Comments on: Response to Mark Diodati’s “Nothing is Bulletproof” post http://eyedentityonline.com/archives/20 Thu, 28 Aug 2008 19:20:08 +0000 http://wordpress.org/?v=2.3.1 By: Mark Diodati http://eyedentityonline.com/archives/20#comment-224 Mark Diodati Thu, 25 Oct 2007 21:19:43 +0000 http://eyedentityonline.com/archives/20#comment-224 Hi Tim, Many thanks for your thoughtful, insightful, and articulate reply to my blog entry. I agree that this is an important topic and the discourse we are having is a positive thing. To that end, I am posting this comment on both the Burton Group Identity Blog and your blog. The Javelin user acceptance study is encouraging. The security of consumer authentication would be raised materially if a client were in play. Clientless device identification – while valuable – is readily impersonated. With a client, there can be some cryptographic ‘meat on the bone’ to provider a stronger device ID. Obviously, the security quality of the consumer’s primary authentication would be improved as well. While software acceptance by consumers is a good thing, I have residual concerns. Will customers tolerate multiple client packages, with the potential for software conflicts or performance issues? This issue is the software analogue of the OTP “token necklace” many of us like to talk about. This is a different use case than deploying a single anti-virus package. To be fair, the customer may get lucky because all of the customer’s FIs may use the same client. Also, as you point out, user acceptance is only one-half of the recipe. FIs must be willing to deploy and support client software, and probably for multiple operating systems (not just Windows). I agree that we should continue this discourse on the challenges of consumer authentication. I am not sure of the best medium, but I commit to giving it some thought (and I am open to suggestions). Additionally, the Burton Group IdPS team is in the process of defining our 2008 focus areas, and it will certainly include consumer authentication. We’ll wrap-up our planning mid-November. Perhaps we can take the roundtable idea to the next Burton Group Catalyst conference, which will enable a healthy percentage of customers to interactively collaborate with us on the topic. For the record, I think that TriCipher has some interesting and unique technology in its portfolio, and I have called this out in our research work. The split key technology and variable client footprint options provides good security and mobility features. I like the way that TriCipher does mobile PKI in conjunction with one-time password devices. The use of the private key is tightly coupled to the OTP authentication, more so than any other product I am aware of. It’s also nice that the product transparently supports a mix of vendor OTPs; this capability introduces cost-saving OTP migration options. As always, I look forward to reading your blog, and I look forward to additional discussions. Sincerely, Mark Hi Tim,

Many thanks for your thoughtful, insightful, and articulate reply to my blog entry. I agree that this is an important topic and the discourse we are having is a positive thing. To that end, I am posting this comment on both the Burton Group Identity Blog and your blog.

The Javelin user acceptance study is encouraging. The security of consumer authentication would be raised materially if a client were in play. Clientless device identification – while valuable – is readily impersonated. With a client, there can be some cryptographic ‘meat on the bone’ to provider a stronger device ID. Obviously, the security quality of the consumer’s primary authentication would be improved as well.

While software acceptance by consumers is a good thing, I have residual concerns. Will customers tolerate multiple client packages, with the potential for software conflicts or performance issues? This issue is the software analogue of the OTP “token necklace” many of us like to talk about. This is a different use case than deploying a single anti-virus package. To be fair, the customer may get lucky because all of the customer’s FIs may use the same client. Also, as you point out, user acceptance is only one-half of the recipe. FIs must be willing to deploy and support client software, and probably for multiple operating systems (not just Windows).

I agree that we should continue this discourse on the challenges of consumer authentication. I am not sure of the best medium, but I commit to giving it some thought (and I am open to suggestions). Additionally, the Burton Group IdPS team is in the process of defining our 2008 focus areas, and it will certainly include consumer authentication. We’ll wrap-up our planning mid-November. Perhaps we can take the roundtable idea to the next Burton Group Catalyst conference, which will enable a healthy percentage of customers to interactively collaborate with us on the topic.

For the record, I think that TriCipher has some interesting and unique technology in its portfolio, and I have called this out in our research work. The split key technology and variable client footprint options provides good security and mobility features. I like the way that TriCipher does mobile PKI in conjunction with one-time password devices. The use of the private key is tightly coupled to the OTP authentication, more so than any other product I am aware of. It’s also nice that the product transparently supports a mix of vendor OTPs; this capability introduces cost-saving OTP migration options.

As always, I look forward to reading your blog, and I look forward to additional discussions.

Sincerely,

Mark

]]>