Would you say fraud is the main catalyst behind authentication innovation?
While many people still lose money to traditional fraud scenarios, such as the massive Ponzi scheme perpetrated by Bernard Madoff, increasingly sophisticated on-line scenarios continue to emerge. Early online attacks, orchestrated largely by “script kiddies” intent on have evolved into sophisticated malware attacks orchestrated by organized crime rings. For the first half of 2010 the Anti-Phishing Working Group (APWG) reported that there were 48,244 phishing attacks occurring across 28,646 unique domain names. At the root of most of these attacks is the use of Social Engineering. Criminals are using very persuasive and often personalized tactics to entice users to take specific actions that will result in the attackers ability to in some way misdirect or take over a users session—or their entire machine!
But fraud is a very broad term that is used to refer to anything from the theft of personal information to the interception of financial transactions. At the end of the day, people who are taking advantage of the Internet want to feel protected from all of these threats online – and a big part of that is having the confidence that their identity is protected. Authentication is an important means of ensuring that a person online is who they say they are – and the means to ensure this is to provide reliable, trusted strong authentication. But for users to adopt stronger authentication it needs to be easy to use so it does not interrupt the typical way in which they interact - it must be flexible, and it must be easily deployed.
Even within organizations the adoption of strong authentication is challenging – while a recent Forrester report indicated that 65% of firms in North America and Europe had adopted strong authentication, it had been rolled out to fewer than 10% to 20% of the employee base.
The desire to provide this broader protection against online threats is certainly an important motivator in to the development of new authentication technologies. As an example, mobile devices, are becoming ubiquitous among online users, and being able to leverage these devices would offer an easy to use, affordable method of authentication that could be easily rolled out to a broad population base. Similarly, authentication methods such as grid cards offers an affordable and easily adopted alternative to traditionally complicated methods such as one time passwords – in turn making stronger authentication accessible to a broad base of users. And to offer these approaches on a single platform, provides organizations with flexibility so they can apply the appropriate authentication method to the type of user, matching their online behavior. All of these innovations have been spurred on by the desire to extend greater protection to the online user.
Nowadays most users have a hard time managing their online identity across multiple websites and services. This comes mainly from a lack of understanding of security risks. Would an official unified identity document like a passport solve the problem or just bring more controversy to the issue?
One of the challenges in the digital world is that individuals receive identities from many different sites, so their digital identity is actually a collection of unique identities, all of which must be managed and protected individually. While a lack of knowledge about security risks certainly makes the user’s experience more difficult, the larger issue is the lack of trust among the issuing authorities – the fact that each agency or site is compelled to issue their own branded identity – and that there is little to no trust of identities issued by different organizations.