The Authentication Continuum

A single identity or a single form factor is an impossible aspiration and will not solve the bigger problem of transaction, application and service enablement...

To start this entry I would like to remind us of the wide range of fundamental changes now under way, changes that place us all on the edge of an abyss of great change:

  • Device proliferation -- phones, PDAs, set-top boxes, laptops, Blackberries, web terminals, game consoles etc.
  • Ubiquitous connectivity and network availability -- wireless, broadband, 3G, etc.
  • Service availability -- wireless service providers, ASPs, retailers, online banking, digital TV and radio, FMCG, etc.
  • Web and information richness -- information creates intelligence, and constitutes a change in perceptions of value. Real value is now digital rather than physical in nature, and frictionless.
  • Growing familiarity of technology and application interfaces to mainstream users; technology becomes easier and friendlier
  • Horizontal integration of vertical markets -- banks becoming insurers, retailers becoming banks, telcos becoming ISPs, ISPs becoming retailers, etc. And all of them aggressively available "on-line".
  • Connections -- one thing leads to another...

In a previous blog entry I talked about the Continuum of Authentication, which includes not just strong authentication as the vital foundation-stone of identity, but also recognises the practical imperative of securing closure on any transaction or service, or of establishing device identity in non-human, high-volume automation (for example). This is a continuum that supports the real world reflected by the dynamics bulleted above.

[Figure: Authentication Continuum]

In other words, giving us a means to go about our day-to-day lives unobtrusively, conveniently paying for a wide range of services (buying petrol, buying goods online, train travel, events and leisure, making calls, viewing information) and so on, does require an appropriate form of securing closure, in most cases without requiring full "Identity".

In fact, as we saw, digital cash (at the bottom end of the continuum) benefits by its nature, from the user's perspective, from complete anonymity (unlike the Manchester City Football Club card shown below!).

Neither users nor providers have a vested interest in allowing this semantic web of transactions and services to evolve with a massive proliferation of mechanisms for authenticating.

Users already suffer from too many passwords, too many PINs and too many payment cards. The growth in connected and ubiquitous devices, the maturity of smart cards, the proliferation of federated payment mechanisms (Oyster travel cards in the UK) and the evolution of U3 standards in the USB world are all examples of how the future holds more proliferation and greater complexity. And that is before counting the accelerating growth of service-specific authentication and payment mechanisms such as the MCFC card illustrated:

[Figure 1: RFID ticket]
Figure 1 -- In the UK, Manchester City Football Club has issued more than a million RFID tickets to date, and these can be used in the club shop as well as at the turnstiles. (RFID Payments: Delivering security and privacy in a global commercial context -- David G.W. Birch)

We have moved from a debate as to what "The" definitive authentication mechanism will be (the most popular candidates? Smart cards vs. biometrics) to a growing acknowledgement that there will be multiple mechanisms, from chip and PIN, to mobile phones, to RFID-embedded payment cards, and so on. This has partly been the result of meeting the pressing and immediate needs of the business landscape, which today means closing a very high volume of low-value transactions in a frictionless digital context. The shift in emphasis has also been accompanied by an equally strong appetite to:

  • Reduce as far as possible the proliferation of mechanisms, or "form factors", by reusing existing mechanisms (smart cards, phones) wherever possible
  • Reduce as far as possible the need for human intervention in authentication (for example, pattern recognition and risk-based authentication)
  • Drive standards (for example, X.509, EMV, CAP, 3-D Secure or VBV, OTPS, etc.)
  • Recognise that the table stakes in meeting authentication requirements will be -- wherever possible -- to keep it simple, accommodate massive scale, and ensure low latency.
  • If possible, combine the underlying business intelligence supporting authentication, as a continuum.

Authentication mechanisms (described from this point on as "form factors") are themselves a hot subject, and one that is often confused with the whole question of authentication as a wider solution set. Form factors are simply a means to enable authentication, and are the final link in the bigger subject of balancing risk when closing online information and value exchanges.

Underneath and around the form factors are a wide range of process, people, and technology architectures -- and approaches that between them represent the real value in authentication.

Furthermore, the form factors most widely referred to in mainstream conversations around authentication normally represent just "second-factor" (something you have) authentication, but there are many other factors to consider. One of my colleagues, Brian Gladstein, considers "higher level authentication" to include the following:

Examples of Mechanisms, or "Form Factors":
  • Possessive Factors (something you have) (token, smart card etc.)
  • Knowledge Factors (something you know) (password, PIN, or other knowledge)
  • Personal Factors (something you are) (biometric)
  • Deployed Factors (something you install)
  • Delivered Factors (something you get)
  • Analytic Factors (something you do)
Services:
  • Validation (multi-factor validation)
  • Administration (adaptation policies, identity & access management integration)
  • Auditing (archive, analyze, assess, audit)
  • Community Services (federation, threat analysis and response)
(Brian Gladstein -- RSA Security)

To close (for today!), we can overlay some of these form factors onto the continuum and consider their respective appropriateness (either individually or in combination) for different levels on our volume/value continuum:

[Figure: Authentication Continuum with form factors overlaid]

As we can see, the role of authentication as a foundation stone for identity (as expressed in previous blogs) is profoundly important, but today the pressing issue is one of business common sense and a pragmatic risk/return trade-off in fulfilling the requirement for authentication at the bottom end of the continuum.
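The overlay above is easier to reason about as a policy than as a picture. The following is an added example, not code from the original post, from RSA Security or from Brian Gladstein: a small risk-based step-up engine that models the volume/value continuum. Each transaction gets a risk score from its value and its context (the "analytic" factor, something you do), and the score selects which of the factors named above (possessive, knowledge, personal) the service must collect before closing the transaction. The thresholds, weights, factor names and sample transactions are all constructed assumptions chosen to illustrate the idea, not figures from the post.

```python
"""Risk-based step-up authentication along a value/volume continuum.

Added example. Every number below (value bands, signal weights, policy
thresholds, velocity limit) is a constructed assumption for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# Policy: minimum risk score -> factors that must be presented. Ordered low
# to high so the highest band reached wins. An empty set is the anonymous,
# digital-cash end of the continuum.
POLICY = [
    (0, frozenset()),                                          # anonymous
    (20, frozenset({"possessive"})),                           # tap card/phone
    (40, frozenset({"possessive", "knowledge"})),              # chip and PIN
    (70, frozenset({"possessive", "knowledge", "personal"})),  # full identity
]


@dataclass
class Transaction:
    user: str
    value: float        # currency units
    device_known: bool  # device seen before for this user
    geo_matches: bool   # location consistent with recent history
    channel: str        # "pos", "web" or "mobile"


class RiskEngine:
    """Scores transactions without human intervention (the analytic factor).

    Keeps a per-user transaction count so a burst of cheap transactions
    from one user (velocity) pushes even low-value activity up the continuum.
    """

    def __init__(self, velocity_limit: int = 5):
        self.velocity_limit = velocity_limit
        self._history = defaultdict(int)

    def score(self, tx: Transaction) -> int:
        s = 0
        # Value band: the vertical axis of the continuum.
        if tx.value >= 500:
            s += 50
        elif tx.value >= 50:
            s += 30
        elif tx.value >= 5:
            s += 10
        # Context signals that cost the user nothing to provide.
        if not tx.device_known:
            s += 20
        if not tx.geo_matches:
            s += 20
        if tx.channel == "web":
            s += 10
        # Velocity: count this transaction, then penalise once over the limit.
        self._history[tx.user] += 1
        if self._history[tx.user] > self.velocity_limit:
            s += 25
        return min(s, 100)

    def required_factors(self, tx: Transaction):
        """Return (score, factor set) by walking the policy bands upward."""
        s = self.score(tx)
        needed = frozenset()
        for threshold, factors in POLICY:
            if s >= threshold:
                needed = factors
        return s, needed


def authorise(engine: RiskEngine, tx: Transaction, presented):
    """Return (decision, score, missing).

    "allow" closes the transaction with what was presented; "step_up" tells
    the caller which further factors to collect before closing.
    """
    score, needed = engine.required_factors(tx)
    missing = needed - frozenset(presented)
    return ("allow" if not missing else "step_up"), score, missing


if __name__ == "__main__":
    engine = RiskEngine()
    samples = [  # constructed sample transactions
        (Transaction("alice", 3.0, True, True, "pos"), []),
        (Transaction("bob", 60.0, True, True, "web"), ["possessive"]),
        (Transaction("carol", 800.0, False, False, "web"), ["possessive", "knowledge"]),
    ]
    for tx, presented in samples:
        print(tx.user, authorise(engine, tx, presented))
```

The velocity check is the part worth noting: a single low-value tap at a turnstile sits in the anonymous band, but the sixth tap from the same user inside the window is stepped up to a possessive factor, so the policy reacts to behaviour (something you do) before it ever asks the user for something they know.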

Next week I will extend the concept and ask "what does it all mean?"
