And in conclusion ... the answer to these security problems is ... multi-factor authentication
I have updated this article, as I have just read about a hack on the ICO (Initial Coin Offering) from Enigma, where the administrator accounts had no two-factor authentication. Surely a company trading in a financial market should have two-factor authentication on its admin accounts? But no!
So, with GDPR coming up, please can companies move to two-factor authentication on their systems?
Introduction
I have heard from so many speakers, in the conclusions to their talks, that the answer to many of the problems in computer security is the use of multi-factor (MF) authentication. But it is still lacking on most systems, and virtually no companies provide ways for users to actually choose the devices and methods that they trust.
With GDPR coming along next year, these areas will go to the top of the list for the design of any IT system. The major challenge is thus to build systems which have strong digital trust (rights and identities) along with human trust (useful services and strong governance). The best cryptography in the world won't help if users do not actually understand how it increases the trust they can place in their interactions with on-line services.
So why is my password reset just based on knowledge?
So I ask a few simple questions:
Why does my email login still require a username and a password and have no device or biometric integration?
Why does the reset of my password on my email system still involve the answer to a question that everyone can find if they search on Google?
Why is the log-in to my bank based only on a secret password and a secret PIN?
Why can't I log into my bank with my fingerprint?
Why don't I have control of the authentication methods and devices I want to use?
Why can I get an on-line betting app which allows me to log in with my fingerprint, but my finance system requires a password that I must change every three months?
Why do so many companies ... especially Google and Apple ... store all my passwords for me ... without me having any control over them?
So we are privileged to be working with a local company (Payfont) whose vision is to address many of the questions that I've posed above. Their systems are still in development, but I have had the opportunity to play around with a few concepts (all of which we strongly believe will bridge the gap between human trust and digital trust):
Figure: Payfont’s IOMI (I Own My Own Identity) people-centric dynamic authentication
So, if I have a high-value transaction, such as confirming the sale of a home, I can put in place many levels of authentication, but for a low-value one, I might apply simpler methods.
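The risk-adaptive idea above (strong authentication for a house sale, something lighter for a trivial action) can be made concrete as a small policy engine. The following is an added example written for this article; it is not Payfont's code or the article's own, and every factor name, weight, threshold and the names Assurance, FACTORS, Transaction, required_assurance, achieved_assurance, step_up_options and authorize are constructed assumptions for illustration. It scores a transaction's risk, maps the score to a required assurance level, and credits the factors the user actually presented, counting only distinct factor categories so that two pieces of knowledge (a password plus a searchable "security question") never add up to multi-factor.

```python
"""Added example: a risk-adaptive (step-up) authentication policy.

Not code from the original article or from Payfont.  Factor catalogue,
strengths and risk thresholds are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from enum import IntEnum


class Assurance(IntEnum):
    NONE = 0
    LOW = 1      # read-only actions
    MEDIUM = 2   # routine payments
    HIGH = 3     # e.g. confirming the sale of a home


# Constructed factor catalogue: name -> (category, strength).
# Strength 0 means the factor earns no credit, e.g. a "security question"
# whose answer anyone can find with a web search.
FACTORS = {
    "password": ("knowledge", 1),
    "security_question": ("knowledge", 0),
    "sms_otp": ("possession", 1),
    "totp_app": ("possession", 2),
    "fido_key": ("possession", 3),
    "fingerprint": ("inherence", 2),
}


@dataclass(frozen=True)
class Transaction:
    amount: float
    sensitive_data: bool = False
    new_device: bool = False
    new_location: bool = False


def required_assurance(tx: Transaction) -> Assurance:
    """Score the transaction's risk and map it to a required assurance level."""
    score = 0
    if tx.amount >= 10_000:
        score += 3
    elif tx.amount >= 100:
        score += 1
    if tx.sensitive_data:
        score += 2
    if tx.new_device:
        score += 1
    if tx.new_location:
        score += 1
    if score >= 3:
        return Assurance.HIGH
    if score >= 1:
        return Assurance.MEDIUM
    return Assurance.LOW


def _best_per_category(presented):
    """Strongest credited factor in each category actually presented."""
    best = {}
    for name in presented:
        category, strength = FACTORS[name]
        best[category] = max(best.get(category, 0), strength)
    return best


def achieved_assurance(presented) -> Assurance:
    """Assurance earned by the presented factors.  Only distinct categories
    count, so two knowledge factors are still single-factor."""
    strengths = [s for s in _best_per_category(presented).values() if s > 0]
    if len(strengths) >= 2 and max(strengths) >= 2:
        return Assurance.HIGH
    if len(strengths) >= 2:
        return Assurance.MEDIUM
    if len(strengths) == 1:
        return Assurance.LOW
    return Assurance.NONE


def step_up_options(presented):
    """Factors that would raise assurance: a new category, or a stronger
    factor than the best one already presented in an existing category."""
    best = _best_per_category(presented)
    return sorted(name for name, (category, strength) in FACTORS.items()
                  if strength > 0 and strength > best.get(category, 0))


def authorize(tx: Transaction, presented):
    """Return (allowed, required, achieved, step_up) for one transaction."""
    required = required_assurance(tx)
    achieved = achieved_assurance(presented)
    allowed = achieved >= required
    return allowed, required, achieved, ([] if allowed else step_up_options(presented))


if __name__ == "__main__":
    house_sale = Transaction(amount=250_000, sensitive_data=True)
    print(authorize(house_sale, ["password"]))              # denied, step-up offered
    print(authorize(house_sale, ["password", "fido_key"]))  # allowed
    print(authorize(Transaction(amount=5), ["fingerprint"]))  # low value, allowed
```

The design choice worth noting is that assurance is computed from factor categories rather than from a count of prompts: a password followed by a security question is still one category, which is exactly the weakness in the password-reset flow the article complains about, while a password plus a hardware key or a fingerprint reaches the highest level. The step-up list gives the caller something actionable to present to the user instead of a bare denial.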
Conclusions
Just now we live in a world of a "one-size-fits-all" approach to identifying users, but our interaction with the Internet carries different levels of risk, and for our most important transactions, especially those involving sensitive information, we need to put in place methods which give high levels of assurance. We think systems need to be redesigned, with a focus on the risks involved and on putting the user at the centre of the design approach.
Digital Marketing consultant, Social Media Evangelist and Artificial Intelligence Technology public speaker.
7 years
Payfont Limited looks like a hugely impressive tool
Head of Cybersecurity Engineering at Tesco. Start-Up & Investor Advisor. Mentor. GIAC GSTRT, MCIIS, CITP, MBCS, CISSP, CISM, CCSP, CASP.
7 years
I agree with Bill. I use a Yubikey for much of my MFA needs which uses FIDO (Universal 2nd Factor protocol).