BayPay Forum Event: Authentication and Identity Track - Setting the Stage

Picture From BayPay Forum Events Page:  The 'Authentication and Identity Wars' are well underway, but everything is still to be defined.  This is the perfect moment to get fully engaged and involved in the industry, and what better way to do it than with your BayPay Forum colleagues!

We are thrilled to invite you to the first event of the Authentication and Identity Track, a series of panels around authentication, security and identity management as they apply to payments, commerce, banking and beyond. 

This first event will allow us to set the stage and review some of the leading solutions and ongoing initiatives.  It will be the starting point for future, more in-depth, conversations with key ecosystem players - merchants, processors, banks, MNOs - covering their most pressing challenges and biggest opportunities in the U.S. and world-wide.  Continued.

 

Picture Trish's Comment:  I am very excited about BayPay Forum's next event on October 15th.  It will be the first event of the new Authentication and Identity Track, which I am chairing.  This first event will allow us to set the stage and review some of the leading solutions and on-going initiatives. We will talk about the risks associated with today’s authentication solutions, key industry-wide initiatives, the role of government, privacy, and an array of other subjects such as digital signatures, credential management, identity assurance and biometrics.We have worked hard to make sure we have a great line-up of companies with different perspectives, and maybe even diverging, views on the industry and how best to solve the authentication and identity challenge.  Below I have included the list of participating companies (in alphabetical order) along with a short description of each of them:  HID Global:  Their vision is true, multi-factor authentication providing transparent and convenient protection for online financial services.  Multi-factor actually translates to five layers - user, device, channel, transaction and app - that can be implemented in a variety of ways.Iovation:  The company gathers information from a myriad of partners to associate each device with its transactional history and provide a 'device reputation score'.  
At the risk of over-simplifying, the two main scenarios are:
 1. If a consumer tries to transact using a device with no fraud in its history, the
     transaction is deemed low risk and the consumer can proceed with the transaction.  
 2. If the device has fraud in its history, other anti-fraud mechanisms (such as KBA) can be
     used prior to authorizing the transaction.Natural Security:   The company has developed a user authentication mechanism that enables online and in-person transactions by combining a mid-range contactless personal device (something a user has) and biometrics (something a user is).
The mid-range contactless technology means users do not have to handle the physical device, it can stay inside a purse or a pocket.  A user will just need to place their finger on a fingerprint reader.  Everything else happens in the background.
To avoid privacy concerns, biometric information is securely stored on the personal device and so it remains under the individual user's control at all times.  End-user information and communications are encrypted and also securely stored on the personal device (normally in a secure element).OneID:  The company's ultimate goal is to be the only single digital identity a person will ever need.  As it is described on their website:
'OneID uses cryptography to encrypt and lock your data locally at your computer. Your encrypted data is then sent up to the OneID cloud storage repository and remains safely encrypted until you ask for it from an authorized device. 
Your encrypted data is then sent back to your authorized device where it is decrypted and released to a website, login, form, etc., with your consent. All of that happens in a split second.
If for some reason, the OneID repository is hacked, that data is completely useless without the ‘key’ that is stored on your device that unlocks your data. Each OneID user has his/her own key – so any breach will result in zero information being revealed.'

Note:  Since OneID encompasses authentication, authorization and information sharing, I view the company as an implementation of a private cloud.  From my perspective, it goes beyond authentication and tries to provide a holistic 'data view' of the individual RSA Silver Tail:  The approach RSA Silver Tail is taking is quite different from the other companies discussed so far.  Their focus is behavioral analytics applied to web sessions.  
In layman terms:  Is the behavior of a user consistent with the the profile of good behavior we have previous defined for a specific website?  Is the behavior of a large set of users similar enough across all of them to suspect a botnet? 
These are all very different, and in some ways complementary, approaches to solving the authentication and identity equation.  I anticipate a very lively discussion and hope to see you all there!