Top Stories
Navigating Secure Authentication Across the Wild West of the Internet

By Ralf Gladis, CEO, Computop
Remaining secure while benefiting from all the Internet has to offer is what we, as consumers, seek. Which is why secure identification and authentication are increasingly vital. The transfer of sensitive data, including payment transactions, must be performed with as little risk as possible to protect not just customers, but service providers too, against the theft and misuse of valuable information.
Currently the largely uncharted digital world can feel like the wild west when it comes to security. The combination of user name and password is comparatively insecure and alternative, more sophisticated methods are competing for the best positions on the market. We have yet to see the solid establishment of a standardised and generally accepted system for secure identification and authentication, but in the meantime, it’s important to understand the landscape.
Identification and authentication
These terms are often used synonymously, but they describe two different processes. Identification is when a person proves their identity to an authority or entity to which they were previously unknown. This occurs, for example, via conventional registration with an email address and password, which is sufficient for many services. For more sensitive applications such as payment transactions or banking, on the other hand, there are more sophisticated identification processes such as Postident and WebID. These use significantly more complex methods to check whether a person corresponds to the identity he or she claims to have.
Authentication, conversely, involves recognition. After a user has identified themselves and registered, they must log in and, for this and all subsequent uses, be authenticated. The usual pairing of user name and password entered during registration is typically used for this purpose.
However, this method has long been criticised because, compared to other processes, it is relatively insecure – particularly when the user’s email address also serves as the username. In addition, many customers consider password management to be tedious, which means that instead of using complex letter and number combinations they resort to an easily memorable code based on birth dates or family names. Unsurprisingly, this is easy to crack and presents a high security risk.
Social-login solutions from sites including Facebook, Twitter, LinkedIn or Google apply once the user has registered, which means that website operators don’t store the log-in data on their servers. Instead, authentication is performed via the plug-in of the relevant site, making it harder for criminals to steal login information and hack the account. Many platforms offer optional two-factor authentication via mobile phone number, which makes them significantly more secure than with just one password or with access via a password manager, but this is not compelling to users, who are often reluctant to give the sites their mobile numbers. To address this, Apple has just launched a new privacy tool, ‘Sign In with Apple’, which uses the customer’s Apple ID rather than their email address to verify credentials. Meanwhile, the social media giants still lack the final proof of identity which can only be provided by service providers who identify their users in a lawful manner and then securely link the information to an authentication process. They are then able to link each authentication to the identity behind it.
Processes such as ‘Identity management’ and ‘Postident’ in Germany or BankID in Sweden are state-regulated identity verifications which meet high security requirements. Regulators recognise them as equivalent to identification through personal presence. These processes must fulfil specific regulations in the relevant countries to be accepted as secure by the government. For example, in Germany, the identification must be carried out by service provider employees who are in access-protected rooms. Additional requirements include uninterrupted video identifications in real-time and adequate image and sound quality.
PKI
Identification and authentication can be encoded asymmetrically via a private and a public key. This relies on a certification authority (CA) which verifies public keys and issues digital certificates for them. The key pair is usually generated on the device or smartcard of the user. The private key always stays with the user, while the public counterpart, which has been signed by the CA, is submitted to the service for which they are registering. For authentication, the service provider sends the user a calculation which they can only solve if they possess the private key – this is the central security element. Only the service with the matching public counterpart which has sent the request is able to check the solution. The security provider only issues it in a protected environment. This may be, for example, a protected hardware sector in an iPhone. They sign the public key with a certificate authority (CA). As with the SSL certificate of a website, the certificate is verifiable for any outsider and is generally issued for the email address of the user. The authenticity, confidentiality and integrity of messages are guaranteed. If the issuer of the certificate has checked and verified the identity of the user, the user can use it to sign documents in accordance with signature legislation. The digital signature thus replaces the ‘wet’ signature.
With clearly and lawfully identified customers, data centres and smartcards, banks have the ideal conditions to work with PKI, but they are not widely adopting it at the moment.
FIDO
To reduce password reliance, the FIDO Alliance (Fast IDentity Online) is establishing public and licence-free industry standards for global online authentication. Like PKI, FIDO uses a pair comprising a public and a private key. However, the duo is generated through the FIDO authenticator, a protected software area in the smartphone, and this supports user verification which takes place every time the key is used, for example via biometric methods such as iris or fingerprint scans.
Almost all operating systems offer suitable interfaces. For web services, FIDO is a convenient and secure option for authentication which they can integrate easily using a FIDO server. With web authentication, the W3C consortium (a body for the standardisation of technology on the Internet) has adopted an authentication standard for web browsers with a FIDO connection, which is already being used in Microsoft Edge, Google Chrome and Mozilla Firefox and is being considered by Apple for Safari. It enables password-free authentication in the browser. Users can log into websites using their fingerprint or via face recognition, rather than a user name and password. Manufacturers can use the API for smartphones and tablets with a fingerprint sensor (e.g. Touch ID) or face recognition (Windows Hello, Face ID). The biometric user data therefore remains in a secure area of the device, which it never leaves.
FIDO & PSD2
The revised Payment Services Directive (PSD2) aims to make electronic payments in Europe more convenient and secure by requiring stronger authentication. To this end, authentication must combine at least two of the following three factors:
- Knowledge: Information that only the user knows (e.g. password).
- Possession: Something that only the user owns (e.g. smartphone).
- Inherence: Something that is a personal or physical aspect of the user (e.g. fingerprint).
FIDO enables secure authentication without passwords. A separate key pair exists in the FIDO authenticator for every service to which a user logs in. The authenticator represents the factor of possession. A smartphone combines it with the factors of knowledge or inherence. The FIDO authenticator builds on this as it can only be activated via a PIN, fingerprint sensor or facial recognition. Computop’s FIDO solution will enable merchants to provide their customers with a biometric login to their webshop account but also to authenticate their payment in a safe and quick process that will be beneficial for the shopping experience. It is important to note that biometric data is stored in a highly encrypted secure element on the customer’s device and is never handed over to the service provider.
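The challenge-and-response login from the PKI section, combined with FIDO's separate key pair for every service, can be sketched as follows. This is an added example, not Computop's or the FIDO Alliance's code: it is a simplified model rather than the WebAuthn message format, and the class names, the `.example` origins and the user name are assumptions.

```javascript
const { generateKeyPairSync, randomBytes, sign, verify } = require('node:crypto');

// Authenticator (assumed name): one Ed25519 key pair per service; private keys stay here.
class Authenticator {
  constructor() { this.keys = new Map(); }            // origin -> private key
  register(origin) {
    const { publicKey, privateKey } = generateKeyPairSync('ed25519');
    this.keys.set(origin, privateKey);
    return publicKey;                                 // only the public half is handed over
  }
  // Sign the challenge together with the origin that is asking for it.
  answer(origin, challenge) {
    const key = this.keys.get(origin);
    if (!key) return null;                            // no key pair for this origin
    return sign(null, Buffer.concat([Buffer.from(origin), challenge]), key);
  }
}

// Service (assumed name): stores public keys, issues single-use random challenges.
class Service {
  constructor(origin) {
    this.origin = origin;
    this.publicKeys = new Map();                      // user -> public key
    this.pending = new Map();                         // user -> outstanding challenge
  }
  enroll(user, publicKey) { this.publicKeys.set(user, publicKey); }
  challenge(user) {
    const c = randomBytes(32);
    this.pending.set(user, c);
    return c;
  }
  login(user, signature) {
    const c = this.pending.get(user);
    const pub = this.publicKeys.get(user);
    this.pending.delete(user);                        // each challenge is accepted once
    if (!c || !pub || !signature) return false;
    return verify(null, Buffer.concat([Buffer.from(this.origin), c]), pub, signature);
  }
}

// Constructed scenario: one phone, two services, four login attempts.
function demo() {
  const phone = new Authenticator();
  const shop = new Service('https://shop.example');
  const bank = new Service('https://bank.example');
  shop.enroll('alice', phone.register(shop.origin));
  bank.enroll('alice', phone.register(bank.origin));
  const sig = phone.answer(shop.origin, shop.challenge('alice'));
  const genuine = shop.login('alice', sig);           // fresh challenge, right key
  shop.challenge('alice');
  const replayed = shop.login('alice', sig);          // old answer to a new challenge
  const crossService = bank.login('alice',            // shop key presented to the bank
    phone.answer(shop.origin, bank.challenge('alice')));
  const lookAlike = shop.login('alice',               // origin the phone never registered
    phone.answer('https://shop-login.example', shop.challenge('alice')));
  return { genuine, replayed, crossService, lookAlike };
}

console.log(demo());
```

Only the first attempt succeeds: the service never holds a secret worth stealing, an intercepted answer is useless against the next challenge, and a key registered for one origin proves nothing to another.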
Blockchain
Blockchain is a continuously expandable list of records (blocks) that are chained through cryptographic techniques, whereby each block contains a cryptographically secure hash of the previous block, a timestamp and the transaction data. If someone wishes to manipulate a block, they must also change all the following blocks, a costly exercise that makes this type of fraud unprofitable and the technology tamper-proof.
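The chaining described above can be checked in a few lines. This is an added example, not code from the article or from any blockchain project: it models only the hash links (no consensus or proof-of-work), and the function names, record strings and timestamps are constructed for illustration.

```javascript
const { createHash } = require('node:crypto');
const GENESIS = '0'.repeat(64);                 // assumed placeholder for "no previous block"

// A block's hash covers the previous block's hash, the timestamp and the data.
function blockHash(b) {
  return createHash('sha256').update(JSON.stringify([b.prevHash, b.timestamp, b.data])).digest('hex');
}

function append(chain, timestamp, data) {
  const prevHash = chain.length ? chain[chain.length - 1].hash : GENESIS;
  const block = { prevHash, timestamp, data };
  block.hash = blockHash(block);
  chain.push(block);
}

// Index of the first block that fails verification, or -1 if every link holds.
function firstInvalid(chain) {
  for (let i = 0; i < chain.length; i++) {
    const expectedPrev = i === 0 ? GENESIS : chain[i - 1].hash;
    if (chain[i].prevHash !== expectedPrev) return i;      // link to predecessor broken
    if (chain[i].hash !== blockHash(chain[i])) return i;   // contents changed after hashing
  }
  return -1;
}

// Recompute hashes from block `from` to the end, as someone hiding an edit would have to.
function rehashFrom(chain, from) {
  for (let i = from; i < chain.length; i++) {
    chain[i].prevHash = i === 0 ? GENESIS : chain[i - 1].hash;
    chain[i].hash = blockHash(chain[i]);
  }
}

function demo() {
  const chain = [];                              // constructed records, not real data
  append(chain, 1613730000, 'alice@example.test -> provider A, trust high');
  append(chain, 1613730060, 'bob@example.test -> provider B, trust basic');
  append(chain, 1613730120, 'carol@example.test -> provider A, trust high');
  const copy = () => chain.map((b) => ({ ...b }));
  const recordedHead = chain[chain.length - 1].hash;   // head hash other parties hold
  const edited = copy();
  edited[1].data = 'bob@example.test -> provider B, trust high';
  const oneBlock = copy();
  oneBlock[1].data = edited[1].data;
  oneBlock[1].hash = blockHash(oneBlock[1]);     // only the edited block re-hashed
  const rewritten = copy();
  rewritten[1].data = edited[1].data;
  rehashFrom(rewritten, 1);                      // every following block re-hashed
  return {
    intact: firstInvalid(chain),
    dataEdited: firstInvalid(edited),
    oneBlockRehashed: firstInvalid(oneBlock),
    allRehashed: firstInvalid(rewritten),
    headStillMatches: rewritten[rewritten.length - 1].hash === recordedHead,
  };
}

console.log(demo());
```

An edit is caught at the changed block, or at its successor if only that block is re-hashed. Re-hashing every following block produces an internally consistent chain, but its head hash no longer matches the one other participants recorded.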
Identity providers and brokers can store the customer’s identity information along with the offered trust level, the cost of an identification and the delegation address for the authentication in the blockchain. The end customer clicks on the central checkout button on the e-tailer’s website and enters their email address there. The system checks if a local authentication is available for the customer – either via a FIDO biometric solution or a user name and password combination. It then asks the blockchain if there is a registered identity provider for the customer. If not, they can register locally. The identity provider delivers the identity information and confirms the successful authentication.
Summary
PSPs like Computop have to be prepared for the challenges that the future presents. As we’ve seen, numerous initiatives will ensure secure digital identification and authentication in the future. Standards such as FIDO set the course for future business and government communication which gets by without passwords. Google, HUAWEI, Intel, Lenovo, Microsoft, Samsung and others are working on the aspects of functionality and convenience. Retailers can decide if they identify and authenticate customers using their own system or instead work with service companies and full-service identity providers. However, development on the market shows one thing clearly: the reign of passwords is coming to an end.
Top Stories
UK might need negative rates if recovery disappoints – BoE’s Vlieghe

By David Milliken and William Schomberg
LONDON (Reuters) – The Bank of England might need to cut interest rates below zero later this year or in 2022 if a recovery in the economy disappoints, especially if there is persistent unemployment, policymaker Gertjan Vlieghe said on Friday.
Vlieghe said he thought the likeliest scenario was that the economy would recover strongly as forecast by the central bank earlier this month, meaning a further loosening of monetary policy would not be needed.
Data published on Friday suggested the economy had stabilised after a new COVID-19 lockdown hit retailers last month, while businesses and consumers are hopeful a fast vaccination campaign will spur a recovery.
Vlieghe said in a speech published by the BoE that there was a risk of lasting job market weakness hurting wages and prices.
“In such a scenario, I judge more monetary stimulus would be appropriate, and I would favour a negative Bank Rate as the tool to implement the stimulus,” he said.
“The time to implement it would be whenever the data, or the balance of risks around it, suggest that the recovery is falling short of fully eliminating economic slack, which might be later this year or into next year,” he added.
Vlieghe’s comments are similar to those of fellow policymaker Michael Saunders, who said on Thursday negative rates could be the BoE’s best tool in future.
Earlier this month the BoE gave British financial institutions six months to get ready for the possible introduction of negative interest rates, though it stressed that no decision had been taken on whether to implement them.
Investors saw the move as reducing the likelihood of the BoE following other central banks and adopting negative rates.
Some senior BoE policymakers, such as Deputy Governor Dave Ramsden, believe that adding to the central bank’s 875 billion pounds ($1.22 trillion) of government bond purchases remains the best way of boosting the economy if needed.
Vlieghe underscored the scale of the hit to Britain’s economy and said it was clear the country was not experiencing a V-shaped recovery, adding it was more like “something between a swoosh-shaped recovery and a W-shaped recovery.”
“I want to emphasise how far we still have to travel in this recovery,” he said, adding that it was “highly uncertain” how much of the pent-up savings amassed by households during the lockdowns would be spent.
By contrast, last week the BoE’s chief economist, Andy Haldane, likened the economy to a “coiled spring.”
Vlieghe also warned against raising interest rates if the economy appeared to be outperforming expectations.
“It is perfectly possible that we have a short period of pent up demand, after which demand eases back again,” he said.
Higher interest rates were unlikely to be appropriate until 2023 or 2024, he said.
($1 = 0.7146 pounds)
(Reporting by David Milliken; Editing by William Schomberg)
Top Stories
UK economy shows signs of stabilisation after new lockdown hit

By William Schomberg and David Milliken
LONDON (Reuters) – Britain’s economy has stabilised after a new COVID-19 lockdown last month hit retailers, and business and consumers are hopeful the vaccination campaign will spur a recovery, data showed on Friday.
The IHS Markit/CIPS flash composite Purchasing Managers’ Index, a survey of businesses, suggested the economy was barely shrinking in the first half of February as companies adjusted to the latest restrictions.
A separate survey of households showed consumers at their most confident since the pandemic began.
Britain’s economy had its biggest slump in 300 years in 2020, when it contracted by 10%, and will shrink by 4% in the first three months of 2021, the Bank of England predicts.
The central bank expects a strong subsequent recovery because of the COVID-19 vaccination programme – though policymaker Gertjan Vlieghe said in a speech on Friday that the BoE could need to cut interest rates below zero later this year if unemployment stayed high.
Prime Minister Boris Johnson is due on Monday to announce the next steps in England’s lockdown but has said any easing of restrictions will be gradual.
Official data for January underscored the impact of the latest lockdown on retailers.
Retail sales volumes slumped by 8.2% from December, a much bigger fall than the 2.5% decrease forecast in a Reuters poll of economists, and the second largest on record.
“The only good thing about the current lockdown is that it’s no way near as bad for the economy as the first one,” Paul Dales, an economist at Capital Economics, said.
The smaller fall in retail sales than last April’s 18% plunge reflected growth in online shopping.
BORROWING SURGE SLOWED IN JANUARY
There was some better news for finance minister Rishi Sunak as he prepares to announce Britain’s next annual budget on March 3.
Though public sector borrowing of 8.8 billion pounds ($12.3 billion) was the first January deficit in a decade, it was much less than the 24.5 billion pounds forecast in a Reuters poll.
That took borrowing since the start of the financial year in April to 270.6 billion pounds, reflecting a surge in spending and tax cuts ordered by Sunak.
The figure does not count losses on government-backed loans which could add 30 billion pounds to the shortfall this year, but the deficit is likely to be smaller than official forecasts, the Institute for Fiscal Studies think tank said.
Sunak is expected to extend a costly wage subsidy programme, at least for the hardest-hit sectors, but he said the time for a reckoning would come.
“It’s right that once our economy begins to recover, we should look to return the public finances to a more sustainable footing and I’ll always be honest with the British people about how we will do this,” he said.
Some economists expect higher taxes sooner rather than later.
“Big tax rises eventually will have to be announced, with 2022 likely to be the worst year, so that they will be far from voters’ minds by the time of the next general election in May 2024,” Samuel Tombs, at Pantheon Macroeconomics, said.
Public debt rose to 2.115 trillion pounds, or 97.9% of gross domestic product – a percentage not seen since the early 1960s.
The PMI survey and a separate measure of manufacturing from the Confederation of British Industry, showing factory orders suffering the smallest hit in a year, gave Sunak some cause for optimism.
IHS Markit’s chief business economist, Chris Williamson, said the improvement in business expectations suggested the economy was “poised for recovery.”
However the PMI survey showed factory output in February grew at its slowest rate in nine months. Many firms reported extra costs and disruption to supply chains from new post-Brexit barriers to trade with the European Union since Jan. 1.
Vlieghe warned against over-interpreting any early signs of growth. “It is perfectly possible that we have a short period of pent up demand, after which demand eases back again,” he said.
“We are experiencing something between a swoosh-shaped recovery and a W-shaped recovery. We are clearly not experiencing a V-shaped recovery.”
($1 = 0.7160 pounds)
(Editing by Angus MacSwan and Timothy Heritage)
Top Stories
Oil extends losses as Texas prepares to ramp up output

By Devika Krishna Kumar
NEW YORK (Reuters) – Oil prices fell for a second day on Friday, retreating further from recent highs as Texas energy companies began preparations to restart oil and gas fields shuttered by freezing weather.
Brent crude futures were down 33 cents, or 0.5%, at $63.60 a barrel by 11:06 a.m. (1606 GMT) U.S. West Texas Intermediate (WTI) crude futures fell 60 cents, or 1%, to $59.92.
This week, both benchmarks had climbed to the highest in more than a year.
“Price pullback thus far appears corrective and is slight within the context of this month’s major upside price acceleration,” said Jim Ritterbusch, president of Ritterbusch and Associates.
Unusually cold weather in Texas and the Plains states curtailed up to 4 million barrels per day (bpd) of crude production and 21 billion cubic feet of natural gas, analysts estimated.
Texas refiners halted about a fifth of the nation’s oil processing amid power outages and severe cold.
Companies were expected to prepare for production restarts on Friday as electric power and water services slowly resume, sources said.
“While much of the selling relates to a gradual resumption of power in the Gulf coast region ahead of a significant temperature warmup, the magnitude of this week’s loss of supply may require further discounting given much uncertainty regarding the extent and possible duration of lost output,” Ritterbusch said.
Oil fell despite a surprise drop in U.S. crude stockpiles in the week to Feb. 12, before the big freeze. Inventories fell by 7.3 million barrels to 461.8 million barrels, their lowest since March, the Energy Information Administration reported on Thursday. [EIA/S]
The United States on Thursday said it was ready to talk to Iran about returning to a 2015 agreement that aimed to prevent Tehran from acquiring nuclear weapons. Still, analysts did not expect near-term reversal of sanctions on Iran that were imposed by the previous U.S. administration.
“This breakthrough increases the probability that we may see Iran returning to the oil market soon, although there is much to be discussed and a new deal will not be a carbon-copy of the 2015 nuclear deal,” said StoneX analyst Kevin Solomon.
(Additional reporting by Ahmad Ghaddar in London and Roslan Khasawneh in Singapore and Sonali Paul in Melbourne; Editing by Jason Neely, David Goodman and David Gregorio)