Healthcare: Getting serious about multifactor authentication

The Time Has Come for Two-Factor Authentication in Health Care (iHealthBeat)

William Braithwaite — a health information privacy and security consultant and chair of the Healthcare Information and Management Systems Society’s identity management task force — noted that, no matter how long or complex passwords are, they’re still vulnerable to theft. “The real problem is that passwords are being stolen, not that they’re being broken,” he said.

True cybersecurity requires a conceptual shift

The user knows nothing: Rethinking cybersecurity

This position — that the adversary knows your system as well as you do, if not better, as soon as it is stood up — while extreme, led to the creation of large number factorization, the basis for all modern encryption, from PGP to RSA tokens. Under these encryption schemes, as long as the key is kept private, someone can know everything about how the security system works and still not be able to crack it.

To get to a place of true cybersecurity, another stark innovation in thinking is needed. What is needed is an Inverse Shannon’s Maxim: the user knows nothing.

Coincidentally, our CTO and I were having a conversation along these lines just yesterday. It’s a thrill a minute at SecurLinx!

France: Banking group looks toward multifactor authentication

France’s national interbank network, Groupement des Cartes Bancaires CB, is currently evaluating the use of biometry in payment transactions (TMCnet)

The first CB approval will involve the association of biometry and a chip integrated into a keyfob. Integration of the chip into a micro-SD card of a mobile phone is also being studied. Highly convenient, the user keeps the keyfob or telephone on his or her person, for example in a pocket or handbag, without needing to present it physically to pay or withdraw cash.

Market forecast: Multi-Factor authentication

Via MARKETS AND MARKETS: The global multi-factor authentication (MFA) market, which includes different types of authentication and applications, is expected to reach $5.45 billion by 2017 at an estimated CAGR of 17.3% from 2012 to 2017. Two-factor authentication is the most widely used MFA model in the world, with smartcard-with-PIN and one-time password (OTP) being the most popular techniques. Biometric-based MFA models are growing at a fast rate. North America and Europe cover most of the market, whereas APAC is the fastest-growing region.

Biometrics for mobile ID gaining acceptance among telecoms

Mobile biometrics gaining traction, ‘common’ by 2015 (ZDNet)

Tracy Hulver, chief identity strategist at Verizon Enterprise Solutions, said: “Biometrics, without a doubt, will become more prevalent as a component or add-on to mobile devices in the coming years.”

Proving people are who they say they are has been a challenge for digital security since computers have been in use, according to Hulver. Biometrics, he added, provided a “multifactor” authentication scheme: pairing “something you know” such as a user ID and password combination, with “something you are”.

She ought to know what she’s talking about.

Hardware & ID Security: PC vs Mobile

Mobile banking to hit 1 billion users by 2017

Fortunately for the consumer, mobile devices often contain technologies such as GPS that track the user’s location, front-facing cameras that can be used for face-recognition, and other biometric tools such as voice recognition technology and in some cases fingerprint technology. In December, Ben Knieff, head of fraud at financial crime and technology specialist NICE Actimize told Banking Technology that mobile banking could eventually become safer than online banking.

“While consumers didn’t like biometrics ten or even five years ago, rising usage of the technology on sites like Facebook has made it more acceptable,” he said. “Consumer sentiment is changing, and I believe there could actually be an opportunity to use some of these technologies to make mobile banking even safer than internet banking is today.”

The whole article is worth reading but two points in the second paragraph quoted above are especially thought-provoking.

That’s the first time I’ve seen the Facebook face recognition issue turned on its head like that. Stories of outrage at the Facebook facial recognition app are easy to find. Whether this has more to do with Facebook’s User Agreement policies or with biometric technology is a subject for another day, but is it possible that, as suggested above, the Facebook face rec kerfuffle has made biometrics more acceptable to the networked public simply by putting people into contact with the technology?

Another fascinating item in the second paragraph is the notion that mobile banking can be inherently safer than online banking conducted through desktop or laptop computers. We discussed some of the reasons for this in Mobile Devices and Biometric Modalities, but the reasons why authentication via mobile devices may be more rigorous than that using other hardware go beyond biometrics. Mobile devices are quite simply capable of covering all of the factors listed below. In a multifactor authentication model, the more factors that can be determined simultaneously, the higher the confidence in the authentication transaction.
Here they are.

Something you have (tokens: key, prox card, mobile phone, etc.)
Something you know (passwords, PINS, codes, high school mascot, etc.)
Something you are (biometrics: eye, voice, face, fingerprint)
Where you are (location: IP address, cellular signal, GPS, in the bank branch)
When you are (time)

Mobile hardware supports all the factors above and, in three of them (something you have, something you are and where you are), mobile platform security exceeds the security attributes of PC hardware. Mobiles make better tokens because they aren’t often shared, they have Bluetooth, near field communication (NFC) and Wi-Fi capabilities for external signaling and, of course, they’re mobile. They support passwords (OK, maybe not quite as conveniently as PCs). Two biometric sensors, the camera and microphone, come stock on all mobiles. They know where you are at all times.

The “what time is it” question is a draw in the current discussion. Both technologies in question (mobile vs. PC) are equally ignored here because the question of time is answered on the server side; i.e. you can’t avoid late fees by setting the clock back on your PC when you make last month’s payment online. Payees have their own clocks. I included it only because it’s a real factor and there are ID/security applications where an individual is treated differently at different times of the day. Time also comes up in combination with location: credit cards run fifteen minutes apart at gas stations separated by 1,000 miles raise suspicion.
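To make the factor list and the time-plus-location point concrete, here is an added example (not code from the original post or from SecurLinx) of the server-side logic a payment or login back end could run: it counts how many of the five factors were confirmed at once and rejects the “fifteen minutes, 1,000 miles apart” pattern by computing the speed the user would have needed. The coordinates, timestamps, the 600 mph ceiling and the allow/step-up/deny thresholds are all constructed sample values chosen for illustration.

```python
"""Toy authentication risk check: factor counting plus a velocity
("impossible travel") test on the where/when pair.
All events, thresholds and coordinates below are constructed samples."""
import math
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

EARTH_RADIUS_MILES = 3958.8
MAX_PLAUSIBLE_MPH = 600.0  # assumption: roughly airliner speed, nobody legitimately moves faster


@dataclass(frozen=True)
class AuthEvent:
    """One authentication attempt: server-side timestamp and reported location."""
    when: datetime
    lat: float
    lon: float


def haversine_miles(lat1, lon1, lat2, lon2):
    """Great-circle distance between two lat/lon points, in miles."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * math.asin(math.sqrt(a))


def implied_speed_mph(prev, cur):
    """Speed needed to travel from the previous event to the current one.

    Timestamps are the server's (the post's point: the payee's clock counts,
    not the device's), so a zero or negative gap means the events were
    effectively simultaneous; any distance then implies infinite speed."""
    hours = (cur.when - prev.when).total_seconds() / 3600.0
    miles = haversine_miles(prev.lat, prev.lon, cur.lat, cur.lon)
    if hours <= 0:
        return math.inf if miles > 0 else 0.0
    return miles / hours


def impossible_travel(prev, cur, max_mph=MAX_PLAUSIBLE_MPH):
    """True when the where/when combination cannot be one person."""
    return implied_speed_mph(prev, cur) > max_mph


# The five factors from the post. "when" is True when the server-side time
# falls inside the window this account is allowed to transact in.
FACTORS = ("have", "know", "are", "where", "when")


def confirmed_factors(evidence):
    """Count how many factors were positively confirmed in this transaction."""
    return sum(1 for f in FACTORS if evidence.get(f, False))


def decide(prev, cur, evidence):
    """Server-side decision: deny on impossible travel, otherwise grade by
    how many factors were determined simultaneously (thresholds are assumed)."""
    if prev is not None and impossible_travel(prev, cur):
        return "deny"
    n = confirmed_factors(evidence)
    if n >= 3:
        return "allow"
    if n == 2:
        return "step-up"  # e.g. ask for an OTP before proceeding
    return "deny"


# Constructed sample events: a card used in Chicago at noon UTC, then ...
NOON = datetime(2013, 3, 1, 12, 0, tzinfo=timezone.utc)
CHICAGO_NOON = AuthEvent(NOON, 41.8781, -87.6298)
# ... in Denver (~918 miles away) fifteen minutes later: not plausible
DENVER_15_LATER = AuthEvent(NOON + timedelta(minutes=15), 39.7392, -104.9903)
# ... or in Evanston (~12 miles away) fifteen minutes later: plausible
EVANSTON_15_LATER = AuthEvent(NOON + timedelta(minutes=15), 42.0451, -87.6877)

if __name__ == "__main__":
    strong = {"have": True, "know": True, "are": True, "where": True}
    print("Chicago -> Denver in 15 min:", decide(CHICAGO_NOON, DENVER_15_LATER, strong))
    print("Chicago -> Evanston in 15 min:", decide(CHICAGO_NOON, EVANSTON_15_LATER, strong))
    print("password + location only:", decide(None, CHICAGO_NOON, {"know": True, "where": True}))
```

The velocity test runs before the factor count on purpose: a transaction can present a valid token, PIN and fingerprint and still be impossible, and a contradiction between two factors should outrank agreement among the others.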

That’s the theory anyway. In theory, mobile hardware can facilitate higher-confidence ID authentication. In practice, the security vulnerabilities of the PC world are better understood. There are several household names offering services that maintain PC hardware as a virus/trojan/worm-free environment. Uptake of similar technologies has yet to take off with mobile hardware. That will change, though, if more people use mobile hardware to handle their finances.