Telecom giant aims to bring cloud-based ID to the masses
Tracy Hulver has no small plans for Verizon Enterprise Solutions. “We want to be the world’s largest identity provider,” he explains, though it’s a little tongue in cheek.
Verizon is known for its mobile phones and home Internet but the company has also been in the identity and credentialing business for years, explains Hulver, senior identity strategist at Verizon Enterprise Systems. Some of the business came from its acquisition of Cybertrust, but Verizon had deployments previously.
While the telecommunications giant might not be as widely known for identity services, the two sectors are analogous. Telecom companies have made it possible for anyone to dial an 11-digit number and reach an individual anywhere in the world, Hulver says. This is much like identity.
The company has two primary goals in the identity sphere. The first is to provide device and PKI-driven identity services to run large government implementations, Hulver says. The second is Verizon’s cloud-based offering for identity management called Universal Identity Services, explains Hulver. The Universal Identity Service performs the vetting, credential issuance, authentication and access management, Hulver says.
This is the service Verizon wants to bring to the masses. “Because of the complexity of PKI we created cloud-based authenticated identity,” he says. The service aims to tie a high-assurance credential – such as a PIV-I – to an individual without the cost and intricacy frequently associated with identity deployments.
The idea behind cloud-based identity is the same as with any cloud-based service: reduce the cost and complexity of deployment and implementation. An enterprise might be willing to tackle deployment of multi-factor credentials for 20,000 employees, but it’s an entirely different process when it comes to provisioning tens of millions of customers, Hulver says.
Deploying physical tokens to that many customers is cost prohibitive, but as the problems with passwords proliferate, stronger solutions are necessary. Verizon’s Data Breach Investigations Report shows that more than 80% of breaches are due to stolen or misused credentials. “The problem continues to grow and passwords continue to be the weak link,” Hulver says. “The need for cloud-based identity is growing and it’s a way to get credentials cheaply.”
Even as breaches and risks increase, organizations remain slow to embrace the need for strong credentials for consumers, Hulver says. Instead they are going the route that corporate enterprises have taken, forcing tougher passwords by requiring a minimum number of alphanumeric characters, capitalizations and frequent password changes.
This solution doesn’t solve the problem and can cause headaches for users who have trouble remembering a growing list of complex user name and password combinations. “And if I really want to steal a password I could do some simplistic social engineering or use malware or a key logger,” Hulver stresses.
Multi-factor authentication is just starting to emerge as an option for consumers, but most sites that offer the more secure solution have opted to make it optional, Hulver says. Sites don’t want to make access too difficult for fear of driving customers away. “Online companies are very sensitive to that and thus the adoption rates for (companies offering) multi-factor are less than 10%,” he adds.
Verizon’s Universal Identity Services aims to make authentication secure and easy. One use case has a consumer entering a user name and password and then scanning a QR code on a pre-registered mobile device as an extra authentication factor, Hulver says.
There are also risk analytics that can be used in the background as an extra authentication factor invisible to the consumer. For instance, if a consumer logs in from a home computer on the same wireless access point and the same IP address, and their pre-registered mobile phone is within five feet of them, it is likely that the correct individual is accessing the account.
When the same consumer attempts to log in from another network or device, additional factors can be required, such as a one-time passcode delivered to or generated by the individual’s mobile device.
Online retailers are showing interest in this type of risk-based authentication technology because it does not require the consumer to do anything different, Hulver says.
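The step-up logic described above, written out as an added example (not Verizon's code): familiar network signals and a nearby pre-registered phone keep the login passwordless-invisible, anything unfamiliar triggers a one-time passcode, which is checked here with a standard HOTP/TOTP routine (RFC 4226/6238). The signal weights, the threshold and the profile layout are assumptions.

```python
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass
from typing import FrozenSet, Optional

@dataclass(frozen=True)
class Profile:                       # assumed shape of a consumer's enrolled context
    known_ips: FrozenSet[str]        # addresses seen on earlier successful logins
    known_aps: FrozenSet[str]        # wireless access points (BSSIDs) seen before
    phone_id: str                    # the pre-registered mobile device

@dataclass(frozen=True)
class Context:                       # what the login attempt looks like right now
    ip: str
    ap: str
    nearby_phone_id: Optional[str]   # phone detected near the login device, if any
    phone_distance_ft: Optional[float]

STEP_UP_THRESHOLD = 3                # assumed policy: any unfamiliar signal forces a 2nd factor

def risk_score(profile: Profile, ctx: Context) -> int:
    """Higher score = less familiar context. Each unfamiliar signal adds weight."""
    score = 0
    if ctx.ip not in profile.known_ips:
        score += 2
    if ctx.ap not in profile.known_aps:
        score += 2
    # The article's figure: registered phone within five feet is the strongest signal.
    phone_near = (ctx.nearby_phone_id == profile.phone_id
                  and ctx.phone_distance_ft is not None and ctx.phone_distance_ft <= 5.0)
    if not phone_near:
        score += 3
    return score

def decide(profile: Profile, ctx: Context) -> str:
    """'allow' on password alone, or 'step_up' to demand a one-time passcode."""
    return "allow" if risk_score(profile, ctx) < STEP_UP_THRESHOLD else "step_up"

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"

def verify_totp(secret: bytes, code: str, now: Optional[int] = None,
                step: int = 30, window: int = 1, digits: int = 6) -> bool:
    """RFC 6238 TOTP check with +/- one step of clock skew, constant-time compare."""
    counter = int(time.time() if now is None else now) // step
    return any(hmac.compare_digest(hotp(secret, counter + d, digits), code)
               for d in range(-window, window + 1))
```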
An airline has deployed Verizon’s Universal Identity Service to its gate agents, mechanics and reservationists, Hulver says. The company likes the cloud-based aspect of the system because it is easy to deploy to employees geographically dispersed across the country. Previously, the airline had employees using hardware tokens for access to services.
The airline’s reservationists all work from home, Hulver explains. In the previous solution, if the token was misplaced the employee had to spend time on the phone with the help desk to access the network. The new system places the primary credential on the user’s handset with a one-time passcode application. If the phone is lost, stolen or damaged, the employee can have a one-time passcode sent to another phone line or can access it through a computer application. “Universal Identity Services enables many different types of credentials,” he stresses.
Another deployment saw a health care provider implement the system for physician login, Hulver says. Doctors need a quick yet secure way to write electronic prescriptions. This system enables a physician to log on to a computer and then use a mobile device to receive a second factor of authentication.
What will identity look like in the future?
There are many ideas for what the identity ecosystem will look like in the coming years. Some envision consumers signing up with identity providers and paying for a service while others expect the relying parties to bear the cost.
It’s the latter model that Hulver sees catching on. “We don’t see the end user buying the credential,” he explains. The business model he sees is one in which the enterprise pays sub-pennies per transaction to benefit from the increased levels of security and convenience.
In a perfect world, Verizon would issue everyone a credential with some confidence of the asserted identity, commonly known as a level of assurance two, Hulver says. From there the credential could be leveled up. The current challenge, however, is that there is no place able to consume higher level credentials such as level four. The relying parties do not have the systems in place to accept these high assurance identities. It is a bit of a chicken and egg dilemma.
Until then, Verizon is laying the groundwork to help enterprises offer better security to its customers and employees. “It is difficult to change the way the world operates and come up with a different paradigm,” Hulver says. “But Verizon’s size and number of users enables us to deploy at a massive level.”
Biometrics problematic for online ID
Enterprises are showing a lot of interest in the use of biometrics to secure access to networks and web sites, says Tracy Hulver, senior identity strategist at Verizon Enterprise Systems. But most of the deployments are still in the pilot stage, as organizations want to make sure the technology works properly before fully rolling it out.
“The problem with biometrics is usability and reliability,” Hulver explains. “If I’m asking for a fingerprint does it work all the time?” If not, what do you do in cases of false rejection?
Biometrics are typically based on the probability of a match. “With passwords, PIN and one-time passcodes you either enter it correctly or you don’t,” Hulver says. “With biometrics there’s a threshold, and security people are just now wrapping their heads around that.”