One challenge is that with loss or failure of the primary authenticators, users would be unable to conduct any on-line commerce. The ideal way to solve this potential problem would be to have a primary and secondary authentication device. A useful analogy is having a spare set of keys in the event of misplacement, loss or misadventure. This may take the form of a HOTP enabled photo ID or a second mobile phone.
This document has not covered the best way to provide authentication to users seeking access to assets. As in all complex systems, this is where the “devil is in the detail”.
The one given is that the authentication must be resilient and distributed. A useful analogue would be peer-to-peer traffic used to distribute torrent files. For mobile phones users, systems exist but a prioritisation or escalation protocol may be required to ensure authentication is given priority in a similar fashion to Quality of Service (QOS) used for Voice over Internet Protocol (VoIP) in network transport.
The simplest and most inexpensive way to ensure rapid deployment would be for users to authenticate to their existing Financial Service or Mobile Service provider. Establishing a third party to enable interoperability (Australian Transaction Reports and Analysis Centre - Austrac’s business model is a good example) is a high priority, as long as it is cost effective and doesn’t require an army of public servants to administer it.
Critical pieces of the infrastructure required to implement the Federated System are in commercial production in all organisations around the nation. Here are the nuts and bolts that make these systems work together.
Better online security for Australian Citizens
Pundits speculate that criminal activity targeting on-line commerce is in its infancy. By initiating a National system and framework, Australia can demonstrate real leadership in protecting its citizens from online threats.
It’s much better than passwords
Passwords fail to meet the needs of security. Increasing complexity in password management is costing organisations vast sums of money and failing to protect the digital assets they are supposed to protect. Stronger unchanging passwords are easier to administer (and remember) and more challenging to crack. By extending the length of a password to 12 characters the chances of a brute force attack achieving success is minimal. One or two very strong unchanging passwords are better than any number of weak passwords. Adding MFA to this strategy makes the efficacy of the system much better.
Improved Safety and Privacy
By ensuring sign on credentials are valid, the security of users privacy and identity are protected with a subsequent increase of trust in systems and processes. With the ability to extend the reach of this improved security, all stakeholders benefit.
National Defence and Security
By building better security safeguards into Australia’s national infrastructure, citizens are assured that the potential of state sponsored threats is mitigated. By using Information technology as an attack vector, more resilient and protected systems are able to repel infection or attack.
Reduction in Financial Loss and Risk
Online fraud is a measureable cost we must all add to what we pay for the use of Financial Services. The Return on Investment (ROI) based upon this framework is impossible to gauge but like insurance, how do you measure success?
The framework provides greater protection for users of consumer social media (Facebook), business social media (LinkedIn) and hybrids (Twitter). Lives have been lost because of online bullying with little or no legal recourse for the victims. Is digital assault a valid crime? Non repudiation is guaranteed ensuring that the lawless slings and arrows delivered via online media may be curbed to conform to current defamation legislation.
By implementing a national multi-factor authentication system Australian citizens will benefit from having the highest levels of online security in the world. This technology may provide a significant competitive advantage to business in securing digital assets and could lead to innovation based export opportunities. The headlines report massive breaches of information that directly expose our financial systems to grave risk. Australia must set the benchmark in secure digital vigilance to safeguard our information security perimeter from existing and potential threats.
About the Author:
Mike Ryan is a freelance copywriter and marketing contractor with a passion for Information Security. He has presented at an Australian Information Security Association (AISA) branch meeting prosecuting the case for improved security and that punitive legislation be enforced to protect Australian citizens from data disclosure and privacy breaches.
Mike Ryan – Brass Razoo Group Website: www.brassrazoo.net.au