Session at the Consumer Identity World 2017 APAC in Singapore
There we go. Okay. So let's talk about passwords for a little bit. Passwords are a nice, very emotionally charged issue.
80%, 81% of all data breaches, according to a Verizon business study that was done earlier this year, involve the exploitation of stolen passwords. Now just let that sink in for a minute: 81%. Right?
So, if there's anything broken about security, maybe it's this, with the data breach epidemic continuing the way it is. And in 2016, according to the same study, 3 billion passwords were stolen from various databases. So just to give you an idea of the magnitude of the problem that's going on here. Now, ever since at least 2004, but probably before that, a lot of very smart people in the industry have been saying that passwords are dead. Uncle Bill, yep, he said that famously in 2004 at Microsoft. Fast forward 10 years: am I allowed to put a Gartner analyst on a KuppingerCole slide?
No? Just kidding. This is someone who's an expert, and much better looking. What's that? Much better looking than a KuppingerCole analyst? You need to hire her. But Avivah also says, she said passwords were dead a few years ago. Now they're more than dead.
So there's this meme going on now that passwords are dead. Are they? How many of you hear that passwords are dead? Just a show of hands. How many of you would say that passwords are dead? Wow. Not one. We use them every day. This is an astute crew. That's right. Would you say, start, we use them every day. We use them every day. So, exactly right. And this is how many we use: 90 billion, right? Every day. And by 2020, this is all from the same Verizon study, it's projected to be 300 billion passwords. Right.
So, when we go to conferences, we hear about all of the great biometrics, adaptive authentication, all of the great new stuff that's out there. In reality, that's only a very small piece of what's being used today.
We're seeing adoption on mobile devices more than anything else, but I can tell you for a fact that most of the IoT devices that are being built right now, the vast, vast majority of them, are being built with username and password, and not paying attention to a number of the best practices that I'm going to talk about here. Right? So we're moving into an era where the number of devices is exploding, and still, still with passwords.
So yeah, they're not dead. They're not dead yet. And who is the science fiction author that said the future's already here, it's just not evenly distributed? You don't remember who said that, but the future is already here, it's just not evenly distributed. We have biometrics, we have all of these things, but it's going to be a while. We're going to be living in a multi-layered type of situation for a good while to come. Seven years is not unrealistic. So let's talk about passwords, and what's making passwords continue to cling on.
Passwords, I think, have been around forever. The first password was used in an MIT system in 1961. Right? So passwords are just part of the lore of IT.
Sorry, William G... William Gibson. Thank you. That's the one I was looking for. William Gibson said that, yeah, the future is already here, it's just not evenly distributed. Passwords are present in hundreds of millions of systems.
And soon to be billions, as we've seen. Migrating, you know, passwords are sort of dug in to most enterprise IT platforms, so migrating to new controls is not an easy exercise, right? You've got to worry about what you're going to do with the user credentials and how you're going to migrate them securely, or you require people to re-register. There are a lot of issues around that. And then, as I said, with the IoT, most of the IoT is being built out, consumer IoT devices, industrial IoT devices, are being built out really without any kind of adequate security at all.
It's not just limited to username and password. There's no security with most of these things, full stop. So we have a lot of fun to look forward to in the next few years. The new-generation controls that I'll talk about, that we've talked about in this conference, haven't stood the test of time yet; they're still in. And finally, people resist change.
So I still read security trade journals, Dark Reading, and things like that, where there will be articles every once in a while about password best practices and how to, you know, be sure to change your password, use complex characters, do all those types of things. So passwords are still the dominant paradigm that we have now. In talking about how we evolve to the next generation, it's helpful to look at history a little bit. I've been working with authentication for roughly 20 years, mostly on the consumer-facing side of things.
So, as I mentioned, 1961 was sort of the dawn of it, right; that was the first known use of passwords in the world. Then if you fast forward to the late eighties, we started to see PC banking, and then in the late 1990s, when the internet came along, we saw internet banking come along. You know what? Nothing really happened, security-wise. Nothing significant really happened during this whole period. Right.
And maybe it was because it didn't have critical mass yet. Maybe there wasn't enough money being moved, but you didn't really start to see major hacking attacks against banking applications until around 2002, 2003. And by the way, this coincided with the start of the identity theft epidemic; 2002, 2003 is when we started really hearing about it, really having to pay attention to it. And this is when we started to get phishing in a big way.
I mean, it's always been around, but now in a big way. And we started to get... you all know what a keylogger is. Yeah.
So this sort of got us to the data breaches that were caused by this, and brought us to the regulators stepping in. In the US it was the FFIEC, and a lot of other countries followed after that, and basically said that at least for banking applications, which is kind of my focus here, banking and financial services, multifactor authentication is mandatory. It didn't say anything about how to do the multifactor, just that it was mandatory. So, looking at the security strengths and weaknesses of passwords, this is rather high level, simply because we don't have time to go into depth about it.
Every authentication form has its own strengths and weaknesses, and with passwords, it's clear that they're widely used. And this is my own opinion, just as a cybersecurity guy: passwords are actually pretty good when they're used well, right.
But the trick is that they're not used well most of the time, right. When passwords are complex and they contain a variety of characters, or they're changed often and things like that, passwords actually work pretty well. But the problem is the users, and it's all of us, right?
I'm as guilty as anyone else. I hate having to change my password and having to try and remember it. I use a password manager. Anyone here use a password manager? Yeah, good. This is a great audience. I've had talks where nobody raised a hand for that.
So, if you use a password manager, it's reasonably okay. But of course passwords are subject to so many different attacks, and a password is arguably poor for user experience.
Very, very high-level evaluation. Anyone using these still today? Yes.
Singapore, if you look at Singapore, you use it for your bank, don't you? Yeah. I keep hearing they're going to be phased out.
They should be phased out. But basically, obviously at this point they're used a lot. What about this? What about SMS? Right?
Singapore, you get that too. Well, right. It's pretty commonplace. I'd say those are the standard things that you're going to see in mobile and online banking around the world, with the exception that, right, it's either SMS-based or token-based now.
So those are making use of one-time passwords, or simple dynamic passwords, where the security improvement is just that if you steal my password, it's going to expire in a few minutes. And so you'd have to continually steal my password in order to make it valuable to you as a hacker who wants to break into my system.
Now, these, I want to say, are pretty widely available and accepted as the standard. And most of the security enhancement has been around passwords, right? So until we got to biometrics, most of the additional multifactor and different features have really been trying to make passwords stronger. So the variability is a security strength, the fact that it changes every few minutes. And then you have the out-of-band aspect. If it's being sent over SMS, for example, that is arguably a security strength, even though NIST has said, basically, it's not anymore.
SMS passwords, pretty much all types of one-time passwords, are a good compromise in general. Now, there are all types of different attacks.
There's the SecurID attack. There's a thing called a SIM swap. Raise your hand if you'd like me to explain them, because there's a bit of detail about all of them. Even hackers getting into the telcos' SS7 networks; these are the switching networks that the mobile telecommunication operators use, hacking into those. There's no real defense against phishing with passwords, is there, right? I mean, the password is only good if I'm keeping it secret. Arguably a very poor user experience as well.
And the hardware token is one of the reasons they're phasing things out. It's just because they're hardware, right? They're inventory. So if you're a bank issuing a token to all your customers, you've got to worry about them getting lost, damaged, stolen, replacing them, doing all that very securely. It's quite an overhead to do that.
So let's move on in our sort of historical march here. After two-factor authentication kicked in, the hackers got wise to that and started finding ways to beat the two-factor authentication that was out there. So around the 2006, 2007 timeframe, we started to see phishing, man-in-the-middle attacks, your keyloggers, your screen grabbers, things of that nature. And around the late 2000s, mobile banking started to be a mainstream thing; it wasn't a novelty anymore. And so we had a second round around 2010, 2011.
We had a second round of regulatory action, starting with the US. And this is where the US regulator, the FFIEC, said that for banking applications, you need to use out-of-band in addition to multifactor as well. The FFIEC is sort of a bellwether for the rest of the world's regulators.
You see a lot of things starting there and adopted later on. Then we started to see attacks against the out-of-band and SMS authentications, where people were stealing SIMs. There was one in Europe, hitting some of the Swiss banks around 2012, where basically the hacker was able to intercept the one-time password, and its security value was very diminished after that. In 2013, the iPhone 5s came out with Touch ID. It's not the very first smartphone with biometrics. The first was a Motorola; I forget the name of the model, but it was around 2010.
It was quite an early, difficult biometric, but Apple, with the iPhone, was really the one that popularized the use of biometrics on devices. All the other vendors have followed since then.
But again, up until here we're really still thinking about password enhancements, right? This is the first time we're seeing some alternative to the password coming in. And of course then there's this, okay? We all have this, right? Does anybody not have this? It's usually a backup to the password. Now, this is a real problem as a backup to the password, because hackers always look for the point of least resistance, the path of least resistance.
Now, if they can't break the password, they can always call the call center at the bank and see if they can get a password reset. And, you know, who's your best friend? What city? Your mother? What was your dog's name? What's your teacher's name? It's very easy to discover this kind of thing from social media today. So if you want to start surveilling a person, spying on them, you make yourself a friend with them on Facebook. And lots and lots and lots of people still today...
You know, even after all that we hear about privacy and being careful online, they still will put this stuff up publicly, especially kids. Kids, kids. Talk to them, remember it yourself. That's exactly right. I have no friends.
Yeah, exactly. And then here I show this.
So you've got questions, really? The problem with questions is what? They're not secret. They're not secret. And because they tend to be the backup for a password reset, the hacker will go straight to that. They'll put in a password four times so that it locks out the account. Then they get on the line to the call center. They know your dog's name. So they'll get a new password sent.
And, by the way, could you send it to the hacker's email address instead of mine too? Right? So this is basically, apart from anything else, very, very weak security, but it's really out there a lot, especially when you're dealing with call centers, right? This is kind of the standard way that things are. So with the introduction of Apple and iPhones, we start seeing some early use cases of biometrics, right?
So from then on, biometrics have been adopted by pretty much most of the smartphone vendors by now. They've had good acceptance by the public in general and they start to diversify, but you still have phishing and man-in-the-middle attacks.
Oh, wait a minute, repeat this slide. Okay, you've seen that slide already. So let's just go. There are all these different biometric modalities, right, that John was talking about in his presentation.
Some of them are going to be more viable than others. And the security part is just one piece, because the other part is the UX and how user-friendly they are to use, because something could be as secure as Fort Knox, but if it's not user-friendly, people will reject it. So the red ones here are the ones that are kind of emerging or leading edge, and we have ear biometrics. Now, I don't see that being adopted mainstream, but one of the vendors came out with it: if you hold your phone up to your ear, it will read the unique pattern that your ear creates.
It looks like voice is seeing some good adoption, even though from a security standpoint it's not all that great, as John said. Pardon me? This is with the watches and the wearables that are actually doing continuous authentication. So that means as long as you're wearing an Apple Watch, it's authenticating you by your cardiac pattern. And it's actually quite good; it seems to work quite well, because it's very unique, it's very hard to replicate, and it's on you, right? So it's very, very hard for someone to get in between that and intercept it.
So now we even see research with the use of DNA for authentication. I think that has a lot of privacy issues and it's quite far away, but I want to put it there just to show that things are really progressing. And so some of the emergent things that are out there: we have all the different kinds of facial recognition; the iPhone X, the iPhone 10, obviously has that on it, so that's one you've seen. There's a lot of rollout in China, with Alipay starting to use facial biometrics in a big way. The Chinese government is starting to use it in a big way, just to do regular surveillance.
I'd like you to read about it just a little. So, voice. And with voice, a lot of people thought that this Amazon Alexa... you all know Amazon Alexa? I know, I hear from the folks from Australia; you do. We only just got Amazon in Singapore earlier this year. Anyone who's not seen one of these things before? You all know what this is, right? So it's interesting that they don't use voice biometrics. Do you know what they use? Can anyone here tell us what they use to authenticate, to challenge your account? There's a PIN. You can put a PIN on it, right?
No, there's not. There's not even a PIN, but it doesn't use voice biometrics, is my main point here, right? Yeah. Yet. It might.
It might, but they're holding off on that, because clearly they're not seeing the crossover error rate being adequate. And they use a code as well.
When you... once they use a code. So if I want to buy something, I say, Alexa, and they ask me, okay, I have this account, Jennifer, I don't know. And then she asks you, give me the code. It's a number of five digits or something like that. Right? So it's more of an old-school authentication, even with this user interface that looks like it might take a big chunk out of other things. We have cardiac biometrics. Now this is what it looks like, a visualization. This is the watch I was talking about. As long as you're wearing it, it's monitoring your heart rate.
And what happened? Well, just to continue, there are so many different types of biometrics that are being explored right now, and even without putting facial recognition into the context, it's still, I think, in a very experimental phase, right? People are putting things out there, companies are putting things out there and seeing what sticks, whether they work and whether they're secure or not. When we talk about biometrics and the security of biometrics at a very high level...
So not at the level that John was talking about with the comparative evaluation, but just biometrics in general have certain security problems. The fact that you only have one fingerprint: if your fingerprint, your iris, whatever gets compromised, that's compromised forever. You can't reset it. Right? So you have to go to the next finger, and most people have ten. So that can be a problem with things that you only have one of, or two of, like your ear; then that can be more of a problem if it gets compromised. The other thing with biometrics is that they can be stolen.
Your biometric value can be stolen and it can be replayed. Right, right. Because it's used to log in, right? They take your value, your fingerprint value, they take it to log in.
Well, if I am a hacker and I steal yours from you, I can take your fingerprint value and I can use it along with the other authentication means that they're using and go ahead and log in with that too. What's... well, okay. So a fingerprint that you scan is converted to a digital value, and now if that digital value is stored in the database and the database gets hacked, it's just like hacking a password database, right.
That gets hacked; now I have your fingerprints, right? Fingerprints. There's actually a hash value there, though. Yeah. It's my finger. I don't have your finger.
No, no. But if you're not using liveness detection, it doesn't matter. If you're using liveness detection, that's going to help. But if I'm using an app that requires me to put my finger on it, the fact that you've got the template of my fingerprint... you still need my finger.
Ah, so a few years back there were some students, I think it was at the University of Tokyo, that took fingerprints off of a wine glass. And they were able to use that; it worked perfectly well to log in. And we've seen similar experiments going on with voice biometrics. HSBC in the UK rolled out voice biometrics, and some guy got on the BBC; he had an identical twin, and he used the identical twin's voice and it worked, got him in. Right.
So the only point being is that these things are not by any means perfect. And really, if you are relying a hundred percent on biometrics, I always say, that's not enough. It's not enough for you.
You need to do a layered security architecture, right. And you need to have other controls that are compensating for the weaknesses of biometrics. Are we going to get our slides back or not? We just completely lost it for a second. I'm just going to keep you up here. So we're kind of... are we up on time anyway? Okay. Yeah. I want to address some of what Graham said, then I'll let you... so let me do some questions.
No, I was just going to say, well, that's the difference in the FIDO model. If you're authenticating or verifying your runtime signature against something stored on the phone, it's not going to a central database. That's one of the security advantages of that model. True. And there are a lot of compensating things, like we talked about, right.
So I think, if you look at where biometrics are headed, I'd ask about biometrics being used for validation rather than for authentication, which seems to me to be a logical way to use them, because with biometrics we're going to get close to a hundred percent, but we're never going to get to a hundred percent correct in being able to recognize a given thing. And so if we limit the set of what we're validating, you have a much higher chance of a successful rate. Right. Which also involves your issue of it being intentionally irrevocable, unintentionally revocable. Right.
Which is a real trial; it's a real problem. Right. So if the validation of the initial onboarding is done with biometrics, then biometrics become stronger as an authentication. Right. We're separating validation from authentication here. Right? How are we actually doing for time? Are we up? We're over time. So I'm going to go ahead and wrap up, because I have a few more slides, but let me just do this quicker. Yeah. Maybe, Chris, I'll send you the slides, though. Anyway.
So that you have them, because I'll end up... say stop. Yeah, stop.
So here, if I could have one minute more, right, as a way to think about designing security. This clicker is gone. This is finished. Okay. Let's leave you... maybe you are waiting for, yeah, I've got to have President Kennedy, right? Yeah. There he is. Okay.
So here's just a suggestion. If you're designing a biometric authentication system, or if you're designing any security layers, don't...
I hear this all the time. I'll describe some system and I'll go, is this secure? Now, that's the wrong question to ask. Do not ask if it's secure, but ask, is it secure enough? Is it fit for purpose? That's a much better question to ask. Right? Because let's take a lock on the door, right. A lock on the door is secure against a three-year-old, right. It's not secure against a tank, is it? Right.
So security is relative. Just saying it's secure, or secure enough, doesn't really matter.
And maybe, you know, Fort Knox here is fairly secure against a tank, but it's not secure against, you know, dropping an ICBM on it. So just a better way to think of it is, you know, is it fit for purpose? And does it offer a kick-ass UX? You want a great UX with it. Those are the requirements, right.
And so this is what you don't want. You don't want angry customers anymore. So maybe I'll just go.