BayPay Forum Event: Authentication and Identity Track - Setting the Stage Summary

I attended, and really enjoyed, the first event of the BayPay Forum Authentication and Identity Track on October 15th. Below I have included a few of my key takeaways from the session.

1) If you are sending your password to some central authority, you already lost the battle

Third parties that hold information, including username / password, for thousands or millions of accounts are high-priority targets for fraudsters and criminals. Keeping your information protected in your device can be much safer.

2)  Fraud through malware is a big challenge facing the authentication community

Man-in-the-middle, man-in-the-browser, clickjacking, backdoor... These are all different types of attacks performed by malware that can reduce, or even totally eliminate, the effectiveness of an authentication system.

These attacks can take place during log-in or at any time during a session, which highlights the importance of continuous behavioral analysis that allows authentication to be stepped up as necessary.

3)  A solution need not be universally accepted to be relevant and successful

A sentence was said that caught my attention; it was something like: even if we create a solution that is 1,000 times more secure and 1,000 times more convenient, still not everybody would be behind it. Any time you have a change in technology, there is a natural fear and doubt that kicks in.

Gaining acceptance takes time, even with a great solution. Gaining universal acceptance may not be realistic, or even desirable, since different situations will require different solutions - for example, logging into your account when using your laptop, your smartphone or your Google Glass.

4)  There is no standard 'acceptable margin of error'. It depends on the application

The acceptable margin of error is in the eyes of the user and the relying party and will be in line with the consequences of a false positive or false negative. The acceptable margin of error changes greatly between an anti-spam program, access to Facebook and a $10,000 transfer.
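To make points 2 and 4 concrete, here is an added example (my own illustration, not code from the event or from any of the companies on the panel) of a session risk monitor: behavioral signals accumulate risk at any point in the session, not only at log-in, and the threshold that triggers a step-up or a denial depends on the consequence of the action being attempted. The signal names, weights and thresholds are constructed for the illustration and are not values anyone at the event quoted.

```python
from dataclasses import dataclass, field
from typing import List

# Constructed signal weights (hypothetical): each is a behavioral or device
# observation that a continuous analysis engine might emit mid-session.
SIGNAL_WEIGHTS = {
    "new_device": 30,                # first time this device is seen for the user
    "session_ip_changed": 25,        # client address changed after log-in
    "geo_velocity_impossible": 50,   # location jump faster than travel allows
    "typing_cadence_anomaly": 20,    # keystroke timing differs from the user's baseline
    "beneficiary_added": 15,         # new payee added shortly before a transfer
}

# Constructed per-action thresholds (hypothetical): the acceptable margin of
# error is tied to the cost of a false negative, so a $10,000 transfer tolerates
# far less accumulated risk than simply reading a feed.
ACTION_THRESHOLDS = {
    "view_feed": 80,
    "change_email": 40,
    "transfer_large": 20,
}

# Above this ceiling no step-up is offered; the session is denied outright.
DENY_CEILING = 100


@dataclass
class Session:
    user: str
    risk: int = 0
    events: List[str] = field(default_factory=list)


def observe(session: Session, signal: str) -> int:
    """Record a behavioral signal seen at any time in the session; return new risk."""
    if signal not in SIGNAL_WEIGHTS:
        raise ValueError(f"unknown signal: {signal}")
    session.risk += SIGNAL_WEIGHTS[signal]
    session.events.append(signal)
    return session.risk


def decide(session: Session, action: str) -> str:
    """Return 'allow', 'step_up' or 'deny' for the requested action.

    The same session risk can be acceptable for one action and not for
    another, which is the 'no standard margin of error' point in practice.
    """
    threshold = ACTION_THRESHOLDS[action]
    if session.risk <= threshold:
        return "allow"
    if session.risk < DENY_CEILING:
        return "step_up"
    return "deny"


def complete_step_up(session: Session, success: bool) -> int:
    """Apply the outcome of a stronger factor; a pass resets accumulated risk."""
    if success:
        session.risk = 0
        session.events.append("step_up_passed")
    else:
        session.risk += 40
        session.events.append("step_up_failed")
    return session.risk


def run_timeline() -> List[str]:
    """Constructed session timeline; returns the sequence of decisions made."""
    s = Session("alice")
    out = []
    observe(s, "new_device")                       # risk 30
    out.append(decide(s, "view_feed"))             # allow   (30 <= 80)
    out.append(decide(s, "transfer_large"))        # step_up (30 > 20)
    observe(s, "session_ip_changed")               # risk 55, mid-session signal
    out.append(decide(s, "change_email"))          # step_up (55 > 40)
    complete_step_up(s, True)                      # risk 0
    out.append(decide(s, "transfer_large"))        # allow
    observe(s, "geo_velocity_impossible")          # risk 50
    observe(s, "typing_cadence_anomaly")           # risk 70
    observe(s, "beneficiary_added")                # risk 85
    out.append(decide(s, "transfer_large"))        # step_up (85 < 100)
    observe(s, "session_ip_changed")               # risk 110
    out.append(decide(s, "view_feed"))             # deny    (110 >= 100)
    return out


if __name__ == "__main__":
    print(run_timeline())
```

The design choice worth noting is that risk is evaluated per action, not once at log-in: a session that was perfectly acceptable for browsing can be challenged the moment it attempts something expensive, and a session whose signals keep piling up after a successful step-up is challenged again.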

5)  The MNOs can bring a lot of value to the authentication process

Mobile network operators (MNOs) have many capabilities that can greatly enrich the authentication process, such as recognition/reputation of the device, geolocation, geofencing, tenure of the relationship with the user...

The main barrier to using all these capabilities is the speed at which the authentication needs to take place versus the time it takes the MNOs to provide the information.

6)  The question of who is liable for the authentication remains unanswered

There are a number of business and legal structures that can be applied to determine liability, but in general, the entity that holds the business relationship with the end party will also be liable for breaches.

All the companies on the panel (OneID, Iovation, HID Global and Natural Security) are technology providers to the companies that have the business relationship with the end customer - be it a consumer or another company. In general, they will not be held legally liable.

Ref:  Additional information on this event can be found at 
http://www.baypayforum.com/events/monthly-calendar-of-events/eventdetail/934/