Tuesday, July 6, 2010

Authenticating people: Arent' there any better way out?

Do you ever have one of those weeks when everything just seems twice as hard as it should be? I don’t know about you but I dread having to call my bank for whatever reason, having gone through all the automated, please enter your account number rig morale, we eventually get to a human being and then it gets worse.

Please can you tell me what transaction you did on the 16th day of last month? It goes on and eventually you get so confused and flustered you begin to wonder if it’s actually your account let alone bank and who exactly is the customer here. I don’t know if this has ever happened to you but then sometimes you are told, not always politely, that you have failed security and they are unable to help you, good bye!

There has to be a better way, authenticating people has just become too difficult. The first problem is that each organisation has a slightly different approach to how they authenticate you, there may be passwords or PINs involved a check on recent transactions or perhaps a check on previously shared personal information. Don’t we need a standard way of authenticating people?

Then there are those PINs and passwords, sometimes they are numeric, sometimes they are alpha based, sometimes there must be a number, sometimes at least 9 digits, oh and successive digits in a sequence are not allowed. I could go on and on but what a ridiculous state to be in. We can debate whether it is advisable to have a common password but dear friends tell me who can remember 10 different passwords unless they are used everyday, so then we have to write them down, is that safe? Any way all these different systems prohibit a common password by their weird and wonderful rules of acceptability. Has anybody ever examined the reaction of users to all these different systems?

Well I can hear you thinking what is the solution then? So let’s gently wander through the garden to see what might be acceptable to both the prover and the verifier (don’t worry this is just about the extent of my technical knowledge). In everyday use we need to prove our identity in both the physical and virtual worlds. In the former case a photo identity card like a driving license is widely accepted, now I have no problem with this but how about those people who don’t have a driving license? Well why don’t they just go and get one! So I guess the thing here is that we have a common document that does involve a registration process. Now here is the test, if I went to the bank and on presentation of the photo ID I (previously registered with the bank) was allowed to empty my bank account would that be OK? Well who would be on risk here in the event of fraud? What is the probability that someone could counterfeit my photo ID and look sufficiently like me to be accepted by the bank teller? Doesn’t this just make you feel a little nervous?

It all sounds a bit like single factor authentication so we just need something else. Now I can speak with authority here, the other part of the family has spent at least 30 years trying to persuade people to carry widgets not too different to the gizmos the banks are currently providing to be used in conjunction with your debit or credit card for on-line banking. However in this case, you don’t need to carry them around at all because normally you would be doing the banking at home in the evening.

There is light at the end of the tunnel, everybody these days does carry a widget around with them, usually in the disguise of a mobile phone. So what I need the teller to do is to authenticate the phone in my purse as the one belonging to me and previously registered with the bank. They could send some code by SMS which I just replay to them, probably wouldn’t take more than 10 seconds. Still remembering minutes or what seemed like hours of previous exasperation it would be pretty good for me and would also do the business in the online world although we would also need a virtual driving license or something to get back the two factor authentication!

This may seem like a rant but is it really that difficult to authenticate people?


1 comment:

  1. Patsy,

    Yes, most of what today is being advertised and suggested as multi-factor authentication is really multiple instances of the same factor. Our Web Service The Voice Signature Service enables the implementation of very strong authentication by providing the out-of-band call you described for proving "What You Have" and adding Voice Biometric confirmation in an interaction taking 9 seconds proving "Who You Are".

    More info at TradeHarbor.com

    Thanks Paul