Direct assertion of identity based on a physical presence factor

The Board of Governors of the Federal Reserve and the Federal Financial Institution Examination Council (FFIEC) have been recommending any factor in addition to data for “electric financial transactions” (Authentication in an Electronic Banking Environment, 2001 Guidance). They were and are recommending Direct Assertion of Identity for secure online activity. To date, a solution has not been deployed.

“Today digital identification is based on an indirect assertion of Identity. Until a direct assertion [solution] is available it [identity] will just be an informed guess.” – Dr. Daniel R. Ford, CTO/CIO, 1st Source Bank.

Basing “secure” Internet activity on Indirect Assertion of Identity is an invitation to theft: $600 Billion in damage in 2017. The misuse of scientific terms has hidden the failure to follow the most basic security recommendations by the FFIEC and has compounded the problem. Two-Factor and Multi-Factor Authentication at the endpoint fails to meet these guidelines. These solutions arrive as “complex data” at a server, and a digital match permits secure transactions to be executed. This is scientifically described as One-Factor Authentication! Until and unless there is a method deployed to provide Two-Factor or Multi-Factor Authentication at the server, authentication will continue to be based on guessing.

Today there is only one proven method to provide Two or Multi-Factor authentication at the Point-of-Authentication. The methodology uses a physical device that comes into contact with the Internet when secure activity is being performed, and contact is removed when the secure activity is completed. The original thought behind the methodology can be traced back to 1935, when Albert Einstein, Boris Podolsky & Nathan Rosen theorized about ultra-secure communications as part of entanglement theories. Einstein later went on to call the theory “Spooky”. Nonetheless, the theory works.

The most simplified explanation of the theory is to have a node “wink” into existence, connect to another node, transact secure communication and then the node “winks” out of existence. The process creates a state-of-presence based on the existence of the node.

Applying this principle to Internet Access Management quite literally changes the way every other cybersecurity solution performs. Using a verifiable serialized node that requires a Presence-Based device to create and maintain the node provides for a second non-data factor at the point of authentication.

The only obstacle to a Direct Assertion of Identity solution is responsible action. The consumer/end user cannot deploy the solution and, to date, the business community has looked at such a solution as “inconvenient, cumbersome and clunky”. These are invalid reasons for making security decisions, but worse, they are not accurate, except for the inconvenient aspect.

So, for the record, all security, including cybersecurity, is supposed to be inconvenient. It is the inconvenience that provides protection. Until business leaders demand consumers carry an ID and present it for secure activity, cybersecurity will continue to fail, resulting in increased damage. The breach rate is accelerating with over a 100% increase year over year.

The first step to any form of security is to separate secure and public activity, thus eliminating the success of phishing. If clicking on an email opens a page that looks exactly like a bank, people will be fooled. When the consumer understands that their uniquely serialized device is the only method to communicate with the secure environment, phishing fails.

The future IS here. The first commercial release of Direct Assertion of Identity is being scheduled for release. (Expect an announcement in the next few weeks.) Once a presence-factor is available, how long will guessing identity for secure activity continue?

There is a simple question every cybersecurity expert needs to ask: If a Direct Assertion of Identity solution is available and is not deployed, what will the resulting damage be called?

The future of cybersecurity has arrived; read more at: Physical Presence Technology – A Complete Explanation, a previous LinkedIn article.
