Event Recording

Security and Privacy Challenges of Authentication, Verification and Authorisation of Customers


Log in and watch the full video!

Sarb Sembhi, CISO, AirEye

Log in and watch the full video!

Upgrade to the Professional or Specialist Subscription Packages to access the entire KuppingerCole video library.

I have an account
Log in  
Register your account to start 30 days of free trial access
Register  
Subscribe to become a client
Choose a package  
Yeah. So, so the angle I I'm taking on this topic is based on some of the work I've been doing recently, a paper I've been writing the colleague of mine, and it's looking at the role of trust in achieving happiness and wellbeing in smart cities. And the reason I took this particular approach and because the work I I've been doing on this is because going forward a lot of things that we are trying to do, and, and, and we're aiming to achieve within our lives involved. A lot of I OT and a lot of interconnection and connectedness and talking to a whole range of agencies and services in ways that we haven't done in the past, and that's going to become more of a norm. So I thought I'd look at it from a, a particular angle. I'm gonna go through some very simple things in terms of agenda for today.
What I'm focusing on three things. One is the building blocks, which I, I I'm assuming that attendees of this event know very well in terms of what authentication verification authorization, digital services means. Nextly, sorry, slide the service providers, the enterprise, and the user challenges related to security and privacy. Basically I'd started off looking and breaking those down, ended up with so many slides and so much information. So what you are going to see is a condensed version of that, and then finally, a, a, a version of, of, of responding to some of those challenges as well. So that's, that's what I'm aiming to try and do. And the first thing in terms of authentication, as I said, many, many of the attendees will be familiar with various definitions. Basically, we're talking about the process, which allows an individual to identify themselves and digital authentication first process where digital identity is presented electronically to an information system.
And the initial technical challenge in, in many cases is that authentication has to be undertaken remotely because whereas previously, when we traveled, we did things we could do things only ever in person. Now, as, as, as you know, electronic commerce has taken off in a much bigger way and electronic services and digital transformation has taken off in so many ways. Everything that we're trying to do is around being remote and, and, and really in terms of authentication, we know that that's based quite often, three categories or factors, what, you know, what you own, what you are. And, and there may be a single two or multifactor examples include user and password. What the user knows one time passwords, what the user owns and biometrics, fingerprint I, facial recognition is what the user is. And there's a combination O of those in, in multi deal and, and single factor authorization is post of giving an authenticated user permission to access a specific resource or function or action.
Whereas authentication is about actually verifying the credentials. Authorization is the, is about granting or denying the permissions verification. When we're talking, for example, as an identity, as an example, identities is who or what someone might be verification is to prove something. And ID identity verification is prove someone who they are, who they say they are. Passports were one example of the, and the most well known example of the use of ID identity verification. And, and since more and more businesses are concluding business remotely and using sort of tradit, the use of traditional passports for remote ID verification is not feasible in the same way it used to be because we are conducting business remotely and, and, and passports aren't necessarily used in the same way they used to be. And digital idea verification is used when human or physical verification cannot be undertaken or where there's a value added service.
So verification can be about identity, access to resources or rights to take action. And so on. Now I'm gonna move this on in terms of examples yet, we've got the, the, you know, checking documents that they are legal, one time password type verification. It might be using SMS. It might be email register an account. And basically we're talking about the, you know, the pointing time type thing being matched, and also biometric verification, checking that a photo taken on a mobile phone matches the one that's on file. And, and really in terms of those basic things that most people are familiar with, what I'm gonna do now is just talk about some of the things that we've brought up and, and things that have happened in the past. And, and, and, and really 20 plus years in security, we're in a position where I, I, I guess, you know, we are, we've got that many services that we connect to and that many types of services that they are growing phenomenally.
And the number of passwords, for example, that we need to have, has been growing for the number, according to the number of services. And I remember when I was astounded sort of preparing for an event once where at the event or for the presentation, I, I counted that the number of passwords and these are different passwords that I had at one time was about 30. And when I spoke at the event and I was telling people, I had 30 people are already trying to beat that and saying, well, I have 50, and this was going back a couple of years. Now, we're in an environment where we have between 50 and 150 different services, whether they range from banking to paying our, you know, mobile phone bills to paying the gas bills or whatever it might else, it might be as well as social networks and services.
So we've got lots and lots, and they are still growing. And, and basically that means that we've got lots and lots of passwords, cause every single one of those requires, you know, that we authenticate with them and we use completely different passwords. And I'm sure what everyone does, but on top of that, we have issues. And, and really some of those things are that, that the fact that, you know, we, we are told that, you know, we, we're not allowed to reuse our passwords. Our passwords need to be complex. And it's a challenge because some of these things that we are trying to do in trying to improve, especially around passwords is the fact that some of the passwords that we might be using, if we're not in security, is that we might be reusing passwords, even though we've been told not to, because it's easier to, we haven't got round to using password managers.
It's just that we might up up the numbers 1, 2, 3, 4 at the end and, and make minor changes like that. And the challenge there is, is, is, is that part of the password is already out there from previous breaches, from some of the services that we've, we've been using. And, and I guess one of the next sort of challenges that we've got, and again, a legacy from the past is the fact that, you know, when we are using different services, all the different vendors are using completely different guidance on passwords. And, and there's no standardization of what is good practice or bad practice when it comes to these passwords. From the vendors' perspective, everyone is using their own approach to the standardization of what their code could and should be using. And, and, you know, it's, it's whether password should be at least eight characters, or it should be at least 10, 12 characters, or what, how, what should be included, what shouldn't be included, the password checkers that come from the service vendors that we're using at the moment.
So really there's a whole mixture of these sorts of things. And even some of the good practices are lost. If all the accounts basically refer to a single email account, which constantly is being fished all the time through lots and lots of different ways. And if everything's, if all your passwords are tied to one email address, that is a challenge in itself as well. It's not good practice, and we're not helping ourselves in anything that we are doing there. And, and also on top of that, some of the other options we have on our mobile devices in terms of keeping everything tied up into one or two points of failure, is that the options like pins are not necessarily secure and, and they're available on mobile devices. And there are many, many options available in terms of authentication on mobile devices. And, and really, if you look at the services that we, we are talking about, there's many, many services, we're getting to a point where the mobile device that we have, which is being used for authentication is beginning to represent us.
And our mobile devices are, are, are, are covering everything in our lives that, that we never realized that, that they were going to represent. And not all the sort of technologies that are going into mobile device are necessarily secure. So we're in a position where everything that goes into mobile phone isn't secure necessarily from the operating system through to the different services that are part of the operating system, all our networking technologies, all the encryption technologies, all the browsers that we're using, all the applications that we're using. So there's so many different bits and pieces that go into all this, and then not necessarily secure utilizing existing, you know, existing vendors technologies, whether it's using Google, GitHub, Twitter, many of these vendors are, are out there, and they're not geared towards being fair, either on privacy to us, or necessarily competition friendly because they're all trying to beat the others.
But at the same time, they don't want there to be more than the five or six that are already out there. And then what we've got coming up soon, if we look at some of the things on our mobile devices that we we've got, first of all, there's the possibilities of having more than one account of a single service, which we haven't had in the past. Then on top of that, we're probably going to be asked to create and set up an app or a service with every contact, communication, interaction response, which is gonna force an account and a relationship set up that we haven't had in the past, including government relationships and interactions, including local services with been social care housing. Each one of those will have because of the way local authorities work, a separate relationship or a separate service with, with, with yourself and then health on top of that, if you haven't started having health service and health interactions that is coming along, then we've got the local travel and we've got local, our, our security on our mobile devices, our home and security and surveillance services.
We've got device interactions. So every time we are interacting with devices around us, within our own homes, whether it's, you know, our electric kettle, whether it's our TV or anything else, we've got apps and we've got services where we, we are speaking and where we are interacting with them with apps, where we might have to verify who we are to them at different times, depending on what we're doing and how we're doing it. Then also on top of that, we've got open services that are out there, which might be printing. So you might go down to your local library and that printer is there, and it's a paid service. It's separate from the library maybe, and you've got commercial services, whether it's a vending machine or a printing machine, you're gonna have relationships with them. And on top of that, you're gonna have what we've already got, but it's gonna be far bigger.
And in far more depth than we've got at the moment, which is, you know, sort of vehicle controls, becoming more advanced and, and having to authenticate between the devices and so on. And that those, all of those things present lots of challenges in many respects. And we're talking about, you know, the, the long term will be whereby we've got lots and lots of insecure services on our mobile devices, on our lives and our connections, all of them being allowed to persist unabated already out there. And, and, and we need to reduce the, the vulnerabilities within these before we should be moving on. However, what we are doing is we're, we're adding so more without actually checking and, and, and reducing the vulnerabilities and those sorts of things. And the technology providers continuously try to confuse us with the security and the privacy as if they're the same thing.
What they're trying to tell us is that they, they take security seriously, but actually they don't take our privacy seriously. And they separate the two in a way of making sure that we, we, we, we trust them in reality. What they're doing is they're using smoke and mirrors and blatant lies quite often with ulterior motives to try and forget our privacy, which they may not necessarily care about. Then we've got, you know, secure user management of, of, of devices and authentication mechanisms. There's so many that we've, we are beginning to bring in, or that we're gonna need to bring in to make sure that everything is compartmentalized, that we haven't got single point of failure in the way that we're doing things. And you know, that perception of trust in our technology vendors, in keeping the credentials that we give them, whether it's our thumbprints, our biometrics and so on is, is, is being challenged and should be challenged.
And it is a challenge to secure going forward because they, at the moment, I think the way that things are working loss of passwords might be one thing, but loss of an identity is something completely different. And that hasn't been taken into account talking about trust that we have in vendors, because if we lose our identity, someone like an elderly person, they are going to be in a completely different position. And the impact on them is gonna be different from a breach of passwords. If this, this woman in this image is no longer able to claim and do the things that she does on a daily basis is different from this woman losing a password to single service. The identity that we have in our biometrics is not being taken into consideration in the same way that, that, that we would like them to built in security processes in, in, in devices, if, if we've lose our device or it's taken over, or our biometrics is taken over, is not taken into consideration in the way that needs to be taken.
And that is a very, very big challenge. Now, as I said earlier on, I tried to shorten this presentation. So I'm gonna rush through a lot of these because I'm running out of time. So some of the other challenges that we've got government services that, that, that are out there being used to enable should be, you know, working to enable small businesses to take advantage of the technology and reduce some of the complexity that's out there. That's some, a challenge that I think, you know, government should be looking at right now. How can it make eCommerce easier in terms of authentication than working and identifying citizens so that small businesses can take advantage as well. Some of the standards that are out there, this is this standard I've included. This one I could easily have chosen the NCSE one from the UK and the two standards, you know, and advice that that's being given right now is conflicting.
And that is conflicting. That's a challenge in itself because we are not getting that right. And if 2, 2, 2 bodies in two different countries are getting it wrong, what chance have the vendors got from getting that right? You know, that is a massive challenge that has to be dealt with and, you know, can vendors select from a set of standard approaches out there for passwords so that we're not, they're not allowing fishing in the way that has been allowed to, to, to persist in the past. How can vendors work their way through the various scenarios that we've seen, that they don't make it easier for attackers to be able to find their way in terms of using messaging for fishing and, and the sort of losses that that we've seen in the past, you know, have always been looked at from a perspective of the vendor and the loss to them and the risk management practices that we've had so far have all been around vendors, protecting their brands that haven't been around protecting end users and, you know, allowing end users to, to, to, to move away from just looking at what the vendor cares about.
It should be from what the end user cares about because their identity that's being stolen or missing, or that's being shared on the dark net is far more important to them is gonna impact their lives in, in a way that the, the vendor themselves should actually be caring about. And the last thing here really is that authentication services are gonna have to work far better than they do currently to allow remote authentication in the last few minutes, in terms of some of the responses or, or, or, or that we need to be looking at industry needs to be looking at passwords. I can't believe, and I say this so often at events, I can't believe 20 plus years in, in industry, the insecurity, we're still talking about passwords. Why is it that we haven't got passwords sorted? That is absolutely ridiculous. We need to get this sorted.
We need to get it sorted. At least, you know, looking at what's robust between missed and all the other various organizations out there. They need to be getting that right. Governments need to be making sure that they agree on password standards and avoid the confusion. And we need to get away from being forced to give our biometric information on services and on devices in ways that, you know, we're not, we're not being forced to give them so that the vendor is actually running services, moving from one biometric type of collection data collection to another type of data collection. So we've moved from, in some devices, from fingerprint recognition to facial recognition or to Iris recognition or variety of those. We shouldn't be giving those things and forced to be able to give them from one to the other, without understanding what they've learned and, and how they're gonna use that to improve our lives.
What they've done is they've, they've basically learned, I, I believe in terms of the way that vendors have worked and, and started to improve other services and sold those services and used the data collection in a variety of different ways. We haven't actually got beyond even in facial recognition, the fact that it doesn't work and the ethics of those things not working and still not working. And then moving on from using one biometric service to another biometric service in ways that, that, that, that just doesn't work for anyone at all, industry approaches need to, you know, make sure that they are moving on for, from what is good for them as a service to what's good for a wider perspective for the long term trust in the way that users will find is useful and actually works for them them. And really, if you look at some of the trust issues, because that's the key thing, I think that we need to focus on this particular slide, I've chosen it because this gives an idea of the trust that we have at the moment in the UK.
We, in, in a variety of different service providers, where trust is the most and where trust is the least. And yet some of the authentication services that are out there rely on social media organizations. As our authentication mechanisms, trading trust, I believe will become the imperative going forward. You know, governments and tech companies have shown that they can fall from how quickly they can fall from grace. And the absence of distrust does not necessarily equal trust. Equally. The absence of trust doesn't necessarily equal distrust. And, and these services are able to simplify. We need to look at services that can simplify users management of their own life services. And those that are able to do that would be the actual winners going forward. And the functionality of trust in itself will only go so far. Those services that can simplify niche life services, to an extent through trust will be the bigger winners I believe going forward. That is my last slide apart from this one for questions, but I've realized I've hit my time point limit. So back to you, Paul.

Stay Connected

KuppingerCole on social media

How can we help you

Send an inquiry

Call Us +49 211 2370770

Mo – Fr 8:00 – 17:00