Thursday, February 27, 2014

Galaxy S5 follows suit with an integrated fingerprint reader - Is it enough?

Fingerprint sensors found on the iPhone 5S and Galaxy S5 may become instrumental for trusted identity assertion, if and only if the sensors are accurate enough to ensure the required security level and user acceptance.

"Smartphones equipped with fingerprint scanners are definitely useful." said Jon White, Visa's Head of Marketing, Mobile Strategic Alliances (Gerald Lynch, GIZMODO UK, MONEY, Feb. 25 2014).

Useful, but insufficient!

Surprisingly enough, PayPal embraces the Samsung S5 biometrics for m-payment authentication. "The PayPal fingerprint authentication feature will go live on the Samsung Galaxy S5 in 26 markets this April," said Eden Zoller, principal analyst at Ovum (MENAFN, Feb. 25 2014). Let us hope that fingerprint authentication is not the only mechanism PayPal puts its bet on. Better to add another authentication factor to it, such as a password, or better yet, a one-time password. It is also reasonable to assume that PayPal is still performing anti-fraud checks behind the scenes: a purchase in California minutes after one in New York is still a red alert.

Research shows that fingerprint readers have a plethora of issues that make them inappropriate for standalone authentication. Look at your fingers after a bath or a swim. What happens when hands are sweaty, very dry, or oily/waxy (sweat, salt and sebum are normally produced by our body)? Does your profession or hobby stress the skin of your fingers? When was the last time you cleaned the sensor (deposits accelerate the deterioration of sensor accuracy)? Temperature and humidity take their toll, too.

High failure-to-enroll and high failure-to-access rates will deter users from activating such technology on their mobile device. Likewise, a high false-acceptance rate deters chief information security officers from adopting it. Fingerprint sensors are susceptible to phishing and replay attacks. “Fingerprints are not private, you leave them lying around everywhere, and if someone has enough incentive – and the resources available to them – they may try to defeat any security system that you trust your fingerprint to unlock,” warns computer security blogger Graham Cluley. Even liveness checks may be fooled, as presented in my previous blog post about the Touch ID flaws.

What are the state-of-the-art means of identity authentication?

It is well known that a static target is much easier to attack than a moving one. Moving target defense (MTD) can be employed to defend identities, too. A one-time password (OTP) is a kind of MTD mechanism: each code is valid for a single use (or a short window), so a code captured by phishing or sniffing is worthless by the time it is replayed. It was invented precisely to combat phishing and replay attacks.

It's time for one-time identity.

One-time identity sounds like an oxymoron; in reality, however, it is a dynamic trusted identity manifested by dynamic features that may identify a person and authenticate him or her accurately enough to satisfy risk management policies. Those dynamic features involve multiple biometric traits, behavior analysis and knowledge checks. Dynamic trusted identities are probabilistic and thus have to be context aware and adaptive to risk management orchestration.

Context awareness takes location into account. Location may be physical, e.g. I am in a specific bank branch; I am withdrawing cash at an ATM; I am at home, next to my desktop computer, or at the office, within a hot-spot circle. Location may also be virtual, e.g. I am at an online store; at a corporate remote-access log-in page; at the Google Apps portal.

Risk management policies define the level of assurance required of the authentication process. It is one thing to allow access to my picture album and quite another to allow access to the corporate intellectual property documentation or to the funds transfer portal of a bank account.
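As an added illustration (not code from the original post), here is what the OTP mechanism described above and the assurance levels described here look like in Python: an RFC 4226 HOTP verifier whose forward-only counter refuses a replayed code, and a step-up rule that demands the OTP only where the resource's required level calls for it. The resource names and their levels are assumptions chosen for the example.

```python
import hmac
import hashlib
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class OtpVerifier:
    """Server-side state. The counter only moves forward, so a code that was already
    accepted (or captured and replayed later) never matches again: the target has moved."""

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.counter = 0            # next counter value the server expects
        self.look_ahead = look_ahead  # tolerate a few codes the user generated but never sent

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1    # consume this and any skipped counters
                return True
        return False


# Assurance levels a risk policy might assign to resources (constructed for this example):
# 1 = the fingerprint alone suffices, 2 = fingerprint plus a fresh OTP is required.
REQUIRED_LEVEL = {"photo_album": 1, "corporate_docs": 2, "funds_transfer": 2}


def authenticate(resource: str, fingerprint_ok: bool, otp_code, verifier: OtpVerifier) -> bool:
    """Risk-based step-up: the resource decides whether the second factor is demanded.
    Unknown resources default to the stricter level."""
    if not fingerprint_ok:
        return False
    if REQUIRED_LEVEL.get(resource, 2) == 1:
        return True
    return otp_code is not None and verifier.verify(otp_code)
```

The first codes for the RFC 4226 test secret `12345678901234567890` are 755224, 287082, 359152; feeding 755224 a second time is rejected even though the fingerprint check still passes.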

In summary, look for up-and-coming risk-based, context-aware, dynamic (MTD) trusted identity assertion.

Keep monitoring us @voisafe.

Dror Bukai,
www.voisafe.com
