Working some related topics here. we have a considerable opportunity now to have a universal device that can provide identity. Need to make the credentials secure in the context that the individual needs or wants.
The Identity in Everyone's Pocket By Phil Vachon
Communications of the ACM, January 2021, Vol. 64 No. 1, Pages 46-55 10.1145/3424262
Most every technology practitioner has a smartphone of some sort. Around the world cellular connectivity is more ubiquitous than clean, running water. With their smartphones, owners can do their banking, interact with their local government, shop for day-to-day essentials, or simply keep in touch with their loved ones around the globe.
It's this ubiquity that introduces interesting security challenges and opportunities. Not even 10 years ago, a concept like biometric authentication was a novelty, reserved only for specialized applications in government and the financial services industry. Today you would be hard-pressed to find users who have not had the experience of unlocking their phones with a fingerprint, or more recently by simply looking at the display. But there is more to the picture than meets the (camera's) eye: Deep beneath layers of glitzy user interfaces, there is a world of secure processors, hardware-backed key storage, and user-identity management that drives this deceptively simple capability.
Newer phones use these security features in many different ways and combinations. As with any security technology, however, using a feature incorrectly can create a false sense of security. As such, many app developers and service providers today do not use any of the secure identity-management facilities that modern phones offer. For those of you who fall into this camp, this article is meant to leave you with ideas about how to bring a hardware-backed and biometrics-based concept of user identity into your ecosystem.
The goal is simple: Make it as hard as possible for attackers to steal credentials and use them at their leisure. Let's even make it difficult for users to clone their own credentials to share with other users. In addition to this protection, let's ensure that adding extra factors such as biometric authentication provides a stronger assurance of who the user is. Bringing keys and other secrets closer and closer to something that is physically attached to the user provides a stronger assurance of the identity of the user who just authenticated to the device. ... "
No comments:
Post a Comment