Many of the identity and authentication schemes that are employed today to add security to applications and services are actually exposing our private information.
The basic idea that a secret is something exposed to as few people as possible is violated every day. The notion that “shared secrets” are a viable method to strongly authenticate someone’s identity seems to be accepted as the best-practice method for multi-factor authentication. In reality, a “shared secret” is an oxymoron – once you share something it is no longer a secret, and if it is a fact from a publicly available database it was never a secret to begin with.
If I call my wireless provider and the CSR asks for my mother’s maiden name, I have exposed that “secret”. When I use my phone banking application and it asks for my mother’s maiden name, I begin to realize that there are a lot of people who could successfully answer that question and supposedly be “authenticated”. Anyone in my family (which is very large – more than 50 people) and a lot of people who simply know my family would succeed in that challenge. My mother grew up in a small town, but that is at least another 200-300 people. This illustrates the problem with any knowledge factor: if I can’t remember it, I will fail; if someone else knows it, they will succeed.
What is multi-factor authentication? There are three different factors that can be used for authentication: Knowledge Factor - What You Know; Token Factor - What You Have; and Biometric Factor - What You Are. What You Know can be your username, password, PIN, mother’s maiden name, the make of your first car, etc.; What You Have can be your credit card, passport, laptop, mobile device, etc.; What You Are is a Biometric such as fingerprint, voice, face geometry, hand geometry, iris scan, etc. True multi-factor authentication is, at minimum, the use of two different factors. Many of today’s applications use a password and a “shared secret” – which is really multiple instances of one factor (Knowledge) – not true multi-factor authentication.
True multi-factor authentication requires the use of at least two, if not three, factors. This sounds like a difficult proposition that would add a lot of friction to consumer interactions. However, there are approaches that are easy and convenient for the user and easy for the organization to implement as a Web Service. The use of all three factors in combination establishes a very secure, trusted interaction.
How can that be implemented? With today’s mobile devices (iOS [iPhone, iPad & iPod Touch], Android and Windows 7 Mobile), which all can play and record audio, the user can be strongly authenticated by providing their password and then providing their Voice Signature in an Application on the mobile device. The Password is the Knowledge Factor, the device is the Token Factor, and the Voice Signature is the Biometric Factor.
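The following is an added example, not code from the original article, showing the server-side decision logic for the three-factor scheme just described and for the point made earlier that a password plus a “shared secret” is still a single factor. The enrollment record, salt, device token and the voice match-score threshold are constructed sample values, and the voice-biometric engine that would produce the score is assumed to exist outside this snippet.

```python
import hashlib
import hmac
from enum import Enum

class Factor(Enum):
    KNOWLEDGE = "what you know"
    TOKEN = "what you have"
    BIOMETRIC = "what you are"

# Each credential kind belongs to exactly one factor; a "shared secret" such as
# a mother's maiden name is still Knowledge, the same factor as a password.
FACTOR_OF = {
    "password": Factor.KNOWLEDGE,
    "mothers_maiden_name": Factor.KNOWLEDGE,
    "device_token": Factor.TOKEN,
    "voice_signature": Factor.BIOMETRIC,
}

def distinct_factors(verified_kinds):
    """Factor categories covered by the credential kinds that verified."""
    return {FACTOR_OF[kind] for kind in verified_kinds}

def is_true_mfa(verified_kinds, minimum=2):
    """True MFA needs `minimum` different factors; two Knowledge checks count as one."""
    return len(distinct_factors(verified_kinds)) >= minimum

# Constructed enrollment record for one user (sample values, not real data).
SALT = b"constructed-salt"
ENROLLED = {
    "password_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, 100_000),
    "device_token": b"dev-7f3a",  # token bound to the phone at enrollment
    "voice_threshold": 0.80,      # hypothetical match-score threshold
}

def verify_password(candidate):
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), SALT, 100_000)
    return hmac.compare_digest(digest, ENROLLED["password_hash"])

def verify_device(token):
    return hmac.compare_digest(token.encode(), ENROLLED["device_token"])

def verify_voice(match_score):
    # match_score is assumed to come from a voice-biometric engine (not shown here)
    return match_score >= ENROLLED["voice_threshold"]

def authenticate(password, device_token, voice_score):
    """Run all three checks; report which credentials passed and whether that is true MFA."""
    checks = {"password": verify_password(password),
              "device_token": verify_device(device_token),
              "voice_signature": verify_voice(voice_score)}
    passed = {kind for kind, ok in checks.items() if ok}
    return passed, is_true_mfa(passed)
```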
With the use of Voice Signature, cable operators can now provide not only secure authentication but also authorization to the individual rather than just to the household. This paradigm change opens up a plethora of potential new revenue streams for the operator, including delivery of premium content for TV Everywhere applications.
Voice is the most practical Biometric Factor because it does not require a specialized device; it is always with you, it can be dynamic, and it allows for portability across consumer touchpoints that the other biometrics do not offer. With fingerprints, you have 10 chances for re-enrollment if the enrollment is compromised; with an iris scan you have 2 chances; with hand geometry you have 2 chances, etc. With voice, you can continuously enhance the dynamic model and re-enroll if necessary.