Blogger: Mark Diodati
Tim Renshaw is a VP at TriCipher, and he has a blog over at http://eyedentityonline.com. TriCipher is a consumer authentication company; its technology provides mobile PKI in various forms and adds security by splitting the private key. He wrote a post about my two-part interview with Jeff Gould at eWeek (the second part of the interview is here, and Tim's blog entry is here). Basically, he says I don't know what I am talking about. How can I resist a reply?
One fact that I have stated continually over the years is that no mainstream authentication method (consumer or enterprise) is bulletproof. Even the PKI solution Tim touts is problematic, and I don't agree with his assessment that it will solve the consumer authentication problem. It's clear from talking to the world's largest financial institutions (FIs) that most of them are not prepared to deploy a full-blown client and/or hardware solution: U.S. consumers don't want them (note: the recent VeriSign/eBay announcement is not a bellwether for general consumer usage), and the FIs are unprepared for the onslaught of help desk calls. But let's assume for the sake of argument that FIs could deploy smart cards on a large scale.
Smart cards offer a highly tamper-resistant storage mechanism for private keys. Most people would agree that smart cards are the most mainstream secure storage mechanism for private keys (after all, deploying HSMs to end users is impractical, right?). I like the technology for the right use cases, and I think it is perhaps the best authenticator available from a security perspective (provided, as with any authentication technology, that the identity proofing is done correctly). But even smart cards are subject to attack. Let's say the client middleware is configured to authenticate the user once via PIN (or biometric) and then allow continual access to the private key. Malware running on the user's PC can send data down to the smart card to be signed with the private key, and the user would never know. Let's kick it up a notch: make the user enter the PIN every time a signing function is required (ignoring the usability implications). The card signs whatever bytes the host hands it, so malware can send down data for signature that is different from what the user is expecting to sign.
Software-based PKI solutions overcome some of the smart card deployment concerns, but they are not as secure as smart cards and are subject to attacks similar to the one Tim describes for typing biometrics.
Another fact that I have stated over the years is that authentication solutions must be layered to provide the level of identity assurance the application requires. This is why you are seeing the FIs overlay risk analytic engines on top of primary authentication mechanisms. No one technology will do the trick. I'm not summarily dismissing either the typing biometric or PKI technologies. To suggest, however, that PKI will solve the consumer authentication problem is disingenuous.