Token or No Token: Bringing Sanity And Order To The World of Identity Assertion
By: Hector Hoyos, Chairman and CEO Hoyos Labs
It is said that the definition of insanity is doing the same thing over and over again, expecting a different result every time. I feel that this is the direction in which the identity assertion industry is headed: into the realm of insanity.
A few years ago, in 2010, I deployed the world's first completely iris-based access control system at Bank of America Headquarters in Charlotte, North Carolina. It was based on the original proprietary technology and products, the HBOX and Eyelock, that I invented at the company I founded, Global Rainmakers, Inc., now known as Eyelock Corp. It was a true sight of beauty to see thousands upon thousands of Bank of America (BAC) team members gain entry to their workplaces all around the city of Charlotte with nothing more than a glance of their irises. Yes, that is correct, no tokens or access cards of any kind were used, and yes, this was the HQ of one of the largest financial institutions in the world. It took us nearly 3 years to achieve such a milestone. That deployment in the Summer of 2010 reshaped the face of the access control and the biometrics industries.
Yet today, 3 years later, like the setback that general aviation suffered when the Concorde was removed from service, it appears that both industries have forgotten the lessons learned from that BAC deployment.
One word defines all those lessons: CONVENIENCE. Back then there was a
single paradigm that drove the success of that deployment and every other
successful deployment across the world: CONVENIENCE. Think about this for a
minute. If you knew that it was as safe as using your access card, would you
rather not have to carry an access card and just use what you never leave home
without, your iris-biometrics? Well, a good portion of the folks at BAC at first did
not accept our Iris systems, voicing many concerns over privacy and data
security; however, all those concerns were quelled upon seeing their co-workers
waltz into the building right through the access points, without having to dig into
their wallets or purses to pull out an access card. I was a personal witness to this. I wanted to understand the human behavior factor in all that we were doing. It turned out to be the key element in the success of our deployments.
I remember an exchange I had with a very nice lady who worked at BAC HQ in
Charlotte. She was holding a cup of coffee in her left hand, her bag and coat in
her right hand, and had files tucked under her right arm. I glanced at her and very
quickly inquired what she thought of my irisgate. "Look at me, are you kidding, it's as CONVENIENT as a fast food drive-through," she responded. There it was!
After all the years of R&D and the tens of millions invested, after all the long
hours discussing the sleek look of the housing, after all the science and
technology innovation accomplished, it was best summed up by a real world user and her 20 second experience: what the user wants, recognizes, cares about, and remembers is the CONVENIENCE. I felt like a famous producer at the premiere of his hit movie, except that my premiere only lasted 20 seconds. Then I glanced back across the lobby of this fantastic LEED Gold structure BAC built in the center of Charlotte, and felt a warm fuzzy feeling as I saw hundreds of additional users take for granted what everyone had originally thought to be impossible, daunting, unacceptable: token-less iris-based access.
Fast-forward 3 years. I am reading a Forbes article about Google introducing Google ID in 2014. Hmm, interesting. As I progress through the article, the more confused and perplexed I become. Google is proposing a 2-factor authentication system (2FA) using a username, a PIN, plus a YubiKey token that connects to the USB port of your computer. Wow! What just happened? Had I gone back in time unknowingly? I knew Google was a member of the FIDO (Fast Identity Online) Alliance, which supports biometrics in combination with a similar token. Yet now they had changed their minds and decided to completely drop biometrics?
To begin with, like many, I never agreed with the flawed proposition of the FIDO Alliance requiring carrying a physical token to identify you. For years I had spread the "gospel of biometrics according to Hoyos", in which I predicted that at some point in the near future we would have to drop usernames, passwords, and PINs, and that all of them would be replaced with biometrics on mobile devices, smartphones to be precise. Many of my writings throughout the years pointed in this direction. The main reason I pointed to smartphones as the biometrics acquisition tool is the issue of CONVENIENCE. It's something we always carry that we cannot do without, not an extra something. Many folks over the years, in both the private and public sector, discounted my position of a world in which all identities will be asserted by means of our biometrics, simply telling me that passwords would never go away, even though they had nothing to back their position other than their corporate opinion. I based my position on facts stemming from my real world experiences.
Today, I feel vindicated, because it is no longer the "gospel of biometrics" or even the "gospel of CONVENIENCE" according to Hoyos that is sending the message out to the world. Today, studies abound from Ericsson, PayPal, IBM, Microsoft, and the Ponemon Institute that say exactly what I have been saying for the last 10+ years.
According to Ericsson's study titled "Your Body The New Password", 52 percent of smartphone users want to use their fingerprints instead of passwords, a further 61 percent of people want to use fingerprints to unlock their phones, and 48 percent are interested in using eye-recognition.
Another study by PayPal shows that consumers "are OK" with biometrics, and that 53 percent of those surveyed are "comfortable" replacing passwords with fingerprints, and 45 percent would opt for a retinal scan. I'm sure they meant an iris scan, which shows how successful the biometrics industry has been at educating consumers about types of biometrics.
IBM Fellow and Speech CTO David Nahamoo states that over the next five years, your unique biological identity and biometric data – facial definitions, iris scans, voice files, even your DNA – will become the key to safeguarding your personal identity and information, and will replace the current user ID and password system.
Microsoft Research funded a study titled "The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes." Among its main conclusions, they state that the replacement for passwords should conform to the following criteria: nothing to carry, efficient to use, and easy recovery from loss. They go so far as to state that these criteria are achieved mostly by biometric schemes, and further state that tokens do NOT achieve this. After reading this I was really confused, because, as Google did before, Microsoft had also joined the mighty ranks of the FIDO Alliance. Yet FIDO's standard identity authentication protocol requires the use of a YubiKey token, while Microsoft Research's Cormac Herley in Redmond placed his name, representing Microsoft Research, on the study cited above. So which is it: to use a token or not to use a token? Is Microsoft going against their own study because they don't believe in its results, or have they lost faith in biometrics at a time when the overwhelming majority of consumers are clamoring for biometrics to replace their usernames and passwords?
What makes a company and a product successful is the adoption and continued support by consumers of its offerings. If there is something I have learned in all my years in the technology business, it is that this is an absolute truth. Consumers rule!!! Consumers the world over all want the same thing: CONVENIENCE. Sure, they want to be secure, but NOT at the cost of their CONVENIENCE. Any proposed scheme by any company or Alliance that intends to go against the grain of consumers in this sense will fail. So there it is, I just predicted the fall of the FIDO Alliance, as well as anyone else that attempts to architect and engineer an inconvenient identity authentication process. So much for swinging at windmills! Yet this time I am armed with something called HoyosID.
HoyosID is an identity assertion platform which utilizes your smartphone as the biometrics acquisition device by using an app that runs on iPhone and Android.
The HoyosID Identity Assertion Platform leverages all available resources to secure digital access management in a unique, convenient, and secure way. If you don't want to use usernames and passwords, and instead want to securely log in with your biometrics, HoyosID will facilitate that for you. You simply click the login on a web page, which awakens the HoyosID app on your smartphone; you look at it, it acquires your biometrics, and it logs you in. If the person in front of the phone is not you, then our IDS (Intrusion Detection System) will block both the smartphone and the login. To hack you, someone must first appropriate your smartphone, and then attempt to hack it. So the HoyosID architecture effectively forces hackers to attack one user at a time. Gone will be the days of massive attacks that affect multitudes of consumers from a single breach.
At Hoyos Labs we have invested most significantly in the development of spoofing countermeasures. Spoofing is passing authentication on a digital system by presenting a false credential that appears to be the valid credential of a user registered in the system, such as a high-resolution photograph of you. Liveness detection countermeasures are how the mobile application distinguishes a live person from decoy images.
HoyosID also prevents replay attacks, in which someone else attempts to "inject" a recording of you into the system in order to pass as you. HoyosID employs 2-way SSL to connect to the server, which uses the IDS and proprietary encryption algorithms. The IDS identifies attempts to replay a previously used timestamp and blacklists the offending devices quickly and permanently.
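As an added illustration (not HoyosID or BOPS code, and not from Hoyos Labs), here is how a server-side replay check of the kind described above can work: an assertion carrying a timestamp and nonce is accepted only once and only while fresh, and a device that re-presents one is blacklisted for good. The message layout, the 30-second freshness window and the names are assumptions.

```python
# Added example: a minimal server-side replay detector. Names, window size
# and message layout are assumptions, not the HoyosID protocol.
from dataclasses import dataclass, field

FRESHNESS_WINDOW = 30  # seconds an assertion stays valid (assumed value)


@dataclass
class ReplayDetector:
    seen: set = field(default_factory=set)       # (device_id, timestamp, nonce) already accepted
    blacklist: set = field(default_factory=set)  # devices rejected permanently

    def check(self, device_id: str, timestamp: int, nonce: str, now: int) -> str:
        """Return 'accept' or a rejection reason. A replayed message
        blacklists the presenting device, as the text describes."""
        if device_id in self.blacklist:
            return "reject: device blacklisted"
        key = (device_id, timestamp, nonce)
        if key in self.seen:
            # Same timestamp and nonce presented a second time: a replay.
            self.blacklist.add(device_id)
            return "reject: replay detected, device blacklisted"
        if abs(now - timestamp) > FRESHNESS_WINDOW:
            # Stale or future-dated message: reject without blacklisting,
            # since clock skew is a benign explanation for this case.
            return "reject: timestamp outside freshness window"
        self.seen.add(key)  # a real service would prune entries older than the window
        return "accept"


def run_sample() -> list:
    """Constructed message sequence (device, timestamp, nonce, server time):
    a fresh login, a replay of its capture, a later attempt from the now
    blacklisted device, and a stale message from a different device."""
    det = ReplayDetector()
    messages = [
        ("phone-A", 1000, "n1", 1002),  # fresh, accepted
        ("phone-A", 1000, "n1", 1010),  # replayed capture
        ("phone-A", 1020, "n2", 1021),  # device already blacklisted
        ("phone-B", 900, "n3", 1000),   # 100 s old: stale, not a replay
    ]
    return [det.check(*m) for m in messages]


if __name__ == "__main__":
    for verdict in run_sample():
        print(verdict)
```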
A very critical differentiator of HoyosID is that it provides a Biometrics Open Protocol Standard (BOPS), an open source API that enables the integration of any third-party biometrics solution on the market into the HoyosID Identity Assertion Platform. Yes we did! 3rd party. So if you want to use your fingerprint through your iPhone 5S, or the Samsung with iris identification when available, on the HoyosID Platform, you could do that. Through BOPS, the HoyosID platform also lets any device that opens, closes, or turns on and off be connected to it and controlled by any biometrics device(s) that communicates through it.
In HoyosID there are no biometrics stored anywhere except in your smartphone, and there in encrypted form. The SSL private key is generated by the server and not the device, and is not stored anywhere, since its lifetime is limited to a few seconds. The IDS and the HoyosID proprietary algorithms that work in the back end allow the platform to distinguish the real user from someone who tries to impersonate you over the network. The HoyosID Identity Assertion Platform currently runs its server on Amazon Web Services, which uses proven cryptographic methods to secure its infrastructure.
Users will soon be able to download the HoyosID Identity Assertion Apps at no cost to them, for use on their iPhones or Android phones, from the Google Play Store and Apple's App Store in the first quarter of 2014. Hoyos Labs' HoyosID will initially support the iPhone, Samsung Galaxy S4, and Galaxy Note 2, as well as the HTC One. Those who think of themselves as my competitors will most likely dismiss me; however, I place my faith in the hands of consumers, who rule. It's a brand new identity assertion world.