RSA Conference 2010 -- Day 3

I can't believe it's only day three! It already feels like day 10. Today, I attended sessions presented by representatives from the Brazilian banking industry, Yahoo!, Google, Cisco, Bank of America, Qualys, and the US government.  There was a red thread that wove through all of these speakers' words and really caught my ear.  It was a topic I also heard while speaking with a German exhibitor on the show floor and with other conference goers I ate lunch with.  Any guesses as to what it was? Readers of my blog, especially those familiar with this year's theme for RSA, will certainly think it was cloud computing.  It wasn't, though.  It was authentication.

The Brazilian banking representatives, who work for the country's first- and eighth-largest financial institutions, spoke about the PKI that Brazil has recently launched.  The root of this trust hierarchy is the government itself.  Citizens' fingerprints are taken at birth and placed in a government database.  At some later point, they are issued national identity cards; their fingerprints are encoded on the card's smart card chip and signed by the Brazilian root CA.

Banks in Brazil apply to be intermediate CAs under the government's root.  When a citizen comes to one of them to open a bank account, they must present their national ID card.  With it, the bank can authenticate the person using the biometric data on the card, the person's actual finger, and the root CA's signature over the card data.  There are surely many factors that have led to the adoption of this technology in Brazil, but one is no doubt the scale of crime confronting the country.
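Stripped down to its cryptographic checks, the bank-side verification described above looks like the following. This is an added Go example, not code from the post or from any Brazilian bank or government system: a root CA key signs the citizen ID together with the fingerprint template at enrolment, and the bank verifies that signature before comparing a live capture. The key pair, citizen IDs and template bytes are all constructed here; real fingerprint matching returns a similarity score against a threshold rather than the byte equality used below, and a deployed system would validate an X.509 chain (root to the bank's intermediate) rather than a single raw public key.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

// IDCard is what the bank's reader pulls off the smart card chip.
// Field names and layout are assumptions made for this example.
type IDCard struct {
	CitizenID string
	Template  []byte // fingerprint template captured at enrolment
	RootSig   []byte // root CA signature over CitizenID and Template
}

var (
	ErrBadSignature = errors.New("card data not signed by the root CA")
	ErrNoMatch      = errors.New("live fingerprint does not match card template")
)

// cardMessage length-prefixes both fields so the signature binds the
// identity to the template and bytes cannot be shifted between them.
func cardMessage(citizenID string, template []byte) []byte {
	var buf bytes.Buffer
	binary.Write(&buf, binary.BigEndian, uint32(len(citizenID)))
	buf.WriteString(citizenID)
	binary.Write(&buf, binary.BigEndian, uint32(len(template)))
	buf.Write(template)
	return buf.Bytes()
}

// IssueCard is the root CA's enrolment step: sign the record written to the card.
func IssueCard(rootPriv ed25519.PrivateKey, citizenID string, template []byte) IDCard {
	return IDCard{
		CitizenID: citizenID,
		Template:  template,
		RootSig:   ed25519.Sign(rootPriv, cardMessage(citizenID, template)),
	}
}

// VerifyCardholder is the bank's check. Order matters: verify the root CA
// signature first, so an attacker cannot present a self-made card whose
// template happens to match their own finger.
func VerifyCardholder(rootPub ed25519.PublicKey, card IDCard, live []byte) error {
	if !ed25519.Verify(rootPub, cardMessage(card.CitizenID, card.Template), card.RootSig) {
		return ErrBadSignature
	}
	// Simplification: real matchers score similarity against a threshold;
	// here "matching" means an identical template.
	if subtle.ConstantTimeCompare(card.Template, live) != 1 {
		return ErrNoMatch
	}
	return nil
}

func main() {
	rootPub, rootPriv, err := ed25519.GenerateKey(rand.Reader) // government root (constructed)
	if err != nil {
		panic(err)
	}
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader) // a key the root never certified

	template := []byte("constructed-template-for-citizen-0001")
	card := IssueCard(rootPriv, "000.000.001-91", template)

	cases := []struct {
		name string
		card IDCard
		live []byte
	}{
		{"genuine card, right finger", card, template},
		{"genuine card, wrong finger", card, []byte("someone-else's-finger")},
		{"card forged with attacker's key", IssueCard(attackerPriv, "000.000.001-91", template), template},
		{"genuine card, ID field altered", IDCard{CitizenID: "000.000.002-72", Template: card.Template, RootSig: card.RootSig}, template},
	}
	for _, c := range cases {
		fmt.Printf("%-36s -> %v\n", c.name, VerifyCardholder(rootPub, c.card, c.live))
	}
}
```

The four cases in main cover the failure modes the bank cares about: a wrong finger on a genuine card, a card signed by a key the root never certified, and a genuine card whose ID field was rewritten after issuance (the signature no longer covers the new ID, so it fails before the biometric is even consulted).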

Richard Clarke, Chairman of Good Harbor Consulting, asked rhetorically in his keynote whether America must reach a similar level of crisis before taking more drastic measures to protect its citizens online.  An American gentleman I had lunch with (whose name I unfortunately did not get) said that he wants a national ID in order to protect his privacy.  He argued that by being able to positively identify himself using such an ID, he could avoid intrusive searches in cases where the government suspects him of crimes perpetrated by someone who looks like him.  While searching his computer, house, car, etc. to determine who he really is, the government may find things that are actually illegal.  Once they are convinced he is not the suspect they originally believed him to be, they would then have the evidence necessary to convict him of other crimes.  Authentication at the outset would have prevented this, he argued.

Google, Yahoo!, B of A, and Cisco talked about how phishing is bombarding their users and preventing banks from using email to communicate with customers to the full extent desired.  Due to a lack of authentication, email cannot be trusted to deliver more value to customers.  In fact, B of A said, the phishing attacks are discrediting financial institutions' brands and reputations.  The solution the Web mail providers are employing is the same one the Brazilian banks are using to guard the online banking and ATM channels: PKI.  Unlike the South American organizations, however, Google and Yahoo! are not authenticating the end users; rather, they are, at least initially, only verifying the identity of the servers that send them email.  Email from unauthenticated servers is scrutinized more intensely than email from authenticated senders.

In her keynote, Secretary of the Department of Homeland Security Janet Napolitano said that what is needed is "privacy enhancing authentication."  Philippe Courtot, CEO of Qualys, said that it is the job of security professionals to "verify and to be on the lookout."  Bruno Quint of CORISECIO, a German service provider in the telco industry, told me how his company is providing 2+ factor authentication using a national PKI (like Brazil's but without biometry) combined with Information Cards on mobile devices, to provide strong authentication that is easy to use.

From all of this, I will go out on a limb and make the following predictions about authentication:

  • America will inevitably roll out a national ID card that uses PKI; it will not use biometry at first.
  • The creation of this PKI will be lobbied for by the financial industry.
  • It will be rolled out in 10 years or less.
  • It will eventually be used to securely authenticate online banking, e-commerce, voting, and other applications.
Disagree?  Have other predictions?  Share your opinion in a comment below or let me know.  Also, be sure to check back tomorrow for a summary of day 4 and watch my Twitter stream for live updates.