Strategic Technology: Strong Mobile Authentication (SoftKEY)
We all dutifully endure the user ID and password in the hope that they will preserve our privacy, money and identity. As we accumulate more and more user IDs and passwords we begin to reuse them and write them down, making them easier for friends, hackers or fellow train passengers to find. Snooping software such as key loggers can also read them as we type them in or as they are transmitted.
Hence the need for stronger ways of identifying and proving who we are, something we techies call authentication. The fact that we are using software on our own phone, laptop or other device is a proven way to make it harder for others to use our user ID and password, so apps store information on the phone that they can read later to prove that you are using the same device. An even more powerful (and complementary) technique is the single-use password, where a password is generated that only works once, rendering it useless to anyone who finds, guesses or snoops it.
Strong (customer) authentication is defined by the European Central Bank (ECB) as:
“a procedure based on the use of two or more of the following elements – categorized as knowledge, ownership and inherence:
(i) something only the user knows, e.g. static password, code, personal identification number;
(ii) something only the user possesses, e.g. token, smart card, mobile phone;
(iii) something the user is, e.g. biometric characteristic, such as a fingerprint.
In addition, the elements selected must be mutually independent, i.e. the breach of one does not compromise the other(s). At least one of the elements should be non-reusable and non-replicable (except for inherence), and not capable of being surreptitiously stolen via the Internet. The strong authentication procedure should be designed in such a way as to protect the confidentiality of the authentication data.”
“Strong authentication” is generally accepted to mean a type of multifactor authentication (MFA). MFA is required or strongly recommended by:
- European Central Bank (ECB) as specified above
- Federal Financial Institutions Examination Council (FFIEC) in the US
- Regulations in MEA such as those issued by the Banking Regulation and Supervision Agency (BDDK) in Turkey and others in UAE and Qatar
- Monetary Authority in Singapore (MAS) in its Technology Risk
Most mobile apps have a user ID and password. The user ID is used for identification and may be stored so that the user doesn’t need to enter it. The password (or a shorter pass-code) is the first factor of authentication and represents something that the user knows; the user ID and the password are both things that the user knows, so together they still make up only one factor.
To meet the above ECB requirement a mobile app could also validate the mobile device (something the user has) and use the device as a token to produce a one-time password (OTP).
For example, Monitise/Pozitron SoftKEY uses a value stored on the device to generate an OTP, providing strong authentication that complies with the ECB definition.
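To make the two-factor flow concrete, here is an added example (not SoftKEY’s code or any Monitise/Pozitron API; the page does not say which OTP scheme SoftKEY uses). It assumes the HMAC-based one-time password of RFC 4226 (HOTP) as the device-token algorithm, and the `DeviceToken` and `AuthServer` classes are hypothetical names for the app side and the bank side. It shows the three ECB properties in code: the password (knowledge) and the device secret (possession) are checked independently, an accepted OTP counter is recorded so the same OTP can never be reused, and a correct OTP never rescues a wrong password.

```python
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password: HMAC-SHA1 over the 8-byte
    big-endian counter, dynamically truncated to `digits` decimal digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class DeviceToken:
    """The app side (hypothetical): a per-device secret written to the phone at
    enrolment plus a moving counter. Holding this state is the 'something the
    user has' factor."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._counter = 0

    def next_otp(self) -> str:
        otp = hotp(self._secret, self._counter)
        self._counter += 1  # never emit the same counter twice
        return otp


class AuthServer:
    """The bank side (hypothetical): verifies the knowledge factor (password)
    and the possession factor (device OTP) independently, and refuses any OTP
    whose counter is at or below the last one it already accepted."""

    def __init__(self, lookahead: int = 5) -> None:
        self._lookahead = lookahead
        self._accounts = {}  # device_id -> {salt, pw_hash, secret, last_counter}

    def enrol(self, device_id: str, password: str) -> bytes:
        """Register a device; returns the secret the app must store on the phone."""
        salt = secrets.token_bytes(16)
        secret = secrets.token_bytes(20)
        self._accounts[device_id] = {
            "salt": salt,
            "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000),
            "secret": secret,
            "last_counter": -1,
        }
        return secret

    def _password_ok(self, acct: dict, password: str) -> bool:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), acct["salt"], 100_000)
        return hmac.compare_digest(candidate, acct["pw_hash"])

    def _otp_ok(self, acct: dict, otp: str) -> bool:
        # Search a small window ahead of the last accepted counter so that an
        # OTP the app generated but never submitted does not lock the user out.
        start = acct["last_counter"] + 1
        for counter in range(start, start + self._lookahead):
            if hmac.compare_digest(hotp(acct["secret"], counter), otp):
                acct["last_counter"] = counter  # consumed: a replay now fails
                return True
        return False

    def login(self, device_id: str, password: str, otp: str) -> bool:
        acct = self._accounts.get(device_id)
        if acct is None:
            return False
        # Both factors must pass; the OTP is only consumed once the password is right.
        return self._password_ok(acct, password) and self._otp_ok(acct, otp)


if __name__ == "__main__":
    server = AuthServer()
    phone = DeviceToken(server.enrol("phone-1", "correct horse"))  # constructed sample
    code = phone.next_otp()
    print("first use :", server.login("phone-1", "correct horse", code))
    print("replay    :", server.login("phone-1", "correct horse", code))
```

The two password checks and the OTP comparison all use `hmac.compare_digest` so that timing does not leak which factor failed, and the look-ahead window is deliberately small: a large window would let an attacker who stole one OTP keep a usable counter range open for longer.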