
February 28, 2008

Will this play in Erie, PA?

Posted by Kerry Loftus, Vice President of Consumer Authentication


I am constantly evaluating our offerings and other technology solutions, asking: will this really play in my hometown of Erie, PA? The challenge for security vendors has always been there, but have we delivered solutions that provide a broad spectrum of security for our customers depending on their needs, risks and users? Two years ago, when the FFIEC guidance around multifactor authentication came out, our customers told us we hadn't. Companies like VeriSign quickly innovated to find that right balance between security, usability, and convenience. Device IDs, images, networked authentication and a whole host of convenient 2-factor credentials emerged, and the race is on to find that next game-changing security solution.


We at VeriSign believe there are two critical pieces to this moving forward:

1. Open standards. In other words: two-factor authentication solutions from multiple vendors allowing customers to mix and match and price shop depending on their risks and user profiles. Meet OATH, openauthentication.org. Created in 2003, OATH came together to publish specifications that a whole host of vendors can innovate around.


2. Convenience and lower costs. 75 members in OATH later, we have SMS OTP, flash drives with OTP capability, mobile phone applications that can generate authentication credentials, credit card sized devices, etc.


No one can dispute that consumers spend more money at places they trust. Convenient, low-cost security solutions will play in Erie, PA. If your security vendor can't show you that they comply with open standards and deliver cost effective, convenient solutions, it's probably time to move on.


Read more: "OATH: One Token To Rule Them All" by Avi Baumstein of InformationWeek
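As an added illustration of the open standard the post above is about (example code, not VeriSign's or OATH's own): the HOTP algorithm of RFC 4226, the OATH event-based OTP that a compliant token from any vendor implements, together with the server-side check that makes "mix and match" possible, since every token verifies against the same code. The secret and the expected codes are the RFC 4226 Appendix D test vectors; the look-ahead window and the lockout threshold are assumed policy values chosen for illustration.

```python
"""Added illustration (not VeriSign's or OATH's code): RFC 4226 HOTP plus the
server-side validation an authentication service performs. The secret and the
codes it produces are the RFC 4226 Appendix D test vectors."""
import hashlib
import hmac
import struct

# RFC 4226 Appendix D test secret (ASCII "12345678901234567890").
RFC4226_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C) = Truncate(HMAC-SHA-1(K, C)) mod 10^digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class HotpValidator:
    """Server-side state for one token: the next unused counter plus throttling.

    look_ahead (tolerated button presses that never reached the server) and
    max_failures (lockout threshold) are assumed policy values, not RFC values.
    """

    def __init__(self, secret: bytes, look_ahead: int = 10, max_failures: int = 5):
        self.secret = secret
        self.next_counter = 0          # first counter value not yet consumed
        self.look_ahead = look_ahead
        self.failures = 0
        self.max_failures = max_failures

    def verify(self, code: str) -> bool:
        """Accept a code within the look-ahead window, then move past it (no replay)."""
        if self.failures >= self.max_failures:
            return False                                     # locked until an operator resyncs
        for i in range(self.look_ahead):
            candidate = hotp(self.secret, self.next_counter + i)
            if hmac.compare_digest(candidate, code):
                self.next_counter += i + 1                   # consume this and any skipped counters
                self.failures = 0
                return True
        self.failures += 1
        return False


if __name__ == "__main__":
    v = HotpValidator(RFC4226_SECRET)
    # Valid, valid, replayed (rejected), skipped ahead to counter 9, stale counter 4 (rejected).
    for c in ("755224", "287082", "755224", "520489", "338314"):
        print(c, v.verify(c), "next counter:", v.next_counter)
```

Two points the post's "open standards" argument rests on are visible here: the token needs nothing but the shared secret and a counter, so the server code is vendor-neutral, and the server, not the token, decides how much drift to tolerate and when to lock the account after bad guesses.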


February 26, 2008

Security of Online Medical Records?

My name is Jen Gilburg and I am the Director of Business Development for the Identity and Authentication Solutions team here at VeriSign.


Google's announcement of the launch of a new program that allows users to post their medical records online caught my attention. While there are obvious benefits to having a centralized store of historical health information, medications, test results, etc., my first inclination was to be concerned about the security of such personal information.


Naturally I am inclined to believe that everything should have strong authentication. However, not wanting to be overly paranoid, I thought I would investigate just what the exposure is should one gain access to my medical records. I mean -- just how much damage could be done should someone discover that I have hay fever and a rather bizarre allergic reaction to arugula? Is there value in gaining access to my epi-pen prescription?


So I did some simple research. I first went to my insurer, who has a portal for which I had previously registered for an online account. Once I logged in with what I will admit was a weak userID and password, I was actually surprised to see the ability to view my name, Group ID # and Member # - all in clear text! I could review my benefits and, should I have entered them previously, my online medical records. Additionally I could order online prescriptions, check claim status, and file pre-authorization forms for any medical procedure covered by my plan.


My paranoia was starting to feel justified.


I then went to my healthcare provider which is a regional medical foundation and also has an online portal. I was able to request appointments, book labs, renew prescriptions and see test results all by gaining access via a weak user name and password.


Alright, so access is easy - a little more information than I care to admit is readily available - but what really is the risk of personal damage?


According to the 2006 National Health Interview Study, 14.8% or 43.6 million Americans are without health insurance. That was a 2.2M increase over the prior year, and this number no doubt is even higher once 2007 reports. With that there has been an increase in medical insurance fraud. It would be relatively easy to hijack an account, make appointments, order tests, and see the results all online using someone else's insurance and identity. Beyond the initial visit when asked to provide the insurance card, have you ever been asked for any validation of identity when visiting your doctor or, for that matter, when picking up a prescription?


This is ripe for a black market of fraudsters selling "insurance plans" to the otherwise uninsured.


My initial concern was justified. The importance of providing strong authentication for such online services to prevent hijacking is equal to the value such online access provides for better medical care. California has seen the risk strong enough to extend the landmark breach notification laws to include notification of any compromise of a medical record in its recently passed Assembly Bill 1295.


I hope that Google, Microsoft and other vendors who provide medical record storage will take the threat seriously and offer strong authentication. We have plenty of room for them in the VIP Authentication Services Network.


And to you patients out there...it is within your patient bill of rights to demand that extra layer of protection.

In good health,

Jen

February 21, 2008

Layered Security Approach in the Real World

My name is Fran Rosch and I manage the group that writes this blog and develops VeriSign's identity and authentication solutions.

I just got back from a 2-week trip to India, Israel and London talking to customers, prospects, and VeriSign team members. I spent much of the time talking about how customers should deploy solutions that are very "risk based." When consumers access lots of critical data or financial assets on their website, a user name and password is probably not enough. But how much is enough? Does one solution fit all? How much should we change user experience? How much should we spend on security and authentication?

As I traveled through the airports in San Francisco, Frankfurt, Bangalore, Delhi, Mumbai, Amman, Tel Aviv and Heathrow, I was struck by the very different security policies, and I realized that they also deploy "risk-based" approaches just as we recommend on our customers' Web sites. Here were some different approaches I noticed:


* The BA flight leaving from Tel Aviv to London was the highest risk with the maximum security. As you would expect, the security in Tel Aviv was very tight with about 5 layers of screening including in-depth personal interviews, bag checks that open every compartment, dogs, etc.


* However, the security for the flight from Bangalore to Delhi was not high because internal country flights are not as sensitive.


* The flight from London to SFO had tighter security...you couldn't take liquids even though that is OK at other airports.


This reminds me of the point that we make to our customers - use layers of security to catch different types of fraud, security that maps to different types of risk. And here are examples in the off-line world where it already works!!

February 15, 2008

OpenID Announcement Well Received

We were pleasantly surprised by the positive response to our announcement around VeriSign joining the OpenID Foundation. These articles feature our VP of Innovation, Nico Popp.


OpenID Gets Star Power By Kenneth Corbin of InternetNews.com


Tech heavyweights join OpenID Foundation board By Deborah Gage of The San Francisco Chronicle


OpenID gains support for online single sign-on By Shane Schick of ComputerWorld Canada

February 08, 2008

Meet Kerry Loftus, VP of Consumer Authentication

Hi! My name is Kerry Loftus and I have product marketing and management ownership for our consumer authentication product offerings. By day, I'm a dedicated VeriSign employee focusing for the last 8 years on security technologies that are valuable to our customers in helping them better secure their online interactions with customers, business partners and employees. Few would suspect that, outside of my career, I'm a dedicated wife and mother to 4 kids (two boys and two girls, ages 1 - 13 years). Yikes! By keeping my toes in both professional and day-to-day worlds, I hope to bring real-world perspective to a space that is highly technical, potentially complicated, but incredibly essential in our still emerging digital world.

We found an awesome video on YouTube: the "MiniGeek" gets his PayPal security key in the mail, and shows us as he sets it up in less than two minutes. It's child's play! (this video has been removed.)

February 07, 2008

Protecting the Keymaster

Today's announcement that Google, Microsoft, Yahoo!, IBM, and VeriSign are joining the OpenID Foundation's board is great news for the future of online identity. A single portable online identity has long been elusive, and we're excited to see it come one step closer to reality. I certainly won't miss my ever growing list of usernames and passwords!


But what happens when your entire online identity is consolidated into a single entity? It becomes a prime target for attack. In the pre-OpenID world, attackers needed to steal your individual credentials for each and every site you visit; but if they're all replaced with a single OpenID, hacking just one account gives them the keys to the castle.


The need for strong account protection has never been greater, which is why we've integrated our VIP Authentication Service with the VeriSign Labs' Personal Identity Provider as a showcase for how strong authentication melds with user-centric identity. Our users agree - a significant percentage of PIP users already protect their OpenID with a PayPal Security Key or a VIP Security Card.


Once you add strong authentication to OpenID, you need a way for relying parties to request it, and for identity providers to answer those requests. This is where the PAPE standard comes in, providing a standardized language for OpenID sites to talk about the strength of their authentication.


In the OpenID world, we're encouraged to put all of our eggs into one basket. Just make sure you stick a good lock on it!
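As an added example of the request-and-answer the post describes (example code, not VeriSign's or the OpenID Foundation's): the PAPE parameters a relying party appends to its OpenID request, and the checks it must make on the provider's positive assertion before trusting it - that the PAPE fields are covered by the assertion's signature, that the policies it asked for were actually met, and that the authentication is recent enough. Field names and policy URIs are those of the PAPE 1.0 draft; the relying party's policy (phishing-resistant plus a physical second factor, 300-second freshness), the example hostnames and the sample assertions are constructed for illustration.

```python
"""Added example (not VeriSign's or the OpenID Foundation's code): an OpenID
relying party (RP) asking for strong authentication with PAPE and checking the
provider's (OP's) answer. Sample assertions below are constructed, not captured."""
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode

PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
POLICY = "http://schemas.openid.net/pape/policies/2007/06/"
PHISHING_RESISTANT = POLICY + "phishing-resistant"
MULTI_FACTOR = POLICY + "multi-factor"
MULTI_FACTOR_PHYSICAL = POLICY + "multi-factor-physical"
NO_POLICY = POLICY + "none"

# Assumed policy of this hypothetical RP: a token in hand, and a fresh login.
REQUIRED = (PHISHING_RESISTANT, MULTI_FACTOR_PHYSICAL)
MAX_AUTH_AGE = 300  # seconds since the user last authenticated at the OP


def build_pape_request(required=REQUIRED, max_auth_age=MAX_AUTH_AGE):
    """PAPE parameters the RP adds to its checkid_setup/checkid_immediate request."""
    return {
        "openid.ns.pape": PAPE_NS,
        "openid.pape.preferred_auth_policies": " ".join(required),
        "openid.pape.max_auth_age": str(max_auth_age),
    }


def parse_assertion(query):
    """Flatten an id_res query string into a dict; OpenID keys are single-valued."""
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def check_pape_response(fields, now, required=REQUIRED, max_auth_age=MAX_AUTH_AGE):
    """Return (ok, reason) for the PAPE part of a positive assertion.

    Assumes the caller has already verified openid.sig; this only checks that
    the PAPE fields are under that signature and that the policy is satisfied.
    """
    if fields.get("openid.ns.pape") != PAPE_NS:
        return False, "OP did not answer the PAPE request"
    signed = fields.get("openid.signed", "").split(",")
    for name in ("ns.pape", "pape.auth_policies", "pape.auth_time"):
        if name not in signed:
            return False, name + " is not covered by the signature"
    policies = fields.get("openid.pape.auth_policies", "").split()
    if NO_POLICY in policies and len(policies) > 1:
        return False, "'none' mixed with other policies"
    missing = [p for p in required if p not in policies]
    if missing:
        return False, "policies not satisfied: " + " ".join(missing)
    try:
        auth_time = datetime.strptime(fields["openid.pape.auth_time"], "%Y-%m-%dT%H:%M:%SZ")
    except (KeyError, ValueError):
        return False, "auth_time missing or malformed"
    age = (now - auth_time.replace(tzinfo=timezone.utc)).total_seconds()
    if not 0 <= age <= max_auth_age:
        return False, "authentication is %ds old, limit %ds" % (age, max_auth_age)
    return True, "ok"


# Constructed sample assertions; openid.sig is a placeholder, not a real HMAC.
CHECK_TIME = datetime(2008, 2, 7, 12, 0, 0, tzinfo=timezone.utc)


def sample_assertion(auth_policies, auth_time="2008-02-07T11:58:30Z"):
    return urlencode({
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://op.example.net/server",
        "openid.claimed_id": "https://alice.example.net/",
        "openid.identity": "https://alice.example.net/",
        "openid.return_to": "https://rp.example.com/login",
        "openid.response_nonce": "2008-02-07T11:58:31Zabc123",
        "openid.assoc_handle": "assoc-1",
        "openid.ns.pape": PAPE_NS,
        "openid.pape.auth_policies": auth_policies,
        "openid.pape.auth_time": auth_time,
        "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,"
                         "assoc_handle,ns.pape,pape.auth_policies,pape.auth_time",
        "openid.sig": "placeholder",
    })


STRONG = sample_assertion(PHISHING_RESISTANT + " " + MULTI_FACTOR_PHYSICAL)
PASSWORD_ONLY = sample_assertion(NO_POLICY)
STALE = sample_assertion(PHISHING_RESISTANT + " " + MULTI_FACTOR_PHYSICAL, "2008-02-07T11:00:00Z")

if __name__ == "__main__":
    print("RP request adds:", urlencode(build_pape_request()))
    for label, q in (("strong", STRONG), ("password-only", PASSWORD_ONLY), ("stale", STALE)):
        print(label, check_pape_response(parse_assertion(q), CHECK_TIME))
```

The "none" policy is the OP's way of saying the user logged in with nothing stronger than a password, which is exactly the case the post warns about, so an RP that asked for more must treat it as a failure rather than a soft answer. The signature check matters because PAPE fields travel in the same message as the assertion: an OP, or an attacker in the middle of an unsigned field, could otherwise claim a policy it never enforced.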

February 05, 2008

Vote Early, Vote Often

Hi, I'm Jeff Burstein, a product manager on the VIP team.


Today is Super Tuesday, and as a California resident, I went to vote this morning in the primary election. Since this is a blog about identity and trust, let's examine what I needed today to prove my identity to vote: nothing. Do I really look that trustworthy?


I walked into my polling place, went up to the table and told the poll worker my name, which she dutifully looked up in the voter roll and crossed out. No identity check needed, no need to show my ID, check a signature, or any other form of authentication -- just the honor system. (And of course the threat of going to jail for voter fraud!)


For those of us who live and breathe identity and authentication every day this is just unnatural! Of course, there are all sorts of reasons for the lack of strong authentication for voting today, most having to do with budgets, voter turnout, the 24th amendment, and the potential for discrimination. So what can be done to strengthen voter authentication while still preserving equal access and maintaining the integrity of the secret ballot? Some ideas are coming out of the Caltech-MIT Voting Technology Project, who held a conference on this very topic in 2006. But considering the recent fiascoes with touchscreen voting machines, it may be hard to get the public to accept new technology solutions to voting problems.

-- Jeff