Our Authentifusion webinar last week answered a lot of questions - and created some great new ones.
Last week's webinar shined a spotlight on the direction and promise of “advanced authentication” as defined by PwC in their Global State of Information Security Survey for 2016. We talked about a passwordless future, the role of device-based authentication in that future, and collectively imagined the usability and security benefits that could soon be provided by the notion of “continuous authentication.”
If you missed it, be sure to listen to the on-demand recording of the webinar.
I'm happy to report the webinar was a well-attended event with a high degree of engagement and enthusiasm from the participants who, not surprisingly, had tons of smart questions.
Here are some of the highlights from the Q&A portion of the webinar:
Q: If we use our phones and devices to authenticate, but we lose them or they’re stolen, have we given hackers access to all our accounts?
This is a great question, and one that seems to come up often. Every method of authentication has a “weakest link.” If a phone or other device has no password or thumbprint protection but is used to authenticate into web sites or applications, and is ultimately lost, then yes, there’s a problem.
My personal belief is that the possible damage in this case is limited to a very small window. Most of us would immediately notice if our phone was lost or stolen, and could notify our accounts. By comparison, with literally billions of user credentials available on the black market, most of us don’t realize when an account has been compromised until the thief is long gone.
Is it better to know you’re vulnerable (because you can’t find your phone, let’s say) or to blindly trust that your passwords aren’t being bought with bitcoins by some anonymous fraudster?
Q: Does “advanced authentication” as described by PwC apply to the Internet of Things?
Emphatically yes, and device-based authentication applies exceptionally well. Both will have a much stronger play in “consumer IoT” than in “industrial IoT”, but there are immediate opportunities today. In the webinar, we talked about a new “keyless” program at Starwood Hotels that uses your phone, NFC (“near-field communications”) and an authentication code to replace keycards for accessing your hotel room. This combination (your device + NFC + an authentication protocol) could be applicable to cars, smart meters, and home environmental systems in the very near future.
Q: How does your Customer Authentication solution differ from iovation's typical Fraud solution?
While the platform and many of the underlying functions are the same, there is a big difference in perspective and how the search algorithms are tuned. I call this the difference between “finding bad actors” (fraud prevention) and “securing good customers” (authentication).
In the first case, we look at a given device – whether mobile, laptop, a library-bound desktop, or iPad – and try to determine if any evidence of risk exists, or if this is a device we can match to one of the million-plus devices our customers may have placed fraud evidence against. In the latter case, we’re simply trying to answer the question, “Is this the device the customer paired with their account previously?” Whether the result is an exact match, a partial match, or a loose match, how much risk might be presented by this determination?
To access the entire Q&A session, check out the on-demand recording of the webinar.
And don't forget to keep your eyes peeled for the next webinar in the series, coming soon!