Brad McGoran (Exponent), Sami Nassar (NXP and FIDO), Sebastien Taveau (Synaptics and FIDO), Don Malloy (DirectRM and Oath) and Roger Casals (Symantec) made it an extremely engaging and interesting evening. They made my job, as panel moderator, extremely easy and enjoyable.
Some of the discussion highlights that I took away from the evening are:
- Nassar explained that Authenticity (is this component, H/W or S/W, authorized in this environment / ecosystem?) and Authentication for Service are key in the Internet of Things.
- Malloy provided the following stat: US is 27% of the credit card volume in the world, but almost 50% of the fraud. He then went on to explain 'There are clear initiatives to protect the point-of-sale, which will immediately result in fraud moving online. With online and mobile payments showing continued year-over-year double-digit growth, we have to protect online transactions. Hackers aren't going anywhere'.
- Malloy listed the three key challenges that Oath addresses: Theft, usability to share data and lack of federated, single sign-on framework.
- There must be transparent opt-in / opt-out options that provide users with alternatives (i.e. Yes, I want to use the service but do not want to authenticate myself via fingerprint. What other option do I have?) that are in compliance with providers required level of assurance. 'At the end of the day is all about context and consent' concluded McGoran.
- Taveau: 'We are our own currency. Today we talk about the Internet of Things. Tomorrow we will talk about the Internet of Me'.
Note: In the same vein as Dave Birch's statement 'Identity is the new money'.
- Taveau showed a slide that depicted The Rule of 5 Ps for the Clouds: Personal, Public, Professional, Proprietary and Private explaining that we need to focus on avoiding data leakage between the clouds.
- Blueliv is a complete end-to-end Cloud-based Cyber Threat Intelligence Technology that protects organizations from credit card fraud, data and credentials theft and the latest malware trends. One way in which the company does this, is that it hacks hackers, learns from it and sells data / 'best practices' to financial services companies.
- Key attributes to balance when creating an authentication services? Security, convenience, ease of use, privacy, trust and cost.
Consumers will only use companies they trust and will assume solutions are secure. They do not care about cost (they are not normally charged, at least not directly). They always focus on convenience and ease of use; sometimes on privacy.
- Casals predicts that in 5 years, there will be strong privacy requirements dictated by governmental agencies, and strong companies with well-developed business models around them.
- Merchants and banks can greatly benefit from improved authentication.
Merchants: If they had access to strong authentication platforms, could they bypass the existing ecosystem and taken on transaction risk themselves?
Banks: In Japan, a 10x increase in fraud between 2012 and 2013 has moved the top 5 banks to heavily promote 2-factor authentication to their customers. In general, banks will favor tools that help them improve risk management.
- Target's servers were hacked because the credentials of an administrator were stolen and misused. Stronger authentication and authorization procedures may have avoided the issue.
- Centralized credential storage makes it easy for hackers, with high rewards for each breach. 'It is important to decentralize the credential to prevent having a valuable target for hackers' stated Nassar.
- There are non-public FIDO members, including banks and retailers. The same thing happens with Oath, many organizations certify and deploye Oath solutions without holding membership.
- Mobile carriers have missed the mobile payments window and are now working on mobile identity. They have a lot to offer around authentication and identity (secure element + customer knowledge), but they are very difficult to work with. As McGoran reminded us, 'He who enrolls, controls'.
Event trivia: Who is the proud owner of 'hacker-proof' Josephine La Deuche?