A question of verification and authentication
Malware hits the Mac but is it worth worrying about?
It is now over a year since the Jericho Forum announced its commandments around identity management and how identity and access management technology should work.
The concept was that people should be in control of their identity, rather than companies controlling access and determining logins. Jericho Forum claimed that its commandments "represent a set of open and interoperable principles that IT professionals can use to build a user-centric security framework within their organisations". They were as follows:
1. All core identities must be protected to ensure their secrecy and integrity
2. Identifiers must be able to be trusted
3. The authoritative source of identity will be the unique identifier or credentials offered by the persona representing that entity
4. An entity can have multiple separate persona (identities) and related unique identifiers
5. Persona must, in specific use cases, be able to be seen as the same
6. The attribute owner is responsible for the protection and appropriate disclosure of the attribute
7. Connecting attributes to persona must be simple and verifiable
8. The source of the attribute should be as close to the authoritative source as possible
9. A resource owner must define entitlement
10. Access decisions must be relevant, valid and bi-directional
11. Users of an entity's attributes are accountable for protecting the attributes
12. Principals can delegate authority to another to act on behalf of a persona
13. Authorised principals may acquire access to (seize) another entity's persona
14. A persona may represent, or be represented by, more than one entity
Last year, Paul Simmonds, former CISO of AstraZeneca and board member of the Jericho Forum, told SC Magazine that with identity and access management (IAM), the main challenge is containing identities within the perimeter as business communications fragment.
The issue was later addressed by Sir Tim Berners-Lee, who said at RSA Conference Europe 2011 that users should be able to control their information and store it as they wish and complained that personal data is often not controlled by the ‘owner', and when it is given to a third party it is often hard to know who it is ultimately shared with, calling it ‘dysfunctional'.
I recently spoke with Richard Law, CEO of GB Group, whose verification technology is used as a third-party solution to verify users by retailers, banks and gambling websites. He said that proving your identity was and remains an issue. The system it built in 2004 verifies 13 million people a year and its vision is to verify anyone anywhere in the world at any time and to be a true enabler of online business.
I ran the concept of the user ‘owning' their identity past him and he said that Microsoft had tried to do it with Passport and Google tried to do it with Google +, but he didn't see it happening, as it relies too much on collaboration.
“I think that people networking depends on deploying identity into a single place. Identity is a point of contact and everything will need to be password protected going forward,” he said.
“Verifying anyone anywhere at any time is not a pie in the sky idea. If you can verify people then there is a chance with tokens and that requires a management system, but who do you trust to do it with? We did a survey and there was not much traction for social networks, there was some with credit card providers but most was government, but it was the best of all evils! Verification is fundamental to the process of knowing who a person is.”
Speaking about the Jericho Forum commandments, Law said that if an instance were to arise where GB Group became the trusted issuer, it would have to convince everyone to give them their data and it would issue a token that would be verifiable to them.
He said: “We would have to go to all organisations and say ‘trust us to verify the individual'. What Microsoft tried to do in 1998 was a very efficient model, but with Google + it wanted to verify everyone to be a trusted issuer of identity in an online world, but not everyone wants to give Google their personal details and don't want them to have the power. It can be massively efficient and effective, but who does it?”
The recent instance with Dropbox being hacked due to shared passwords being used by its users demonstrated the potential security benefits if a user ‘owned' their identity and the website/application authenticated them.
Law admitted that this is an ongoing issue and the only way to eliminate the problem of hacking passwords is to verify the user at the point of contact, and he said that his view was that personal data should remain with the individual.
Password and identity software is a tricky area. Should we all be using two-factor authentication tokens? Yes, but who deploys them? Should we all be using strong passwords? Yes, but who can remember multiple complex passwords and if you create one and use it everywhere, well you may as well use ‘password1234' everywhere.
A recent survey by mSeven Software revealed that 70 per cent of users rely on their brain power to retain all the passwords they must use, while almost 50 per cent of respondents admitted that they use fewer than four passwords to gain access to all of their protected websites.
This situation has to be fixed in our lifetime because at the moment, it is hard to see a light at the end of the tunnel.