Predicting the Future of Identity
As we think about the future of banking, we’ve collected a few favorite quotes about predicting the future. Yogi Berra notes, “It’s tough to make predictions, especially about the future.” And we all know of wildly inaccurate predictions, which makes Peter Steiner’s New Yorker cartoon (with the dog talking about how “On the Internet no one knows you’re a dog”) so amazing.
In July 1993 when Peter published the cartoon, Mosaic was only about 6 months old. Never heard of Mosaic? It was the first browser. This was about a year before Netscape was created in 1994. And before Microsoft introduced the first version of Internet Explorer. So in mid-1993 Peter recognized the issue of identity on the Internet and created a timeless and prescient cartoon. It’s nearly 2009, and even today on the Internet, no one really knows who you are.
How do we think about the future of banking without having a sense of who you are? Consider – today when our dog visits a site the best systems ask a series of questions: Who are you? Where do you live? Where else have you lived? How much is your mortgage? Through the best of these questions we separate the real dog from a pretend dog, and we verify an identity for Rover. For that instant, and perhaps for the remainder of a session, the site has verified Rover. To make it easier to return, we create a User ID (or identifier) for Rover and give him a password.
A week later when Rover comes back to the site, Rover authenticates himself with the User ID and Password. But our sense that Rover is really Rover starts to diminish. Is someone else using Rover’s computer? Does Rover have a roommate, child or significant other who knows or can guess Rover’s ID and Password? If so, the site may think Rover is visiting when someone else is pretending to be Rover.
Worse, even that initial verification of Rover’s identity is now becoming suspect. More and more about Rover is becoming widely known and readily available from the Internet. In this light, how does the banking industry manage identity in the future? Identity and its relatives: Trust, Privacy, and Security will be ongoing topics of our research and this blog.
Consider Identity, and comment on your best experiences with identity, verification and authentication – what kinds of systems do you like? Do you have ideas for better identification in the future? Would you have predicted 15 years ago that we’d still be using IDs and Passwords today? Will we still be using them 15 years from now?
March 1st, 2009 at 3:09 pm
I think part of the problem is that banks have never seen authentication as a line of business, only as a cost of business. If banks were to implement an effective digital identity management strategy — perhaps using some kind of two-factor authentication in the context of standard protocols (e.g., OpenID) — then surely other companies would want to use the same scheme rather than implement their own piecemeal solutions. I’d be happy using a bank card to log in to, say, eBay or whatever.
March 4th, 2009 at 2:43 pm
Come Join the Party.
The PC industry has taken the first step and now it is time for the banks to join the party.
The foundation of any identity is strong Authentication. Strong Authentication requires strong protection of a SECRET so that when we want to prove we are the person who was enrolled we can demonstrate we are in control of the secret. To secure the secret the best practice is to keep it in a hardware SAFE so the secret can only be used when we want it used. A SmartCard or a USB token is a good example of this type of security for authentication. The problem of course is how do we get hardware in everyone’s hands. This is where the PC industry comes in. Through the work of the Trusted Computing Group, an industry Standards body, 325 MILLION Trusted Platform Modules have been deployed worldwide.
This is a hardware security chip that is on the motherboard of all business PCs and it is starting to appear in some consumer PC models as well. This chip is designed to store KEYs that are used for authentication to any and all services. As a user I can have one ID or many. The keys are held in tamper resistant hardware on the motherboard and cannot be stolen by Software, Users, Viruses…. A key on a TPM can be made specific to a single user by adding a password to the TPM. This is not a password that goes over the network but is a password that will only work on that specific PC for a specific key. The password is checked by the TPM’s internal logic so that there are no risks introduced by the operating system. If the password matches then the KEY will be allowed to be used by the TPM to authenticate a USER to the service.
Most professional users or Power users that have laptops provided by their business have a TPM. This is now getting to be a big installed base even for BofA. The bank should make it possible to enroll the TPM with the existing BofA applications. This will dramatically reduce the authentication risks. BofA should use this TPM authentication in partnership with Visa 3D secure to eliminate credit card fraud for transactions that are done from the user’s own PC. BofA should allow federation of this credential to enable users to have secure authentication to other services as well. Finally BofA should use this Identity to enable electronic signing that will make for faster transactions with the bank and others.
The TPM does bind the user to their PC but a user can have keys on multiple computers and the user can carry a device that will interoperate with the TPM technology. The point is that a single modification to the authentication systems at BofA can be compatible with hardware that 325 million users already own.
With 325 million TPMs deployed worldwide there is an opportunity to enable a worldwide brand and franchise for multifactor authentication that is a once in a market opportunity. Banks have a unique opportunity because of their bricks and mortar but it will not last for long. With MySpace, Facebook and Google interested in identity, BofA would have to wake up and execute.
For many, TPMs are a new technology and their impact is not yet well understood. My company Wave Systems Corp has shipped more than 45 million copies of software to enable the TPM. It is a powerful piece of the identity puzzle and it is a global standard. As the applications take advantage of it perhaps we will be able to put the concept of a User ID and Password into the Science museum next to the floppy disk, both cool technologies that are part of the history books.
Steven Sprague
CEO
Wave Systems Corp.
ssprague@wavesys.com
P.S. All internal computers at BofA have TPMs including all of their recently acquired banks as well. They will secure your VPN, Wireless, Core Network, Branch Banks……
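The flow described in the comment above (a key held in the chip, a password checked locally, and the key then used to authenticate to a service) can be modelled in software. This is an added example, not part of the comment and not Wave Systems or TCG code: `SoftTPM`, `Enroll`, `Sign` and `Login` are hypothetical names, a Go struct stands in for the hardware, and Ed25519 is an assumed choice of signature algorithm.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// SoftTPM is a hypothetical software stand-in for the chip; the key never leaves it.
type SoftTPM struct {
	priv     ed25519.PrivateKey
	authHash [32]byte // digest of the local password, checked only inside Sign
}

// Enroll creates a password-bound key; the service stores only the public half.
func Enroll(password string) (*SoftTPM, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &SoftTPM{priv: priv, authHash: sha256.Sum256([]byte(password))}, pub
}

// Sign checks the password locally and only then signs the service's challenge.
func (t *SoftTPM) Sign(password string, challenge []byte) ([]byte, error) {
	h := sha256.Sum256([]byte(password))
	if subtle.ConstantTimeCompare(h[:], t.authHash[:]) != 1 {
		return nil, errors.New("wrong password: key not released")
	}
	return ed25519.Sign(t.priv, challenge), nil
}

// Login is the service side: fresh nonce out, signature check in; no password seen.
func Login(pub ed25519.PublicKey, sign func(nonce []byte) ([]byte, error)) bool {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return false
	}
	sig, err := sign(nonce)
	return err == nil && ed25519.Verify(pub, nonce, sig)
}

func main() {
	tpm, pub := Enroll("local-pin") // constructed sample password
	sign := func(n []byte) ([]byte, error) { return tpm.Sign("local-pin", n) }
	fmt.Println("login ok:", Login(pub, sign))
}
```

Because every login signs a fresh nonce, a signature captured from one session does not verify in the next, and the service database holds nothing that lets an attacker sign.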
March 4th, 2009 at 2:44 pm
Great article!
July 14th, 2009 at 2:25 pm
One system that has failed to work for me is the “security question” - especially ones that do not allow you to create your own question. These questions are not “secure” at all, unless the user is clever enough to put down a “wrong” answer to a common question that others know the “right” answer to. In this case the user might even forget the “wrong” answer they chose, thereby defeating the whole purpose of such a question to identify forgotten passwords!
September 21st, 2009 at 6:25 am
Hi Todd,
I take a quick look at inside work as often as I can. I enjoyed your “Predicting the Future” very much and was pleased to find that it came from you.
I am reassured that old visions are still effective in this new world of young visionaries. There is, as I am sure you know, a common opinion floating around that most of the old visions or rules of performance and conduct are not applicable anymore. I was beginning to buy that until your post this month.
Thank you for reminding a greying guy to feel confident that what he has learned and believed is still relevant.