Comments for Identity Musings

Comment on “Meeting an Immovable Object” – The Economics of Consumer Identity Providers by Todd

Todd — Fri, 22 Mar 2013 23:12:43 +0000

Google, Paypal, and others have been following the transactional, risk-based model the banks started building out in reaction to the FFIEC guidance on risk-based authentication for electronic transactions. What the FFIEC and backers of the guidance didn’t realize, but experts in banking (and elsewhere) have come to realize is that the devices we use can’t be trusted. That means the whole concept of identity assurance levels may be broken for IDPs, certainly the model of door step authentication needs to be updated to reflect today’s reality.

Zeus and other malware have shown they can be patient, waiting for the legitimate user to log on, then hijacking a session and committing transactions on a user’s behalf. Banks had to quickly adapt to this world by looking at transactional risk – does Todd normally use a cyrillic keyboard? does Todd often move large sums of money in the middle of the night? Is Todd really logging in from Kuala Lumpur 20 minutes after logging out in Baltimore?

NIST’s models haven’t kept up with this change in risk management requirements. We can’t authenticate Todd at the front door and let him roam freely. Instead we need to think about Todd’s transactions and activities – is this behavior normal for Todd? Is it normal for other people like Todd? Is this transaction abnormal for Todd? The answers to these and other questions will feed risk decisions for every transaction – including some very high-value transactions perhaps un-imagined in the traditional model, but completely in line with today’s online reality.

Comment on “Meeting an Immovable Object” – The Economics of Consumer Identity Providers by winemaker

winemaker — Fri, 22 Mar 2013 02:35:42 +0000

I agree about the front door authentication point Nat – continuous evaluation of identity credential verification or at least defined points in a transaction stream where re-evaluation or or step-up evaluation can be made allows for the context of the transaction (final cost, risk analysis of transaction content etc) to be included in the decision process

Comment on “Meeting an Immovable Object” – The Economics of Consumer Identity Providers by Nat Sakimura

Nat Sakimura — Fri, 22 Mar 2013 01:01:50 +0000

I suppose it is time to redefine them based on the real world experience.

Also, IMHO, door step authentication is not the only method for the risk mitigation.
It is fine as long as the risk is mitigated / accounted for in some manner.
It is perfectly fine to compliment the weakness of the technical measure with
operational or financial controls, sometime somewhere during the course of transaction.

Comment on “Meeting an Immovable Object” – The Economics of Consumer Identity Providers by Jim Fenton

Jim Fenton — Thu, 21 Mar 2013 19:20:48 +0000

However, the “assurance” required for in practice for most commercial transactions barely equates to a NIST Level of Assurance (LOA) 2 Identity. It's really a lot worse than that. Even level 1 requires that re-authentication cookies be only valid for 12 hours, and some authentication still doesn't use TLS. In my experience, most commercial transactions happen somewhere below LOA 1.

Comment on The Identity Information Ecosystem is ready for Startups by Mike Jones: self-issued » My congratulations to Andrew Nash

Mike Jones: self-issued » My congratulations to Andrew Nash — Wed, 18 Jul 2012 21:39:34 +0000

[...] congratulations to Andrew Nash on his new position as CTO of Trulioo. Have fun playing on the swings and the monkey [...]

Comment on The Identity Information Ecosystem is ready for Startups by Mike Jones

Mike Jones — Wed, 18 Jul 2012 21:17:31 +0000

Have fun playing on the swings and the monkey bars!