Response to Mark Diodati’s “Nothing is Bulletproof” post
Thanks to Mark Diodati for carrying on this discussion as I believe it is an important one and contrary to my apparent tone in my last post, I do think Mark knows what he is talking about. My frustration continues to be with the industry thought processes at large regarding secure authentication challenges as being too little, too weak and failing the customer.
I certainly agree that PKI is not a silver bullet for the authentication problem and that a multi-layered approach is necessary. I’ve addressed this at length in various posts covering: Fraud detection; Transaction authentication; Malware attack.
There are indeed a variety of attack surfaces at the client that can compromise not only PKI (smartcard or not), but also biometrics. Once and for all, let’s agree that there is no single silver-bullet solution. There is only a group of solutions that do different things along three primary axes: ease of use, cost and security. These three axes affect two primary communities: end-users and service / application providers. My main pain point is that not enough is being done to address the end-user’s security problems because of what I believe is a complete and deeply held misperception, a nearly religious industry tenet: users can’t / won’t deal with anything involving an additional software download or hardware. This point is probably the only thing that Mark Diodati and I really disagree about on this entire topic.
We agree that:
- There are no silver bullet solutions.
- That “the only way to be totally protected against man-in-the-middle attacks is to use digital certificates or public key encryption” (Mark Diodati in referenced eWeek article).
- Multi-layered approaches are necessary.
- Smartcard deployments in the U.S. are dead on arrival for consumer adoption.
- Traditional PKI is hard for users, IT departments, security practitioners and, on top of that, very costly.
We mostly agree that:
- U.S. FIs are not yet prepared to deploy client or hardware solutions. I can’t completely agree with this, as several have deployed and continue to deploy solutions that fall into this category, including TriCipher’s, but certainly the numbers are not overwhelming.
We don’t agree that:
- “U.S. consumers don’t want” client or hardware solutions. Consumers have no problem downloading software that provides them value and do so by the thousands every day. While many will completely dismiss Javelin’s Consumer Online Banking Study because TriCipher helped sponsor it, even I was surprised that 62% of consumers said they would be likely to download software for improved security from their bank. I was thinking it might be, say, 50%, but the findings were borne out given that 69% of the study participants actually did download and use the software in conjunction with the web study. How much higher would that number have been if it was offered through their bank’s site? The number 1 and number 2 most popular downloads at c/net’s download.com site are security related: anti-virus and anti-spyware. It cannot be argued that users are not actively looking for, and open to, security solutions to use on their devices.
I simply agree with Mark that PKI is a solid, strong solution for authentication and beyond (signing, encryption, etc.). Consequently, PKI-based solutions should be more closely studied as part of the overall security solution space for authentication protecting against phishing, man-in-the-middle, man-in-the-browser and a wide variety of, but not all, malware. The main problem with PKI has always been in the implementation: getting keys to the user and managing them from there. “Pitch Alert”: this is what TriCipher has solved. Anyone who can use an ATM card and a PIN without understanding Triple-DES can get and use PKI, properly architected and deployed in a practical manner. We even make it so that what the user wishes to use as their “ATM card” is flexible and can even be left up to them, so they don’t have to be issued any purpose-built hardware. Me, I use my MP3 player of choice as my 2nd factor. What would you use?
Time to move past mere “reassure the customer”, “feel good” solutions and move to something providing actual security and protections. I hope that clears things up a bit. Mark, we should put together a panel or roundtable on the topic of what consumers will and won’t put up with to get real security in their online lives.
October 25th, 2007 at 9:19 pm
Hi Tim,
Many thanks for your thoughtful, insightful, and articulate reply to my blog entry. I agree that this is an important topic and the discourse we are having is a positive thing. To that end, I am posting this comment on both the Burton Group Identity Blog and your blog.
The Javelin user acceptance study is encouraging. The security of consumer authentication would be raised materially if a client were in play. Clientless device identification – while valuable – is readily impersonated. With a client, there can be some cryptographic ‘meat on the bone’ to provide a stronger device ID. Obviously, the security quality of the consumer’s primary authentication would be improved as well.
While software acceptance by consumers is a good thing, I have residual concerns. Will customers tolerate multiple client packages, with the potential for software conflicts or performance issues? This issue is the software analogue of the OTP “token necklace” many of us like to talk about. This is a different use case than deploying a single anti-virus package. To be fair, the customer may get lucky because all of the customer’s FIs may use the same client. Also, as you point out, user acceptance is only one-half of the recipe. FIs must be willing to deploy and support client software, and probably for multiple operating systems (not just Windows).
I agree that we should continue this discourse on the challenges of consumer authentication. I am not sure of the best medium, but I commit to giving it some thought (and I am open to suggestions). Additionally, the Burton Group IdPS team is in the process of defining our 2008 focus areas, and it will certainly include consumer authentication. We’ll wrap up our planning mid-November. Perhaps we can take the roundtable idea to the next Burton Group Catalyst conference, which will enable a healthy percentage of customers to interactively collaborate with us on the topic.
For the record, I think that TriCipher has some interesting and unique technology in its portfolio, and I have called this out in our research work. The split key technology and variable client footprint options provide good security and mobility features. I like the way that TriCipher does mobile PKI in conjunction with one-time password devices. The use of the private key is tightly coupled to the OTP authentication, more so than in any other product I am aware of. It’s also nice that the product transparently supports a mix of vendor OTPs; this capability introduces cost-saving OTP migration options.
As always, I look forward to reading your blog, and I look forward to additional discussions.
Sincerely,
Mark