SlideShare a Scribd company logo

Token or no token-2,000 word arti cle

Download as DOCX, PDF
Hector Hoyos
Hector Hoyos
1 of 5
1 Token or No Token: Bringing Sanity And Order To The World of Identity Assertion By: Hector Hoyos, Chairman and CEO Hoyos Labs It is said that the definition of insanity is doing the same thing over and over again, expecting a different result every time. I feel that this is the direction into which the identity assertion industry is headed-into the realm of insanity. A few years ago, in 2010 I deployed the world’s first completely iris-based access control system at Bank of America Headquarters in Charlotte, North Carolina. It was based on the original proprietary technology and products, the HBOX and Eyelock, that I invented at the company I founded Global Rainmakers, Inc., now known as Eyelock Corp. It was true sights of beauty to see thousands upon thousands of Bank of America (BAC) team members gain entry to their workplaces all around the city of Charlotte with nothing more than a glance of their irises. Yes, that is correct, no tokens or access cards of any kind were used, and yes this was the HQ of one of the largest financial institutions in the world. It took us nearly 3 years to achieve such milestone. That deployment in the Summer of 2010 reshaped the face of the access control and the biometrics industries. Yet today, 3 years later, like the setback that general aviation suffered when the Condorde was removed from service, it appears that both industries have forgotten the lessons learned from that BAC deployment. One word defines all those lessons: CONVENIENCE. Back then there was a single paradigm that drove the success of that deployment and every other successful deployment across the world: CONVENIENCE. Think about this for a minute. If you knew that it was as safe as using your access card, would you rather not have to carry an access card and just use what you never leave home without, your iris-biometrics? Well, a good portion of the folks at BAC at first did not accept our Iris systems, voicing many concerns over privacy and data security; however, all those concerns were quelled upon seeing their co-workers waltz into the building right through the access points, without having to dig into their wallets or purses to pull out an access card. I was a personal witness to this. I wanted to understand the human behaviors factor in all that we were doing. It turned out to be The key element in the success of our deployments. I remember an exchange I had with a very nice lady who worked at BAC HQ in Charlotte. She was holding a cup of coffee in her left hand, her bag and coat in her right hand, and had files tucked under her right arm. I glanced at her and very quickly inquired what she thought of my irisgate. “ Look at me, are you kidding, its as CONVENIENT as a fast food drive-through,” she responded. There it was! After all the years of R&D and the tens of millions invested, after all the long hours discussing the sleek look of the housing, after all the science and
2 technology innovation accomplished, it was best summed up from a real world user and her 20 second experience-what the user wants, recognizes, cares about, and remembers is the CONVENIENCE. I felt like a famous producer at the premiere of his hit movie, except that my premiere only lasted 20 seconds. Then I glanced back across the lobby of this fantastic Gold Leeds structure BAC built in the center of Charlotte, and felt a warm fuzzy feeling as I saw hundreds of additional users take for granted what everyone had originally thought to be impossible, daunting, unacceptable-token-less iris-based access. Fast-forward 3 years. I am reading a Forbes article about Google introducing Google ID in 2014. Hmm, Interesting. As I progress through the article the more confused and perplexed I become. Google is proposing a 2-factor authentication system (2FA) using a username, a pin, plus a Yubikey token that connects to the USB port of your computer. Wow! What just happened? Had I gone back in time unknowingly? I knew Google was a member of the FIDO (Fast identity Online) Alliance, which supports biometrics in combination with a similar token. Yet now they had changed their minds and decided to completely drop biometrics? To begin with, like many, I never agreed with the flawed proposition of the FIDO Alliance requiring carrying a physical token to identify you. For years I had spread the “gospel of biometrics according to Hoyos”, in which I predicted that at some point in the near future we would have to drop usernames, passwords, and pins, and that all of them would be replaced with biometrics on mobile devices- smartphones to be precise. Many of my writings throughout the years pointed in this direction. The main reason I pointed to smartphones as the biometrics acquisition tool is because of the issue of CONVENIENCE. Its something we always carry that we cannot do without, not an extra something. Many folks over the years, in both the private and public sector, discounted my position of a world in which all identities will be asserted by means of our biometrics, simply telling me that passwords would never go away, even though they had nothing to back their position other than their corporate opinion. I based my position on facts stemming from my real world experiences. Today, I feel vindicated, because it is no longer the “gospel of biometrics” or even the “gospel of CONVENIENCE” according to Hoyos that is sending the message out to the world. Today, studies abound from Ericson, Paypal, IBM, Microsoft, and the Ponemo Institute that say exactly what I have been saying for the last 10+ years. According to Ericson’s study titled: “Your Body The New Password”, 52 percent of smartphone users want to use their fingerprints instead of passwords, a further 61 percent of people want to use fingerprints to unlock their phones, and 48 percent are interested in using eye-recognition. Another study by Paypal shows that consumers “are OK” with biometrics, and that 53 percent of those surveyed are “comfortable” replacing passwords with
3 fingerprints, and 45 percent would opt for a retinal scan. I’m sure they meant an iris scan, which shows how successful the biometrics industry has been educating consumers about types of biometrics. IBM Fellow and Speech CTO David Nahamoo states that over the next five years, your unique biological identity and biometric data – facial definitions, iris scans, voice files, even your DNA – will become the key to safeguarding your personal identity and information. and replace the current user ID and password system. Microsoft Research funded a study titled “The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes.” Among its main conclusions they state that the replacement to passwords should conform to the following criteria: nothing to carry, efficient to use, and easy recovery from loss. They go so far as to state that these criteria are achieved mostly by biometric schemes, and further state that tokens do NOT achieve this. After reading this I was really confused, because as Google did before, Microsoft had also joined the mighty ranks of the FIDO Alliance. Yet FIDO’s standard identity authentication protocol requires the use of a Yubikey token, but Microsoft Research’s Cormac Herley in Redmond placed his name representing Microsoft Research on the study cited above. So which is it: To use a token or not to use a token? Is Microsoft going against their own study because they don’t believe in its results or have they lost faith in biometrics at a time when the overwhelming majority of consumers are clamoring for biometrics to replace their usernames and passwords? What makes a company and a product successful is the adoption and continued support by consumers of its offerings. If there is something I have learned in all my years in the technology business is that this is an absolute truth. Consumers rule!!! Consumers the world over, all want the same thing: CONVENIENCE. Sure they want to be secure, but NOT at the cost of their CONVENIENCE. Any proposed scheme by any company or Alliance that intends to go against the grain of consumers in this sense will fail. So there it is, I just predicted the fall of the FIDO Alliance, as well as anyone else that attempts to architect and engineer an inconvenient identity authentication process. So much for swinging at windmills! Yet this time I am armed with something called HoyosID.
4 HoyosID is an identity assertion platform, which utilizes your smartphone as the biometrics acquisition device by using an app, which runs on Iphone and Android. The HoyosID Identity Assertion Platform leverages all available resources to secure the digital access management in a unique, convenient, and secure way. If you don’t want to use usernames and passwords, and securely login with your biometrics, HoyosID will facilitate such for you. You simply click on the login in a web page, which awakens the HoyosID app on your smartphone, you look at it, it acquires your biometrics, and logs you in. If you are not you, then our IDS (Intrusion Detection System) will block your smartphone and you. To hack you, someone must first appropriate your smartphone, and then attempt to hack it. So the HoyosID architecture effectively forces hackers to have to attempt hacking a user at a time. Gone will be the days of massive attacks that affect multitudes of consumers from a single breach. At Hoyos Labs we have invested most significantly into spoofing counter measures development. Spoofing is passing an authentication on the digital systems using a false credential that seems to be valid of an actual user registered in the system, such as a high-resolution photograph of you. Liveness detection counter measures are how the mobile application could recognize a live person from decoy images. HoyosID also prevents replay attacks, which is when someone attempts to “inject” a recording of yourself into the system as someone else. HoyosID employs 2-way SSL to connect to the server that uses IDS and proprietary algorithms for encryption. The IDS identifies the attempts to replicate timestamp and blacklists the offending devices quickly and permanently. A very critical differentiator to HoyosID is that it provides a Biometrics Open Protocol Standard (BOPS), which is an open source API that enables the integration into the HoyosID identity Assertion Platform of any third party biometrics solution in the market. Yes we did! 3rd party. So if you want to use your fingerprint through your Iphone 5S or the Samsung with iris identification, when available, on the HoyosID Platform, you could do that. The HoyosID platform through BOPS enables the interconnection to it of any device that opens, closes, and turns on or off, to be controlled with any biometrics device(s) that communicates through it. In HoyosID there are no biometrics stored anywhere, except in your smartphone, and in an encrypted mode. When the SSL private key is generated it is done by the server and not the device, and is not stored anywhere, since its lifetime is limited to a few seconds. The IDS and HoyosID proprietary algorithms that work in the back-end allows detecting the real user from someone who tries to impersonate you over the network. The HoyosID Identity Assertion Platform
5 currently runs on Amazon Web Services for its server, which uses proven cryptographic methods to secure its infrastructure. Users will soon be able to download the HoyosID Identity Assertion Apps at no cost to them, for use in their Iphones or Android phones from the Google Play Store and Apple’s App Store in the first quarter of 2014. Hoyos Labs’ HoyosID will initially support iPhone, Samsung Galaxy S4, Galaxy Note 2, and as well the HTC One. Those who think of themselves as my competitors will most likely dismiss me; however, I place my Faith in the hands of consumers who rule. It’s a brand new identity assertion world.

Recommended

Phil Cracknell, Head of Security & Privacy Services at Company85 - BYO A good...
Phil Cracknell, Head of Security & Privacy Services at Company85 - BYO A good...Phil Cracknell, Head of Security & Privacy Services at Company85 - BYO A good...
Phil Cracknell, Head of Security & Privacy Services at Company85 - BYO A good...Global Business Events
 
Startup Spotlight: OneID
Startup Spotlight: OneIDStartup Spotlight: OneID
Startup Spotlight: OneIDpii2011
 
What is the security risk of face recognition -C&T RF Antennas Inc
What is the security risk of face recognition -C&T RF Antennas IncWhat is the security risk of face recognition -C&T RF Antennas Inc
What is the security risk of face recognition -C&T RF Antennas IncAntenna Manufacturer Coco
 
Tony Nadalin' presentation at eComm 2008
Tony Nadalin' presentation at eComm 2008Tony Nadalin' presentation at eComm 2008
Tony Nadalin' presentation at eComm 2008eComm2008
 
BeenVerified Berkman Submission
BeenVerified Berkman SubmissionBeenVerified Berkman Submission
BeenVerified Berkman Submissioncanarickd
 
IT Quiz -Seniors - Jan 2013
IT Quiz -Seniors - Jan 2013IT Quiz -Seniors - Jan 2013
IT Quiz -Seniors - Jan 2013Suresh Kumar P
 
5 .ICV kongres controllera 2017 - PUBLICIS ONE (Branislav Lončar)
5 .ICV kongres controllera 2017 - PUBLICIS ONE (Branislav Lončar)5 .ICV kongres controllera 2017 - PUBLICIS ONE (Branislav Lončar)
5 .ICV kongres controllera 2017 - PUBLICIS ONE (Branislav Lončar)Menadžment Centar Beograd
 
Employer Use and Regulation of Employees in the Virtual World
Employer Use and Regulation of Employees in the Virtual WorldEmployer Use and Regulation of Employees in the Virtual World
Employer Use and Regulation of Employees in the Virtual WorldCharles Mudd
 

Recommended

Phil Cracknell, Head of Security & Privacy Services at Company85 - BYO A good...
Phil Cracknell, Head of Security & Privacy Services at Company85 - BYO A good...Phil Cracknell, Head of Security & Privacy Services at Company85 - BYO A good...
Phil Cracknell, Head of Security & Privacy Services at Company85 - BYO A good...Global Business Events
 
Startup Spotlight: OneID
Startup Spotlight: OneIDStartup Spotlight: OneID
Startup Spotlight: OneIDpii2011
 
What is the security risk of face recognition -C&T RF Antennas Inc
What is the security risk of face recognition -C&T RF Antennas IncWhat is the security risk of face recognition -C&T RF Antennas Inc
What is the security risk of face recognition -C&T RF Antennas IncAntenna Manufacturer Coco
 
Tony Nadalin' presentation at eComm 2008
Tony Nadalin' presentation at eComm 2008Tony Nadalin' presentation at eComm 2008
Tony Nadalin' presentation at eComm 2008eComm2008
 
BeenVerified Berkman Submission
BeenVerified Berkman SubmissionBeenVerified Berkman Submission
BeenVerified Berkman Submissioncanarickd
 
IT Quiz -Seniors - Jan 2013
IT Quiz -Seniors - Jan 2013IT Quiz -Seniors - Jan 2013
IT Quiz -Seniors - Jan 2013Suresh Kumar P
 
5 .ICV kongres controllera 2017 - PUBLICIS ONE (Branislav Lončar)
5 .ICV kongres controllera 2017 - PUBLICIS ONE (Branislav Lončar)5 .ICV kongres controllera 2017 - PUBLICIS ONE (Branislav Lončar)
5 .ICV kongres controllera 2017 - PUBLICIS ONE (Branislav Lončar)Menadžment Centar Beograd
 
Employer Use and Regulation of Employees in the Virtual World
Employer Use and Regulation of Employees in the Virtual WorldEmployer Use and Regulation of Employees in the Virtual World
Employer Use and Regulation of Employees in the Virtual WorldCharles Mudd
 
March 2014 - Biometric Technology Today - Token-less Tech Byline
March 2014 - Biometric Technology Today - Token-less Tech BylineMarch 2014 - Biometric Technology Today - Token-less Tech Byline
March 2014 - Biometric Technology Today - Token-less Tech BylineHector Hoyos
 
02-05-15 - Evolution of Biometrics
02-05-15 - Evolution of Biometrics02-05-15 - Evolution of Biometrics
02-05-15 - Evolution of BiometricsHector Hoyos
 
Multi-factor Implicit Biometric Authentication: Analysis and Approach
Multi-factor Implicit Biometric Authentication: Analysis and ApproachMulti-factor Implicit Biometric Authentication: Analysis and Approach
Multi-factor Implicit Biometric Authentication: Analysis and ApproachJigisha Aryya
 
Biometrics Technology
Biometrics TechnologyBiometrics Technology
Biometrics TechnologyTony Adjuder, C.P.S.
 
Identiy Authentication White Paper
Identiy Authentication White PaperIdentiy Authentication White Paper
Identiy Authentication White PaperHector Hoyos
 
Top Trends from SXSW Interactive 2014. The Big Roundup.
Top Trends from SXSW Interactive 2014. The Big Roundup.Top Trends from SXSW Interactive 2014. The Big Roundup.
Top Trends from SXSW Interactive 2014. The Big Roundup.Ashika Chauhan
 
The How of Biometrics
The How of BiometricsThe How of Biometrics
The How of BiometricsPeachy Essay
 
Creative Computing: how artificial intelligence could augment designer’s deci...
Creative Computing: how artificial intelligence could augment designer’s deci...Creative Computing: how artificial intelligence could augment designer’s deci...
Creative Computing: how artificial intelligence could augment designer’s deci...Pietro Leo
 
2018 12 version 1.6 trustmark for smart cities
2018 12 version 1.6 trustmark for smart cities2018 12 version 1.6 trustmark for smart cities
2018 12 version 1.6 trustmark for smart citiesPeter Bihr
 
Epistemic Responsibility in the IT Society
Epistemic Responsibility in the IT SocietyEpistemic Responsibility in the IT Society
Epistemic Responsibility in the IT SocietyPeerEvaluation
 
Biometrics Today article
Biometrics Today articleBiometrics Today article
Biometrics Today articleHector Hoyos
 
Groundhog Writing Papers Notebook Journal With Lin
Groundhog Writing Papers Notebook Journal With LinGroundhog Writing Papers Notebook Journal With Lin
Groundhog Writing Papers Notebook Journal With LinMaritza Tyson
 
Bio metrics in secure e transaction
Bio metrics in secure e transactionBio metrics in secure e transaction
Bio metrics in secure e transactionIJARIIT
 
Clues to Unravelling Conundrums - Biometrics deployed 'in parallel' as again...
Clues to Unravelling Conundrums - Biometrics deployed 'in parallel' as again...Clues to Unravelling Conundrums - Biometrics deployed 'in parallel' as again...
Clues to Unravelling Conundrums - Biometrics deployed 'in parallel' as again...Hitoshi Kokumai
 
Trends in Biometric Identity Management.pdf
Trends in Biometric Identity Management.pdfTrends in Biometric Identity Management.pdf
Trends in Biometric Identity Management.pdfIdentity Herald
 
Ins & Outs of Biometric Authentication
Ins & Outs of Biometric AuthenticationIns & Outs of Biometric Authentication
Ins & Outs of Biometric AuthenticationIVR Technology Group
 
Biometric authentication methods
Biometric authentication methodsBiometric authentication methods
Biometric authentication methodsFelixTaelemans
 
Authentication in 2020 - Predictions by the neXus CTO
Authentication in 2020 - Predictions by the neXus CTOAuthentication in 2020 - Predictions by the neXus CTO
Authentication in 2020 - Predictions by the neXus CTOhagero
 
Biometrics
BiometricsBiometrics
BiometricsSatish Chandra
 
The Web Analyst's Code of Ethics
The Web Analyst's Code of EthicsThe Web Analyst's Code of Ethics
The Web Analyst's Code of EthicsJohn Lovett
 

More Related Content

Similar to Token or no token-2,000 word arti cle

March 2014 - Biometric Technology Today - Token-less Tech Byline
March 2014 - Biometric Technology Today - Token-less Tech BylineMarch 2014 - Biometric Technology Today - Token-less Tech Byline
March 2014 - Biometric Technology Today - Token-less Tech BylineHector Hoyos
 
02-05-15 - Evolution of Biometrics
02-05-15 - Evolution of Biometrics02-05-15 - Evolution of Biometrics
02-05-15 - Evolution of BiometricsHector Hoyos
 
Multi-factor Implicit Biometric Authentication: Analysis and Approach
Multi-factor Implicit Biometric Authentication: Analysis and ApproachMulti-factor Implicit Biometric Authentication: Analysis and Approach
Multi-factor Implicit Biometric Authentication: Analysis and ApproachJigisha Aryya
 
Identiy Authentication White Paper
Identiy Authentication White PaperIdentiy Authentication White Paper
Identiy Authentication White PaperHector Hoyos
 
Top Trends from SXSW Interactive 2014. The Big Roundup.
Top Trends from SXSW Interactive 2014. The Big Roundup.Top Trends from SXSW Interactive 2014. The Big Roundup.
Top Trends from SXSW Interactive 2014. The Big Roundup.Ashika Chauhan
 
The How of Biometrics
The How of BiometricsThe How of Biometrics
The How of BiometricsPeachy Essay
 
Creative Computing: how artificial intelligence could augment designer’s deci...
Creative Computing: how artificial intelligence could augment designer’s deci...Creative Computing: how artificial intelligence could augment designer’s deci...
Creative Computing: how artificial intelligence could augment designer’s deci...Pietro Leo
 
2018 12 version 1.6 trustmark for smart cities
2018 12 version 1.6 trustmark for smart cities2018 12 version 1.6 trustmark for smart cities
2018 12 version 1.6 trustmark for smart citiesPeter Bihr
 
Epistemic Responsibility in the IT Society
Epistemic Responsibility in the IT SocietyEpistemic Responsibility in the IT Society
Epistemic Responsibility in the IT SocietyPeerEvaluation
 
Biometrics Today article
Biometrics Today articleBiometrics Today article
Biometrics Today articleHector Hoyos
 
Groundhog Writing Papers Notebook Journal With Lin
Groundhog Writing Papers Notebook Journal With LinGroundhog Writing Papers Notebook Journal With Lin
Groundhog Writing Papers Notebook Journal With LinMaritza Tyson
 
Bio metrics in secure e transaction
Bio metrics in secure e transactionBio metrics in secure e transaction
Bio metrics in secure e transactionIJARIIT
 
Clues to Unravelling Conundrums - Biometrics deployed 'in parallel' as again...
Clues to Unravelling Conundrums - Biometrics deployed 'in parallel' as again...Clues to Unravelling Conundrums - Biometrics deployed 'in parallel' as again...
Clues to Unravelling Conundrums - Biometrics deployed 'in parallel' as again...Hitoshi Kokumai
 
Trends in Biometric Identity Management.pdf
Trends in Biometric Identity Management.pdfTrends in Biometric Identity Management.pdf
Trends in Biometric Identity Management.pdfIdentity Herald
 
Ins & Outs of Biometric Authentication
Ins & Outs of Biometric AuthenticationIns & Outs of Biometric Authentication
Ins & Outs of Biometric AuthenticationIVR Technology Group
 
Biometric authentication methods
Biometric authentication methodsBiometric authentication methods
Biometric authentication methodsFelixTaelemans
 
Authentication in 2020 - Predictions by the neXus CTO
Authentication in 2020 - Predictions by the neXus CTOAuthentication in 2020 - Predictions by the neXus CTO
Authentication in 2020 - Predictions by the neXus CTOhagero
 
The Web Analyst's Code of Ethics
The Web Analyst's Code of EthicsThe Web Analyst's Code of Ethics
The Web Analyst's Code of EthicsJohn Lovett
 

Similar to Token or no token-2,000 word arti cle (20)

March 2014 - Biometric Technology Today - Token-less Tech Byline
March 2014 - Biometric Technology Today - Token-less Tech BylineMarch 2014 - Biometric Technology Today - Token-less Tech Byline
March 2014 - Biometric Technology Today - Token-less Tech Byline
 
02-05-15 - Evolution of Biometrics
02-05-15 - Evolution of Biometrics02-05-15 - Evolution of Biometrics
02-05-15 - Evolution of Biometrics
 
Multi-factor Implicit Biometric Authentication: Analysis and Approach
Multi-factor Implicit Biometric Authentication: Analysis and ApproachMulti-factor Implicit Biometric Authentication: Analysis and Approach
Multi-factor Implicit Biometric Authentication: Analysis and Approach
 
Biometrics Technology
Biometrics TechnologyBiometrics Technology
Biometrics Technology
 
Identiy Authentication White Paper
Identiy Authentication White PaperIdentiy Authentication White Paper
Identiy Authentication White Paper
 
Top Trends from SXSW Interactive 2014. The Big Roundup.
Top Trends from SXSW Interactive 2014. The Big Roundup.Top Trends from SXSW Interactive 2014. The Big Roundup.
Top Trends from SXSW Interactive 2014. The Big Roundup.
 
The How of Biometrics
The How of BiometricsThe How of Biometrics
The How of Biometrics
 
Creative Computing: how artificial intelligence could augment designer’s deci...
Creative Computing: how artificial intelligence could augment designer’s deci...Creative Computing: how artificial intelligence could augment designer’s deci...
Creative Computing: how artificial intelligence could augment designer’s deci...
 
2018 12 version 1.6 trustmark for smart cities
2018 12 version 1.6 trustmark for smart cities2018 12 version 1.6 trustmark for smart cities
2018 12 version 1.6 trustmark for smart cities
 
Epistemic Responsibility in the IT Society
Epistemic Responsibility in the IT SocietyEpistemic Responsibility in the IT Society
Epistemic Responsibility in the IT Society
 
Biometrics Today article
Biometrics Today articleBiometrics Today article
Biometrics Today article
 
Groundhog Writing Papers Notebook Journal With Lin
Groundhog Writing Papers Notebook Journal With LinGroundhog Writing Papers Notebook Journal With Lin
Groundhog Writing Papers Notebook Journal With Lin
 
Bio metrics in secure e transaction
Bio metrics in secure e transactionBio metrics in secure e transaction
Bio metrics in secure e transaction
 
Clues to Unravelling Conundrums - Biometrics deployed 'in parallel' as again...
Clues to Unravelling Conundrums - Biometrics deployed 'in parallel' as again...Clues to Unravelling Conundrums - Biometrics deployed 'in parallel' as again...
Clues to Unravelling Conundrums - Biometrics deployed 'in parallel' as again...
 
Trends in Biometric Identity Management.pdf
Trends in Biometric Identity Management.pdfTrends in Biometric Identity Management.pdf
Trends in Biometric Identity Management.pdf
 
Ins & Outs of Biometric Authentication
Ins & Outs of Biometric AuthenticationIns & Outs of Biometric Authentication
Ins & Outs of Biometric Authentication
 
Biometric authentication methods
Biometric authentication methodsBiometric authentication methods
Biometric authentication methods
 
Authentication in 2020 - Predictions by the neXus CTO
Authentication in 2020 - Predictions by the neXus CTOAuthentication in 2020 - Predictions by the neXus CTO
Authentication in 2020 - Predictions by the neXus CTO
 
Biometrics
BiometricsBiometrics
Biometrics
 
The Web Analyst's Code of Ethics
The Web Analyst's Code of EthicsThe Web Analyst's Code of Ethics
The Web Analyst's Code of Ethics
 

Token or no token-2,000 word arti cle

  • 1. 1 Token or No Token: Bringing Sanity And Order To The World of Identity Assertion By: Hector Hoyos, Chairman and CEO Hoyos Labs It is said that the definition of insanity is doing the same thing over and over again, expecting a different result every time. I feel that this is the direction into which the identity assertion industry is headed-into the realm of insanity. A few years ago, in 2010 I deployed the world’s first completely iris-based access control system at Bank of America Headquarters in Charlotte, North Carolina. It was based on the original proprietary technology and products, the HBOX and Eyelock, that I invented at the company I founded Global Rainmakers, Inc., now known as Eyelock Corp. It was true sights of beauty to see thousands upon thousands of Bank of America (BAC) team members gain entry to their workplaces all around the city of Charlotte with nothing more than a glance of their irises. Yes, that is correct, no tokens or access cards of any kind were used, and yes this was the HQ of one of the largest financial institutions in the world. It took us nearly 3 years to achieve such milestone. That deployment in the Summer of 2010 reshaped the face of the access control and the biometrics industries. Yet today, 3 years later, like the setback that general aviation suffered when the Condorde was removed from service, it appears that both industries have forgotten the lessons learned from that BAC deployment. One word defines all those lessons: CONVENIENCE. Back then there was a single paradigm that drove the success of that deployment and every other successful deployment across the world: CONVENIENCE. Think about this for a minute. If you knew that it was as safe as using your access card, would you rather not have to carry an access card and just use what you never leave home without, your iris-biometrics? Well, a good portion of the folks at BAC at first did not accept our Iris systems, voicing many concerns over privacy and data security; however, all those concerns were quelled upon seeing their co-workers waltz into the building right through the access points, without having to dig into their wallets or purses to pull out an access card. I was a personal witness to this. I wanted to understand the human behaviors factor in all that we were doing. It turned out to be The key element in the success of our deployments. I remember an exchange I had with a very nice lady who worked at BAC HQ in Charlotte. She was holding a cup of coffee in her left hand, her bag and coat in her right hand, and had files tucked under her right arm. I glanced at her and very quickly inquired what she thought of my irisgate. “ Look at me, are you kidding, its as CONVENIENT as a fast food drive-through,” she responded. There it was! After all the years of R&D and the tens of millions invested, after all the long hours discussing the sleek look of the housing, after all the science and
  • 2. 2 technology innovation accomplished, it was best summed up from a real world user and her 20 second experience-what the user wants, recognizes, cares about, and remembers is the CONVENIENCE. I felt like a famous producer at the premiere of his hit movie, except that my premiere only lasted 20 seconds. Then I glanced back across the lobby of this fantastic Gold Leeds structure BAC built in the center of Charlotte, and felt a warm fuzzy feeling as I saw hundreds of additional users take for granted what everyone had originally thought to be impossible, daunting, unacceptable-token-less iris-based access. Fast-forward 3 years. I am reading a Forbes article about Google introducing Google ID in 2014. Hmm, Interesting. As I progress through the article the more confused and perplexed I become. Google is proposing a 2-factor authentication system (2FA) using a username, a pin, plus a Yubikey token that connects to the USB port of your computer. Wow! What just happened? Had I gone back in time unknowingly? I knew Google was a member of the FIDO (Fast identity Online) Alliance, which supports biometrics in combination with a similar token. Yet now they had changed their minds and decided to completely drop biometrics? To begin with, like many, I never agreed with the flawed proposition of the FIDO Alliance requiring carrying a physical token to identify you. For years I had spread the “gospel of biometrics according to Hoyos”, in which I predicted that at some point in the near future we would have to drop usernames, passwords, and pins, and that all of them would be replaced with biometrics on mobile devices- smartphones to be precise. Many of my writings throughout the years pointed in this direction. The main reason I pointed to smartphones as the biometrics acquisition tool is because of the issue of CONVENIENCE. Its something we always carry that we cannot do without, not an extra something. Many folks over the years, in both the private and public sector, discounted my position of a world in which all identities will be asserted by means of our biometrics, simply telling me that passwords would never go away, even though they had nothing to back their position other than their corporate opinion. I based my position on facts stemming from my real world experiences. Today, I feel vindicated, because it is no longer the “gospel of biometrics” or even the “gospel of CONVENIENCE” according to Hoyos that is sending the message out to the world. Today, studies abound from Ericson, Paypal, IBM, Microsoft, and the Ponemo Institute that say exactly what I have been saying for the last 10+ years. According to Ericson’s study titled: “Your Body The New Password”, 52 percent of smartphone users want to use their fingerprints instead of passwords, a further 61 percent of people want to use fingerprints to unlock their phones, and 48 percent are interested in using eye-recognition. Another study by Paypal shows that consumers “are OK” with biometrics, and that 53 percent of those surveyed are “comfortable” replacing passwords with
  • 3. 3 fingerprints, and 45 percent would opt for a retinal scan. I’m sure they meant an iris scan, which shows how successful the biometrics industry has been educating consumers about types of biometrics. IBM Fellow and Speech CTO David Nahamoo states that over the next five years, your unique biological identity and biometric data – facial definitions, iris scans, voice files, even your DNA – will become the key to safeguarding your personal identity and information. and replace the current user ID and password system. Microsoft Research funded a study titled “The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes.” Among its main conclusions they state that the replacement to passwords should conform to the following criteria: nothing to carry, efficient to use, and easy recovery from loss. They go so far as to state that these criteria are achieved mostly by biometric schemes, and further state that tokens do NOT achieve this. After reading this I was really confused, because as Google did before, Microsoft had also joined the mighty ranks of the FIDO Alliance. Yet FIDO’s standard identity authentication protocol requires the use of a Yubikey token, but Microsoft Research’s Cormac Herley in Redmond placed his name representing Microsoft Research on the study cited above. So which is it: To use a token or not to use a token? Is Microsoft going against their own study because they don’t believe in its results or have they lost faith in biometrics at a time when the overwhelming majority of consumers are clamoring for biometrics to replace their usernames and passwords? What makes a company and a product successful is the adoption and continued support by consumers of its offerings. If there is something I have learned in all my years in the technology business is that this is an absolute truth. Consumers rule!!! Consumers the world over, all want the same thing: CONVENIENCE. Sure they want to be secure, but NOT at the cost of their CONVENIENCE. Any proposed scheme by any company or Alliance that intends to go against the grain of consumers in this sense will fail. So there it is, I just predicted the fall of the FIDO Alliance, as well as anyone else that attempts to architect and engineer an inconvenient identity authentication process. So much for swinging at windmills! Yet this time I am armed with something called HoyosID.
  • 4. 4 HoyosID is an identity assertion platform, which utilizes your smartphone as the biometrics acquisition device by using an app, which runs on Iphone and Android. The HoyosID Identity Assertion Platform leverages all available resources to secure the digital access management in a unique, convenient, and secure way. If you don’t want to use usernames and passwords, and securely login with your biometrics, HoyosID will facilitate such for you. You simply click on the login in a web page, which awakens the HoyosID app on your smartphone, you look at it, it acquires your biometrics, and logs you in. If you are not you, then our IDS (Intrusion Detection System) will block your smartphone and you. To hack you, someone must first appropriate your smartphone, and then attempt to hack it. So the HoyosID architecture effectively forces hackers to have to attempt hacking a user at a time. Gone will be the days of massive attacks that affect multitudes of consumers from a single breach. At Hoyos Labs we have invested most significantly into spoofing counter measures development. Spoofing is passing an authentication on the digital systems using a false credential that seems to be valid of an actual user registered in the system, such as a high-resolution photograph of you. Liveness detection counter measures are how the mobile application could recognize a live person from decoy images. HoyosID also prevents replay attacks, which is when someone attempts to “inject” a recording of yourself into the system as someone else. HoyosID employs 2-way SSL to connect to the server that uses IDS and proprietary algorithms for encryption. The IDS identifies the attempts to replicate timestamp and blacklists the offending devices quickly and permanently. A very critical differentiator to HoyosID is that it provides a Biometrics Open Protocol Standard (BOPS), which is an open source API that enables the integration into the HoyosID identity Assertion Platform of any third party biometrics solution in the market. Yes we did! 3rd party. So if you want to use your fingerprint through your Iphone 5S or the Samsung with iris identification, when available, on the HoyosID Platform, you could do that. The HoyosID platform through BOPS enables the interconnection to it of any device that opens, closes, and turns on or off, to be controlled with any biometrics device(s) that communicates through it. In HoyosID there are no biometrics stored anywhere, except in your smartphone, and in an encrypted mode. When the SSL private key is generated it is done by the server and not the device, and is not stored anywhere, since its lifetime is limited to a few seconds. The IDS and HoyosID proprietary algorithms that work in the back-end allows detecting the real user from someone who tries to impersonate you over the network. The HoyosID Identity Assertion Platform
  • 5. 5 currently runs on Amazon Web Services for its server, which uses proven cryptographic methods to secure its infrastructure. Users will soon be able to download the HoyosID Identity Assertion Apps at no cost to them, for use in their Iphones or Android phones from the Google Play Store and Apple’s App Store in the first quarter of 2014. Hoyos Labs’ HoyosID will initially support iPhone, Samsung Galaxy S4, Galaxy Note 2, and as well the HTC One. Those who think of themselves as my competitors will most likely dismiss me; however, I place my Faith in the hands of consumers who rule. It’s a brand new identity assertion world.