<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	>
<channel>
	<title>Comments on: Predicting the Future of Identity</title>
	<atom:link href="http://futurebanking.bankofamerica.com/thinking-identity_632/feed" rel="self" type="application/rss+xml" />
	<link>http://futurebanking.bankofamerica.com/thinking-identity_632</link>
	<description>Future Banking Blog</description>
	<pubDate>Sun, 22 Nov 2009 06:36:07 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.6.3</generator>
		<item>
		<title>By: scart kabel</title>
		<link>http://futurebanking.bankofamerica.com/thinking-identity_632#comment-3286</link>
		<dc:creator>scart kabel</dc:creator>
		<pubDate>Mon, 21 Sep 2009 11:25:16 +0000</pubDate>
		<guid isPermaLink="false">http://futurebanking.bankofamerica.com/?p=632#comment-3286</guid>
		<description>Hi Todd,
I take a quick look at inside work as often as I can. I enjoyed your "Predicting the Future" very much and was pleased to find that it came from you.
I am reassured that old visions are still effective in this new world of young visionaries. There is, as I am sure you know, a common opinion floating around that most of the old visions or rules of performance and conduct are not applicable anymore. I was beginning to buy that until your post this month.
Thank you for reminding a greying guy to feel confident that what he has learned and believed is still relevant.</description>
		<content:encoded><![CDATA[<p>Hi Todd,<br />
I take a quick look at inside work as often as I can. I enjoyed your &#8220;Predicting the Future&#8221; very much and was pleased to find that it came from you.<br />
I am reassured that old visions are still effective in this new world of young visionaries. There is, as I am sure you know, a common opinion floating around that most of the old visions or rules of performance and conduct are not applicable anymore. I was beginning to buy that until your post this month.<br />
Thank you for reminding a greying guy to feel confident that what he has learned and believed is still relevant.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: KarenLP2009</title>
		<link>http://futurebanking.bankofamerica.com/thinking-identity_632#comment-2918</link>
		<dc:creator>KarenLP2009</dc:creator>
		<pubDate>Tue, 14 Jul 2009 19:25:20 +0000</pubDate>
		<guid isPermaLink="false">http://futurebanking.bankofamerica.com/?p=632#comment-2918</guid>
		<description>One system that has failed to work for me is the "security question" - especially ones that do not allow you to create your own question.  These questions are not "secure" at all, unless the user is clever enough to put down a "wrong" answer to a common question that others know the "right" answer to.  In this case the user might even forget the "wrong" answer they chose, thereby defeating the whole purpose of such a question to identify forgotten passwords!</description>
		<content:encoded><![CDATA[<p>One system that has failed to work for me is the &#8220;security question&#8221; - especially ones that do not allow you to create your own question.  These questions are not &#8220;secure&#8221; at all, unless the user is clever enough to put down a &#8220;wrong&#8221; answer to a common question that others know the &#8220;right&#8221; answer to.  In this case the user might even forget the &#8220;wrong&#8221; answer they chose, thereby defeating the whole purpose of such a question to identify forgotten passwords!</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Refinancing Today &#187; Predicting the Future of Identity</title>
		<link>http://futurebanking.bankofamerica.com/thinking-identity_632#comment-1515</link>
		<dc:creator>Refinancing Today &#187; Predicting the Future of Identity</dc:creator>
		<pubDate>Sun, 03 May 2009 10:19:45 +0000</pubDate>
		<guid isPermaLink="false">http://futurebanking.bankofamerica.com/?p=632#comment-1515</guid>
		<description>[...] Predicting the Future of Identity     Leave a comment [...]</description>
		<content:encoded><![CDATA[<p>[...] Predicting the Future of Identity     Leave a comment [...]</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: John</title>
		<link>http://futurebanking.bankofamerica.com/thinking-identity_632#comment-157</link>
		<dc:creator>John</dc:creator>
		<pubDate>Wed, 04 Mar 2009 19:44:26 +0000</pubDate>
		<guid isPermaLink="false">http://futurebanking.bankofamerica.com/?p=632#comment-157</guid>
		<description>Great article!</description>
		<content:encoded><![CDATA[<p>Great article!</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: steven sprague</title>
		<link>http://futurebanking.bankofamerica.com/thinking-identity_632#comment-156</link>
		<dc:creator>steven sprague</dc:creator>
		<pubDate>Wed, 04 Mar 2009 19:43:32 +0000</pubDate>
		<guid isPermaLink="false">http://futurebanking.bankofamerica.com/?p=632#comment-156</guid>
		<description>Come Join the Party.
The PC industry has taken the first step and now it is time for the banks to join the party. 
The foundation of any identity is strong Authentication.  Strong Authentication requires strong protection of a SECRET so that when we want to prove we are the person who was enrolled we can demonstrate we are in control of the secret. To secure the secret the best practice is to keep it in a hardware SAFE so the secret can only be used when we want it used.  A SmartCard or a USB token is a good example of this type of security for authentication. The problem of course is how do we get hardware in everyone’s hands. This is where the PC industry comes in. Through the work of the Trusted Computing Group, an industry Standards body,  325 MILLION Trusted Platform Modules have been deployed world wide. 
This is a hardware security chip that is on the motherboard of all business PCs and it is starting to appear in some consumer PC models as well. This chip is designed to store KEYs that are used for authentication to any and all services. As a user I can have one ID or many. The keys are held in tamper resistant hardware on the motherboard and can not be stolen by Software, Users, Viruses….  A key on a TPM can be made specific to a single user by adding a password to the TPM. This is not a password that goes over the network but is a password that will only work on that specific PC for a specific key. The password is checked by the TPM’s internal logic so that there are no risks introduced by the operating system. If the password matches then the KEY will be allowed to be used by the TPM to authenticate a USER to the service. 
Most professional users or Power users that have laptops provided by their business have a TPM. This is now getting to be a big installed base even for BofA. The bank should make it possible to enroll the TPM with the existing BofA applications. This will dramatically reduce the authentication risks. BofA should use this TPM authentication in partnership with Visa 3D secure to eliminate credit card fraud for transactions that are done from the user’s own PC. BofA should allow federation of this credential to enable users to have secure authentication to other services as well. Finally BofA should use this Identity to enable electronic signing that will make for faster transactions with the bank and others. 
The TPM does bind the user to their PC but a user can have keys on multiple computers and the user can carry a device that will interoperate with the TPM technology. The point is that a single modification to the authentication systems at BofA can be compatible with hardware that 325 million users already own.
With 325 million TPMs deployed worldwide there is an opportunity to enable a worldwide brand and franchise for multifactor authentication that is a once in a market opportunity.  Banks have a unique opportunity because of their bricks and mortar but it will not last for long. With MySpace, Facebook and Google interested in identity, BofA would have to wake up and execute. 
For many, TPMs are a new technology and their impact is not yet well understood. My company Wave Systems Corp has shipped more than 45 million copies of software to enable the TPM. It is a powerful piece of the identity puzzle and it is a global standard. As the applications take advantage of it perhaps we will be able to put the concept of a User ID and Password into the Science museum next to the floppy disk, both cool technologies that are part of the history books.
 
Steven Sprague
CEO
Wave Systems Corp.
&lt;a href="mailto:ssprague@wavesys.com" rel="nofollow"&gt;ssprague@wavesys.com&lt;/a&gt;
P.s. All internal computers at BofA have TPMs including all of their recently acquired banks as well. They will secure your VPN, Wireless, Core Network, Branch Banks……</description>
		<content:encoded><![CDATA[<p>Come Join the Party.<br />
The PC industry has taken the first step and now it is time for the banks to join the party.<br />
The foundation of any identity is strong Authentication.  Strong Authentication requires strong protection of a SECRET so that when we want to prove we are the person who was enrolled we can demonstrate we are in control of the secret. To secure the secret the best practice is to keep it in a hardware SAFE so the secret can only be used when we want it used.  A SmartCard or a USB token is a good example of this type of security for authentication. The problem of course is how do we get hardware in everyone’s hands. This is where the PC industry comes in. Through the work of the Trusted Computing Group, an industry Standards body,  325 MILLION Trusted Platform Modules have been deployed world wide.<br />
This is a hardware security chip that is on the motherboard of all business PCs and it is starting to appear in some consumer PC models as well. This chip is designed to store KEYs that are used for authentication to any and all services. As a user I can have one ID or many. The keys are held in tamper resistant hardware on the motherboard and can not be stolen by Software, Users, Viruses….  A key on a TPM can be made specific to a single user by adding a password to the TPM. This is not a password that goes over the network but is a password that will only work on that specific PC for a specific key. The password is checked by the TPM’s internal logic so that there are no risks introduced by the operating system. If the password matches then the KEY will be allowed to be used by the TPM to authenticate a USER to the service.<br />
Most professional users or Power users that have laptops provided by their business have a TPM. This is now getting to be a big installed base even for BofA. The bank should make it possible to enroll the TPM with the existing BofA applications. This will dramatically reduce the authentication risks. BofA should use this TPM authentication in partnership with Visa 3D secure to eliminate credit card fraud for transactions that are done from the user’s own PC. BofA should allow federation of this credential to enable users to have secure authentication to other services as well. Finally BofA should use this Identity to enable electronic signing that will make for faster transactions with the bank and others.<br />
The TPM does bind the user to their PC but a user can have keys on multiple computers and the user can carry a device that will interoperate with the TPM technology. The point is that a single modification to the authentication systems at BofA can be compatible with hardware that 325 million users already own.<br />
With 325 million TPMs deployed worldwide there is an opportunity to enable a worldwide brand and franchise for multifactor authentication that is a once in a market opportunity.  Banks have a unique opportunity because of their bricks and mortar but it will not last for long. With MySpace, Facebook and Google interested in identity, BofA would have to wake up and execute.<br />
For many, TPMs are a new technology and their impact is not yet well understood. My company Wave Systems Corp has shipped more than 45 million copies of software to enable the TPM. It is a powerful piece of the identity puzzle and it is a global standard. As the applications take advantage of it perhaps we will be able to put the concept of a User ID and Password into the Science museum next to the floppy disk, both cool technologies that are part of the history books.<br />
 <br />
Steven Sprague<br />
CEO<br />
Wave Systems Corp.<br />
<a href="mailto:ssprague@wavesys.com" rel="nofollow">ssprague@wavesys.com</a><br />
P.s. All internal computers at BofA have TPMs including all of their recently acquired banks as well. They will secure your VPN, Wireless, Core Network, Branch Banks……</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Links for 3/2/2009 &#171; Steve Grossman</title>
		<link>http://futurebanking.bankofamerica.com/thinking-identity_632#comment-155</link>
		<dc:creator>Links for 3/2/2009 &#171; Steve Grossman</dc:creator>
		<pubDate>Mon, 02 Mar 2009 23:00:30 +0000</pubDate>
		<guid isPermaLink="false">http://futurebanking.bankofamerica.com/?p=632#comment-155</guid>
		<description>[...] The Future Banking Blog predicts the Future of Identity. [...]</description>
		<content:encoded><![CDATA[<p>[...] The Future Banking Blog predicts the Future of Identity. [...]</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Dave Birch</title>
		<link>http://futurebanking.bankofamerica.com/thinking-identity_632#comment-154</link>
		<dc:creator>Dave Birch</dc:creator>
		<pubDate>Sun, 01 Mar 2009 20:09:49 +0000</pubDate>
		<guid isPermaLink="false">http://futurebanking.bankofamerica.com/?p=632#comment-154</guid>
		<description>I think part of the problem is that banks have never seen authentication as a line of business, only as a cost of business.  If banks were to implement an effective digital identity management strategy -- perhaps using some kind of two-factor authentication in the context of standard protocols (eg, OpenID) -- then surely other companies would want to use the same scheme rather than implement their own piecemeal solutions.  I'd be happy using a bank card to log in to, say, eBay or whatever.</description>
		<content:encoded><![CDATA[<p>I think part of the problem is that banks have never seen authentication as a line of business, only as a cost of business.  If banks were to implement an effective digital identity management strategy &#8212; perhaps using some kind of two-factor authentication in the context of standard protocols (eg, OpenID) &#8212; then surely other companies would want to use the same scheme rather than implement their own piecemeal solutions.  I&#8217;d be happy using a bank card to log in to, say, eBay or whatever.</p>
]]></content:encoded>
	</item>
</channel>
</rss>
