Monthly Archives: January 2015

Strategic Technology: Strong Mobile Authentication (SoftKEY)

This entry is part 31 of 33 in the series Strategic Technologies

We all dutifully endure the user ID and password on the hope that it will preserve our privacy, money and identity. As we need more and more user IDs and passwords we begin to reuse them and write them down, making them easier for friends, hackers or fellow train passengers to find. Also, snooping software such as key loggers can read them as we type them in or as they are transmitted.

Thus the need for stronger ways of identifying and proving who we are, something us techies call authentication. The fact that we are using software on our own phone, laptop or other device is a proven way to make it more difficult for others to use our user ID and password, so apps store information on the phone that it can read later to prove that you are using the same device . An even more powerful (and complementary) technique is the single-use password, where a password is generated that only works once, rendering it useless to anyone finding, guessing or snooping it.

Strong (customer) authentication is defined by the European Central Bank (ECB) as:

“a procedure based on the use of two or more of the following elements– categorized as knowledge, ownership and inherence:

(i) something only the user knows, e.g. static password, code, personal identification number;

(ii) something only the user possesses, e.g.token, smart card, mobile phone;

(iii) something the user is, e.g. biometric characteristic, such as a fingerprint.

In addition, the elements selected must be mutually independent, i.e. the breach of one does not compromise the other(s). At least one of the elements should be non-reusable and non-replicable (except for inherence), and not capable of being surreptitiously stolen via the Internet.  The strong authentication procedure should be designed in such a way as to protect the confidentiality of the authentication data.”

“Strong authentication” is generally accepted to mean a type of multifactor authentication (MFA).  MFA is required or strongly recommended by:

  • European Central Bank (ECB) as specified above
  • Federal Financial Institutions Examination Council (FFIEC) in the US
  • Regulations in MEA such as those issued by Banking Regulation and
    Supervision Agency (BDDK) in Turkey and others in UAE and Qatar
  • Monetary Authority in Singapore (MAS) in its Technology Risk
    Management Guidelines.

Most mobile apps have a user ID and password.  The user ID is used for identification and sometimes may be stored so that the user doesn’t need to enter it.  The password (or a shorter pass-code) is the first factor of authentication and represents something that the user knows.  Both are things that the user knows.

To meet the above ECB requirement a mobile app could also validate the mobile device (something the user has) and use the device as a token to produce a one-time password (OTP).

For example, Monitise/Pozitron SoftKEY uses a value stored on the device to generate a OTP to provide strong authentication that complies with the ECB definition.

Reading List: Ishmael, An adventure of the Mind and Spirit

This entry is part 6 of 6 in the series Doing Strategy

I talk a lot about technology strategy and the importance of technology strategy to business strategy.  I think it is important to understand the importance of technology historically in order to grasp what is actually at stake here.  For that, best to go back to ancient times and look at what effect past technological advances have had on people.

Let me just cut to the chase.  The primary purpose of technology to business is to exploit it to gain competitive advantage.  The main point of competitive advantage is to use it against your competitors.  Extreme cases of advantage generally are used to wage war against ones competitors.  War is not the same as competition.  Competition is natural as all plants and animals compete.  This is the basis for evolution (or creation if you prefer).  War, a uniquely human activity–and specifically unique to man after the advent of technology, means to annihilate ones competition completely as much as possible.

This means that you need to think beyond basic competitive advantage.  Does a new technology give your competitors sufficient advantage to wage war?  Think about…

  • the capability to manipulate oil prices being used to wage an economic war against a nation,
  • the capability to manipulate local or national elections being used to wage a political or economic war against a class,
  • the ability to attack networks and computers being used to wage an electronic war against an organization or group

…but content for another post because I am wandering well beyond the scope of the book now.

A notable instance of this is the ferocity with which agricultural and post-agricultural peoples have murdered hunter/gatherer, herdsmen and other pre-agricultural peoples for thousands of years.  Consult Wikipedia on this if you like which, at the time of my reading it, included: “Modern scholars typically view the stories of Adam and Eve and Cain and Abel to be about the development of civilization during the age of agriculture; not the beginnings of man, but when people first learned agriculture, replacing the ways of the hunter-gatherer.

An easy and inspiring read about this can be found in Ishmael, An adventure of the Mind and Spirit: