Wednesday, October 26, 2005

Internet Identity Workshop 2005 (iiw2005) DAY 1 - 26 October 2005

Hi all,

[in vivo thoughts....from speaker to my brain to you..]

So having completed my journey to Berkeley, CA, I am now sitting and participating in IIW2005. Thanks to Phil, Kaliya, Drummond, and Doc for arranging for this. I'm honored and happy to participate...

Till now, I have sat through 6 presentations and thoroughly enjoyed the topics, especially the Q&A, even the IRC channel! However, one "gaping" hole I see so far is a lack of deep discussions on authentication - proving/validating/verifying the actual identity. As Art Coviello, CEO of RSA, stated, his company's solutions authenticate the possession / knowledge rather than the actual person. Biometrically-enabled authentication is the only way to prove irrefutable positive identity. I understand the vastly important need for infrastructure, standard data and message transports, et al, for identity management. However, the discussions have been sparse about strong authentication. As important as the former, we need to discuss how biometric data will be (a) integrated into these thought-leading identity infrastructures, (b) protected from attack vectors, (c) remediated against compromised identities, and (d) audited by authorities if required. I'll stay tuned and see if we begin to detail these important concepts...

Another key thought on identity is the access to critical, sensitive information. Today's transaction systems and processes require "regurgitated" critical and sensitive information, e.g., full name, SSN, address, driver's license number, etc. I wonder why cybercriminals are trawling the net (using SabaSearch.com et al) and targeting identity aggregators (credit report agencies, large retailers, CC companies, etc)? Simply because that's where the pointer to money is! ;-) Leveraging the Internet's network effect, cybercriminals can use millions of records to attempt fraud... More numbers, more chances to hit a gold bar. Their ally remains the use of static identifiers "regurgitated" to service providers to convert to an account then pilfer the account in another's name without positive identification. Therefore, if the critical, sensitive information for consumers is made impotent without positive, biometrically-enabled authentication, we "remove the sting" or value of that information, possibly curbing id theft...

Just something to think about...

More to come after I complete today's sessions...

/rob

1 Comments:

Anonymous said...

SabaSearch.com is a legitimate website....I believe this article is referring to ZabaSearch.com. Please correct it. Thanks.

9:52 AM  
