Archive for February, 2007

Pictures and fraud detection

Friday, February 23rd, 2007

If you haven’t had a chance to read the Harvard / MIT study on users’ lack of attentiveness to various visual clues, including the ludicrous “pick a picture” scheme popularized by Passmark, you should go give it a look.  It is aptly titled “The Emperor’s New Security Indicators”.

Louie Gasparini, co-CTO of the consumer division of RSA (the security division of EMC), which is stuck selling the Passmark site-to-user authentication technology, was given a chance to respond to this study over at the Wall Street & Technology blog.  My response to his response is the first comment on that page, or for your reading pleasure, as follows:

I find it interesting that Mr. Gasparini would use the door lock analogy given that he’s arguing for a security system that is completely reliant on the equivalent of motion detectors alone in a physical security system. Fraud detection techniques, the invisible authentication he alludes to, are a perfectly reasonable approach in a layered approach, but not as the only layer. The Harvard / MIT study and Mr. Gasparini’s own response point to the fact that the entire, supposed 2-way, 2-factor picture mechanic is nothing more than a “reassuring” device and of no security value at all. So where are the layers?

How many motion detectors, pressure pads, and video surveillance cameras would you need to have in your house or business before you would feel comfortable removing all the doors and windows? Yet this is what consumers are being asked to put up with from those that want their online business, but aren’t willing to exert anything but the bare minimum to protect themselves and nothing to protect the consumer. Bank risk mitigation? Yes. Consumers though, feel good with your pictures, manage your own risk and good luck out there.

Until we security professionals can impress upon our business application colleagues / customers that we need to do something from the client side and not just the server side, customers remain on their own. “Caveat emptor” should be changed to “caveat surfer”.

I want to build on this in following posts.  In the meantime, ponder who is to blame for the sad state of affairs that exists with regard to how chintzy and half-hearted efforts are to secure consumers, instead forcing them to be their own security experts when they can’t or won’t even follow the seemingly simplest instructions.  Also, why do financial institutions fear customers actually calling them for a little security support more than they can envision the revenue upside of more customers actually using a more secure online channel confidently?  When will online entities move to use true, strong security features as a competitive driver, similar to when automakers embraced safety features as differentiating components?

Obligatory first post introduction

Thursday, February 15th, 2007

Welcome. Let’s get right to it. Why are we here? You, I don’t know. Hopefully you are looking for the content we will build together here. Me, I’m here to blather about my thoughts on a wide variety of online identity, privacy and general online or digital life issues. Hopefully, this will very much be a two-way discussion where we kick around ideas started here or in other sites covering the same topics, so chime in.

Since this is my kick-off post, it seems there are a couple launch items we should get out of the way:

  1. Who the heck is Tim Renshaw?
  2. What is the affiliation with TriCipher, Inc. my employer?
  3. What is going to be discussed here?

You can check out my bio here on the TriCipher, Inc. web site.  I am a married guy, no kids, two dogs, who has worked in the e-commerce space certainly since joining CheckFree back in 1998. My two main hobbies are electronic gaming of all kinds and on all platforms, and fishing, you know, for actual fish like bass, not phishing. We’ll get to that in due course :-). I have been involved in IT matters and technology as part of my career since the late 80s when PCs and networks exploded throughout the bank enterprises where I worked.  As a result, I got sucked into technology and found it appealed to me much more than the actual banking business did.  A lot of hands-on hours later mucking around in the guts of PCs, networks and servers, I ended up working in the audit department of Banc One, now part of JPMC, where I was exposed to not only being audited but what a good auditor and audit process accomplishes.

Needless to say, all along the way security has been a day to day concern, both for the user communities I served, and as everything increasingly came online to the larger world, concern for my own servers and systems.  Authorization and authentication issues were part of daily, real world management and implementation.  Walking the line of enforcing security and audit policy while trying to keep my support calls and general user unhappiness from escalating has been part of my daily thought process for years.  Additionally, while at CheckFree working on various bill presentment and payment products, the clear linkage between user authentication, account authentication and fraud relationships made a distinct impression.

Which brings me to my current employment / affiliation at TriCipher, Inc.  I joined the company, then called SingleSignOn.Net, in 2001 after being introduced to their novel digital credential technology developed into a deployable product. I’m still with the company, now TriCipher, after 6 years because what I saw then as an effective and workable answer to the issues of strong authentication, reliable identity, federated identity, digital signing, personal data controls and privacy / anonymity issues is, unfortunately, only now being seriously addressed in the internet e-commerce and emerging inter-social-blogo-web2.0-mobile-multidevice world.  All that being said, this is not going to be an ad site for TriCipher; however, I am also not going to try and mask the fact that I am a huge advocate for our technology or that I come from a pro-TriCipher technology point of view.  I don’t believe anyone can be completely objective about things they truly believe in, and I believe in strong, easy to use digital credentials, and I believe TriCipher Armored Credentials are all that and a bag of chips.  The items posted here will be mine alone and by no means are to be taken as official TriCipher statements, policy or (insert your own typical legal CYA-speak here).  So there, that’s out of the way.

Last on my “first post list” is what we are going to be discussing here.  Well, if it hasn’t become clear at this point, I’m going to be posting about issues loosely around: strong authentication, reliable identity, federated identity, digital signing, personal data controls and privacy / anonymity issues, as well as how these relate to the things we like to do online:  shop, chat, game, blog, consume and interact with various digital media.  Roughly stated, I’m going to speak my mind on items relating to our ever emerging online life and the issues that matter to those of us that consider online as an important part of what comprises our overall lives.  Where it goes from there is up to you, the readers and hopefully posters.