted, but true. In a borderless network and economy, we need to be focused on preventative measures, not offensive, otherwise we leave ourselves open for exploitation.

Snowden acknowledged that some censoring is justified, e.g. Facebook censoring videos. He stated that you need some level of knowledge but you don’t need precise knowledge when it comes to verification. For example, certain industries may need to know you are old enough but not your exact age, or someone known to you vouches for an unknown identity and this happens again and again; this was the idea of a web of trust. The web of trust didn’t take off but the idea was that this is good enough to establish trust.

The idea of good enough has changed and is still changing, and it requires a different level of consideration to address the level of risk associated with transactions. It used to be that if someone was issued a passport by a government, that was a sufficient level for travel. We know today this doesn’t work and have watch lists and various other methods to screen travelers. Snowden is a fan of tech solutions that don’t make you present a bucket of verification when it’s not needed. For example, if you are online shopping, he believes the digital economy should be like the cash economy, with less friction: the verification standard should be good enough, allowing more access for people who may not have government issued identity documents. He feels you should not have to have this in order to interact with the digital economy. Further, Ed argued that dumb criminals & terrorists get weeded out of the system very quickly, so relying on Know Your Customer (KYC) laws is not enough, nor can government mandates safeguard us. He cautioned that we should be careful about what data we truly need to collect, because someone with access will abuse it at some point; it’s simply too tempting.

And let’s not forget the biggest headline of late (that does not include President Trump) – Snowden called it the greatest cyber security crisis in history. He was of course referring to the WannaCry virus and noted that this is the first time that the media is naming the NSA directly. His viewpoint is that hackers now have inertia and are using tools stolen from the NSA. The stockpiling of data that the NSA allows with vulnerability is happening around the world and creating ripe targets for hackers and organized criminal groups. He informed us that NSA cyber security spending is 90% dedicated to offensive operations and that this is a big mistake and a massive problem. He believes the attack could have been curbed if the U.S. government acted years ago, punctuating that sentiment by saying “It’s hard being right.” He went on to say the NSA has done a lot of harm to the U.S., but stated no one doubts their intention and good people often do bad things. Interesting choice of words, Ed.

While there may have been a lot of bleak talk at K(NO)W, there was also the ever-present message of hope and news of exciting new tech solutions in the works by many, including Acuant of course. Stay tuned for coverage of more hot topics from the conference!

 
