Visa’s Post-pass­word Se­cu­rity Strat­egy

These days, pass­words are too eas­ily com­pro­mised to be of much use, but peo­ple still use them. To get past our re­liance on pass­words, Visa is build­ing an open plat­form for the pro­tec­tion of in­ter­net-con­nected de­vices.

ISO & Agent - - INSIDE 11/12.2017 - BY JOHN ADAMS

Visa is also join­ing the open de­vel­op­ment trend, with a goal of ad­vanc­ing se­cu­rity. Ul­ti­mately, the card network wants to em­brace a “smarter” al­ter­na­tive to pass­words.

In­ci­dents such as the Equifax breach cre­ate more ur­gency to move be­yond static iden­ti­fiers and au­then­ti­ca­tion meth­ods, and Visa is get­ting ag­gres­sive about push­ing dy­namic tools to vet and shield iden­tity.

Visa re­cently in­tro­duced Visa ID In­tel­li­gence, an open plat­form that is­suers, de­vel­op­ers and other par­ties can use to en­able bio­met­rics and other for­ward­look­ing au­then­ti­ca­tion tech­niques.

“We want to pro­vide faster ac­cess to what we think is smarter au­then­ti­ca­tion tech­nol­ogy,” said Mark Nelsen, se­nior vice pres­i­dent of risk and au­then­ti­ca­tion prod­ucts at Visa.

Visa projects that 20 bil­lion de­vices will be in­ter­net- con­nected by 2020, but not all de­vice mak­ers put se­cu­rity first. This places an onus on faster time to mar­ket for iden­tity pro­tec­tion. Visa wants to sup­port forms like face ID and touch bio­met­rics, which im­prove se­cu­rity through the use of fa­mil­iar au­then­ti­ca­tion habits.

“Con­sumers’ ex­pec­ta­tions for dig­i­tal ex­pe­ri­ences have been shaped by fric­tion­less and el­e­gant ex­pe­ri­ences pro­vided by brands like Ap­ple and Amazon,” said Julie Con­roy, re­search di­rec­tor of the re­tail bank­ing prac­tice at Aite Group, adding Aite’s re­search has found con­sumers choose con­ve­nience over se­cu­rity. “While there are cer­tainly tech­nolo­gies that can of­fer the win-win

and en­able ex­pe­ri­ences that are both more con­ve­nient and more se­cure, get­ting those so­lu­tions de­ployed in a timely man­ner is a chal­lenge for many busi­nesses.”

Visa’s not alone in try­ing to move peo­ple, mer­chants and is­suers be­yond pass­words, nor is its strat­egy new— com­pa­nies have wanted to dump user­names and pass­words for years.master­card sup­ports “selfie” ID as part of its im­ple­men­ta­tion of 3D- Se­cure, and fin­ger­print ID is a sta­ple of mo­bile wal­let apps, which are also build­ing to­ward fa­cial recog­ni­tion.

Avail­able through the Visa De­vel­oper Plat­form, Visa ID In­tel­li­gence ( VIDI) is ac­ces­si­ble through Visa’s ap­pli­ca­tion pro­gram­ming in­ter­faces and soft­ware de­vel­op­ment kits. Visa has vet­ted its tech­nol­ogy part­ners for se­cu­rity and con­sumer pri­vacy, in­clud­ing on­site as­sess­ments, pen­e­tra­tion test­ing, and on­go­ing com­pli­ance au­dits. The plat­form also en­ables stream­lined con­tract­ing to shave time off of ne­go­ti­a­tions.

VIDI com­pares images from the user’s cam­era with photo IDS (driver’s li­cense, pass­port, mil­i­tary ID), while ex­tract­ing and con­vert­ing in­for­ma­tion from doc­u­ments into dig­i­tal form. This is de­signed to speed ac­count cre­ation and serves as an al­ter­na­tive to calls to cus­tomer ser­vice to per­form pass­word re­sets or re­place cards.

Bio­met­ric choices through VIDI are eyes, face, fin­ger­print and voice, with Daon pow­er­ing the bio­met­ric tech­nol­ogy. Ap­pli­ca­tions in­clude app lo­gin, pay­ments, step-up au­then­ti­ca­tion, and other fea­tures. VIDI of­fer­ings will ex­pand in 2018 to user data and de­vice data to im­prove dig­i­tal iden­tity de­ci­sion­ing, work­ing with Neustar and Threat­metrix.

What could be par­tic­u­larly help­ful to banks is the abil­ity to use open de­vel­op­ment as a “sand­box” to test and de­velop tech­nol­ogy that’s part of a tai­lored iden­tity risk strat­egy.

Dy­namic au­then­ti­ca­tion does not move peo­ple away from pass­words, but an in­terim step is still wel­come, ac­cord­ing to Avi­vah Li­tan, a vice pres­i­dent and se­cu­rity spe­cial­ist at Gart­ner.

“Sup­ple­ment­ing pass­words is im­por­tant. It will take a long time to get rid of pass­words, be­cause peo­ple feel un­com­fort­able with get­ting rid of pass­words,” Li­tan said.

With Thurs­day’s an­nounce­ment, Visa is ex­pe­dit­ing this ap­proach. Ma­jor breaches at Equifax and large re­tail­ers have ex­posed holes in preven­tion that ex­ist through the pay­ments and broader tech­nol­ogy in­dus­tries. There’s a talent short­age, fears of se­vere long-term im­pact on mer­chants and a con­cern that even larger in­ci­dents are on the hori­zon.

As such, there’s a “ur­gency of now” to Visa’s strat­egy.

The breaches don’t nec­es­sar­ily in­volve Visa, but have a down­stream im­pact since ID theft usu­ally fu­els card theft. It can take up to two years to add a new se­cu­rity sys­tem at a bank or mer­chant, and that time­frame doesn’t fit a quickly chang­ing threat en­vi­ron­ment, Con­roy said.

“Any­thing that can cut down on the com­plex­ity of bring­ing more ef­fec­tive au­then­ti­ca­tion on­line is wel­comed,” said Al Pas­cual, re­search di­rec­tor and head of fraud and se­cu­rity at Javelin Strat­egy & Re­search.

Banks con­tend with far more than tech­ni­cal in­te­gra­tion and con­tract man­age­ment chal­lenges when im­ple­ment­ing new forms of au­then­ti­ca­tion, Pas­cual said.

“More specif­i­cally, in­sti­tu­tions need to de­ter­mine which so­lu­tions fit into their au­then­ti­ca­tion strat­egy across chal­lenges and prod­ucts, what vul­ner­a­bil­i­ties may ex­ist and how to best man­age for them,” he said.

Con­sumers en­counter many au­then­ti­ca­tion mo­ments dur­ing the course of a day, whether ac­cess­ing an ac­count, check­ing a bal­ance, or re­port­ing a lost card, Nelsen said. With so many pos­si­ble in­ter­ac­tions, speed and sim­plic­ity are key.

“We’re all about speed in in­tro­duc­ing new ID au­then­ti­ca­tion tech­nol­ogy. How can we do that faster…how can we get bio­met­rics in wide use in six months to a year out,” Nelsen said, adding a more tan­gi­ble time­line for bio­met­rics adop­tion is de­sire­able. “Bio­met­rics are stronger and more con­ve­nient to con­sumers…is­suers strug­gle with speed to mar­ket.”

Newspapers in English

Newspapers from USA

© PressReader. All rights reserved.