Why cybersecurity fails


Last century, standards were published to prevent cybercrime, but there was little theft at the time and the standards were rejected as "inconvenient". Today's cyber crisis began with the choice to reject them. The choice was between indirect and direct assertion of identity, and that binary decision is at the heart of the cyber crisis: Indirect Assertion of Identity has contributed to every cybersecurity breach, yet this is still not acknowledged.

Then, compounding the mistake, Indirect Assertion of Identity became the standard for all online identification. Indirect Assertion of Identity is simply collecting user-supplied data and matching it against stored data. If the two match, access is granted regardless of who or what supplied the data.

However you spin it, all online activity will continue to rest on guesswork until Indirect Assertion of Identity stops. Yet every government, business and financial institution uses a guess at identity to authenticate users and grant access to secure online services.

Hardening endpoints, communications and servers will never address this core failure. Patches, upgrades and advances in existing security are all undermined by Indirect Assertion of Identity.

Last century, both the Board of Governors of the Federal Reserve and the FFIEC recommended two or more factors of authentication for "all online financial transactions…both commercial and retail." The publication went on to state: "Existing authentication methodologies involve three basic 'factors':

  • something the user knows (e.g., password, PIN);
  • something the user possesses (e.g., ATM card, smart card); and
  • something the user is (e.g., biometric characteristic, such as a fingerprint or retinal pattern)."

FFIEC, Authentication in an Electronic Banking Environment, August 8, 2001

At ATMs these factors were valid. They no longer are: a code texted to a phone provides a data-only authentication process, even at ATMs. What happened to the 2001 standard?


When properly deployed, the "something the user possesses" (a debit or credit card) is inserted into the ATM, creating a serialized presence factor tied to the user. The PIN, "something the user knows", supplies a second, distinct factor. When the card is returned at the end of the session, the state of presence at the ATM ends. This methodology worked at ATMs, but it does not translate to the Internet.

The misapplication of the factor guidance is the misunderstanding behind the cyber crisis. The "knows", "possesses" and "is" factors are applied only at the endpoint, not at the point of authentication. That means only data is present at the point of authentication. The model fails to meet the basic guidance in the publication because data, a single factor, is the only thing used for authentication.
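To make that claim concrete, here is an added illustration, not code from the article or from any product it refers to, of an SMS one-time-code login as the verifier experiences it. The bank, the carrier's SMS channel, the victim and a phishing page are all simulated in one Python process; "alice", her password and phone number are constructed sample values. The possession factor (the phone) is exercised at the endpoint, but the only thing that reaches the point of authentication is a six-digit string, so a page that relays the victim's password and code gets the same session the victim would.

```python
"""Added illustration: an SMS one-time-code login seen from the point of
authentication.  Everything is simulated in-process (bank, carrier, victim,
phishing page); 'alice', her password and phone number are constructed
sample values, not data from the article."""
import hashlib
import hmac
import secrets


class SmsChannel:
    """Stands in for the carrier: remembers the last code delivered per number."""

    def __init__(self):
        self.inbox = {}

    def send(self, phone, code):
        self.inbox[phone] = code


class Bank:
    """The point of authentication.  It never sees a phone or a card, only
    the strings that arrive in the login request."""

    def __init__(self, sms):
        self.sms = sms
        self.users = {}    # username -> (salt, password digest, phone number)
        self.pending = {}  # login_id -> (username, expected one-time code)
        self.seen = []     # exactly what the verifier had to decide with

    def register(self, username, password, phone):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self.users[username] = (salt, digest, phone)

    def start_login(self, username, password):
        """Factor 1: password check.  On success, text a code to the phone
        on file and return a login id.  The possession factor is exercised
        at the endpoint (the phone), not here."""
        salt, digest, phone = self.users[username]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if not hmac.compare_digest(candidate, digest):
            return None
        code = f"{secrets.randbelow(10 ** 6):06d}"
        login_id = secrets.token_hex(8)
        self.pending[login_id] = (username, code)
        self.sms.send(phone, code)
        return login_id

    def finish_login(self, login_id, code):
        """Factor 2 as the server experiences it: one string compared with
        another.  Nothing in the request says who typed the code."""
        username, expected = self.pending.pop(login_id, (None, None))
        if username is None:
            return None
        self.seen.append({"login_id": login_id, "code": code})
        if hmac.compare_digest(code, expected):
            return f"session:{username}"
        return None


def legitimate_login(bank, sms, username, password, phone):
    """The real user: reads the SMS on her own phone and submits it."""
    login_id = bank.start_login(username, password)
    return bank.finish_login(login_id, sms.inbox[phone])


def relayed_login(bank, sms, username, password, victim_phone):
    """Phishing page in the middle.  The victim types her password and then
    the texted code into the attacker's page; the page replays both into the
    attacker's own login attempt against the bank."""
    login_id = bank.start_login(username, password)   # attacker's request
    code_typed_into_phish = sms.inbox[victim_phone]   # real phone, real SMS
    return bank.finish_login(login_id, code_typed_into_phish)


def demo():
    sms = SmsChannel()
    bank = Bank(sms)
    bank.register("alice", "correct horse battery", "+1-555-0100")
    honest = legitimate_login(bank, sms, "alice", "correct horse battery", "+1-555-0100")
    relayed = relayed_login(bank, sms, "alice", "correct horse battery", "+1-555-0100")
    # A guessed code is still rejected: the check works exactly as designed,
    # it just cannot tell the two successful submissions above apart.
    guessed = bank.finish_login(bank.start_login("alice", "correct horse battery"), "wrong")
    return {"honest": honest, "relayed": relayed, "guessed": guessed, "seen": bank.seen}


if __name__ == "__main__":
    result = demo()
    print("honest:", result["honest"], "relayed:", result["relayed"], "guessed:", result["guessed"])
    for entry in result["seen"]:
        print(entry)   # identical shape for the honest and the relayed attempt
```

Running `demo()` returns the same `session:alice` for both the honest and the relayed attempt; the `seen` list shows that the verifier's record of the two is identical in kind, a login id and a code, which is the "data, a single factor" point above.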

Indirect Assertion of Identity has fully matured, and its record is on the books: ZDNet, "Gemalto reports 4.6 billion record breaches in the first half of 2018", October 9, 2018. Over those six months that is an average of roughly 290 records per second! Indirect Assertion of Identity has been proven a failure. With breach rates growing by more than 100% annually, has the time come for a Direct Assertion of Identity model?

Direct Assertion of Identity on the Internet is the only alternative to Indirect Assertion of Identity; it is a binary decision.

