Federated identity orchestration

SMART Access & Identity 2025 Editor's Choice, Access Control & Identity Management, Security Services & Risk Management, AI & Data Analytics

In our first article of the Smart Access & Identity Handbook, we focus on identity authentication. Jason Shedden, chief operating officer at Contactable, offers insights into identity authentication’s realities.

Contactable offers digital identity solutions that eliminate the need for traditional, paper-based identification methods. It designed a platform to create a federated identity service where an individual’s identity is managed and controlled by securely maintaining a database of different aspects of their identity, and sharing this with known and authorised businesses. Its Integrated Identity Platform (IIP) streamlines the identity verification process, using digital identity, KYC (Know Your Customer), biometrics, and seamless data integration. (More about the company can be found at www.securitysa.com/15287r.)

What is happening in South African businesses in terms of identity authentication?

Shedden: Identity authentication is becoming a real requirement in South Africa, especially as the regulator steps up to the batting plate in its battle against the Sovereign Risk Status in South Africa, which has seen a material increase in the role of strong identity authentication in a move to combat money laundering in South Africa.

Biometric verification across all vertical industries (banking, gambling, medical, telecommunications, insurance, etc.) is rising, and a drive to truly know your customer is underway. Regulatory pressure in the form of fines and harsh penalties is becoming a reality, and ownership of the customer authentication process is consequently moving ‘closer to home’ as accountable institutions are impacted.



Simple trends include companies with distributed broker networks no longer relying on third-party distributors to perform the overall IDA process independently. In addition, telcos are being forced to introduce biometric data points into their authentication and re-authentication processes to combat the increase in SIM swap fraud resulting from a material rise in digital mobile wallets on offer through telecommunications companies. Overall, the heat is being turned up, and IDA resides at the heart of the industries’ resolve.

Companies also rely more on remote transactions to deliver services, as extending a physical network, via a branch or distributed agents, is expensive. The challenge remains, however, that remote access transactions are the most vulnerable to exploitation as they are, by definition, remote and outside of a trusted network. For this reason, technology has had to step in and step up to create a trust fabric in which to transact in this regard. Understanding exactly who resides at the end of a digital device is key, and simple identity number verification by the Department of Home Affairs is no longer a viable solution on its own.

Digital identities are very real, not only in South Africa, but globally. There are multiple use cases where digital identities are being used daily to conduct services like opening digital mobile banking wallets, RICA of SIM cards onto networks with strong KYC authentication, and authentication of users for online gaming (especially at the payout stage), amongst others. In addition, Web 3 brings about new possibilities with defederated ledger technology to introduce more robust digital transacting in the future through digital financial identities (DFIDs) and Sovereign State Identities (SSI).

[A defederated ledger is a type of distributed ledger technology (DLT) that combines elements of centralised and decentralised systems. In general, a defederated ledger aims to use the advantages of decentralisation, while maintaining a level of control and efficiency. - Ed.]

With standards such as FIDO, are we moving away from PINs and passwords?

Shedden: There is certainly a drive to move away from the traditional authentication methods; however, there is a notable battle between moving forward with technology and legacy systems that prevent this from happening seamlessly. OTPs, passwords, and PINs remain at the core of banking systems, mobile platforms, etc., and will continue to do so as long as the market is not fully educated on the alternatives.

If one considers how tools in Web 3 are assisting in future-based authentication (blockchain and digital wallets), then one must also consider that understanding how such tools work requires significant consumer education. Only a handful of the total digital population is familiar with the principles that Web 3 imparts. Until such philosophy is second nature to many, it will remain in the starting blocks despite its potential. One cannot imagine that PIN and password protocols will be redundant soon.

[According to Google Gemini, Web3 is a vision for a new iteration of the internet, characterised by decentralisation, blockchain technologies, and token-based economics. It aims to shift control and ownership away from large corporations to individual users. – Ed.]

What about ‘non-password’ options?

Shedden: The philosophy of consumer education remains, as the Authenticator requires a degree of sophistication that the average consumer is not able or willing to engage. One must consider the entire digital audience when thinking about the success rate of new technologies. In South Africa alone, if you consider that most digital mobile consumers are in the mid to lower LSM market segments, then something like Authenticator has little place in this world. This is why legacy technologies like OTPs, PINs and passwords will remain into the foreseeable future.

How dangerous are passwords and PINs for IDA?

Shedden: It is hard to make a call on the dangers of PINs and passwords for IDA, specifically because context matters in this regard. How PINs and passwords are implemented is often where the danger is mitigated or not. For example, two-factor authentication is coupled with PIN or password mechanisms to enhance their efficacy, or CAPTCHAs are used to prevent robotic attacks where password interfaces are required. Without such mitigation standards, pure PIN and password standards are not secure given the processing power available today.

In this light, there is a definite move away from them as primary tools, and the inclusion of biometric data with strong NIST (National Institute of Standards and Technology) rated liveness algorithms is taking their place. One must always caution, however, to not spend significant time and effort to create a secure identity using IDA methodologies only to compromise the identity post creation by allowing PIN and password protocols as a means to modify or replace existing identity data. This is why biometric data is critical as the primary re-authentication protocol, and PIN and password should be part of a second-factor authentication only.

Is Identity as a service (IDaaS) taking hold in SA?

Shedden: There is no doubt that IDaaS is taking hold in South Africa. In the context of IDA, there are new synonyms to describe IDaaS, such as Integrated Identity Platforms (IIPs) or Federated Identity Orchestration. At the heart of these services, regardless of what they are called, lies the ability to validate and authenticate a person’s identity using a digital channel only, and the growth rate of such services is material across almost all vertical sectors of the South African industry.

The best definition of trust is the extent to which organisations adopt and deploy IDaaS services; in this instance, many large corporations are leading the way. The role of IDaaS services is being fulfilled in collaboration with companies’ compliance divisions due to the regulatory pressures and rules imposed on them. It is no longer a purely operational process as it has to speak to a company’s risk management and compliance processes, which in turn speaks to the trust element of IDaaS as it addresses legal compliance.

Are devices on a network subject to IDA?

Shedden: In our experience, you cannot separate IoT from the requirements for IDA. We have seen some movement in including IDA for digital devices, but we have not yet seen the uptake in this regard. The philosophy, however, remains universally true in that a device entering any trust framework should be fully authenticated, just like a human. It contains the same (if not more) potential to do harm inside of a trusted ecosystem.

Some South African companies have made significant inroads into IoT and device authentication; however, the first challenge has been to provide a universal language that can connect all devices on the edge into a standardised integration framework. A good comparison of the problem is finding a universal translator for all spoken languages in the world so that one can communicate in a common tongue.

Experience has shown that the focus in this regard has preceded IDA authentication of devices as a priority; however, now that certain service providers have developed reputable gateways that can translate all devices into a common tongue, there is no doubt that IDA is part of the overall road map for IoT going forward.

How important is cybersecurity to people setting up or using IDA?

Shedden: Any institution that does not consider cybersecurity, identity management, IT security or any component of it as a singular concept has made its first material error. The principle of ‘absolute security’ and how data and identity management are handled across all facets of processing is fundamental. Frameworks like ISO 27001, as a minimum standard, are fast becoming a mandatory requirement for any provider looking to offer IDaaS services to reputable institutions.

There is a palpable thought movement driving an awareness regarding data protection as a collective responsibility in which all players in a value chain have a part to contribute towards protecting a consumer’s identity end to end. The proverbial ‘weakest links’ are being held accountable through things like ISO 27001 policies that enforce data processing standards and data processing responsibilities onto contracting parties to ensure a security standard is maintained throughout the value chain. While this is not easy to do, it has led to companies only doing business with companies with a good track record and well-established operations, including aspects like cyber security solutions, ISO 27001, governance, client list etc.

Whether companies and users worry about cyber breaches when it comes to identity management, as opposed to focusing on making it as seamless and easy as possible, is a relevant question because, sadly, evidence of ‘quantity over quality’ still dominates a lot of corporate behaviour where revenue is the primary driver of success. The philosophy of closing out a sale is often done ‘at all costs’, and the consequences of such action are dealt with as a reactive remedial event for many companies.

It is less than ideal, and the role of the regulator, and to a greater extent the IDaaS service providers in the respective industries, is critical to driving a change in behaviour to ‘quality over quantity’. Ensuring efficient and streamlined IDaaS technology that contributes positively to user experience is fundamental to driving change.

Where IDaaS companies can contribute materially is to ‘force’ a minimum standard of IDA rather than offer their services as a mechanism to solve the requirements of IDA where the absolute minimum standard has been applied. IDaaS players have a great responsibility to educate their clients about the consequences of ‘quantity over quality’ in today’s changing landscape.

Where are SA companies in the move to Zero Trust?

Shedden: I am not qualified or experienced enough to talk on behalf of the industry as a whole; however, based on my experience, I can contribute that the difficulty of implementing Zero Trust resides principally in the granularity required to monitor or control micro aspects of a greater security system. This is all fine and well if you have implemented the latest cloud infrastructure and your company is state of the art in terms of its technology standards, because this is part of the offering at the time of implementation.

Where legacy systems exist, however, it becomes substantially more difficult to implement Zero Trust as such systems were never designed with Zero Trust in mind. Legacy systems hold true for many large corporates out there, especially where stability and consistency of performance is critical (banking systems), resulting in change only taking place over extended periods. Implementing the required checks and balances into legacy frameworks is a significant development investment in both time and money, and often the benefits of Zero Trust frameworks are not well understood or palpable enough for decision-makers to endorse such efforts as a core priority.

What role does your company play in the IDA market, how do you approach IDA, and what products/solutions/services do you offer?

Shedden: Contactable is proudly South African and has been independently listed as the leading provider of integrated identity platform services in Africa. It provides IDA services for many large corporations in South Africa that transcend many industry verticals, including telecommunications, retail services, insurance, banking, motor, gambling, medical, and financial services. The focus is on providing a strongly authenticated digital identity by layering up and assessing various identity attributes in a collective digital journey. This allows for the highest probable outcome for accurate IDA assessment and the establishment of trust.

For more information, contact Contactable, +27 10 100 3647, info@staycontactable.com, www.contactable.co.za






© Technews Publishing (Pty) Ltd. | All Rights Reserved.