February 6, 2019

ITU knocks down passwords, opts for next-generation authentication method

By Emmanuel Elebeke

The International Telecommunications Union, ITU, has faulted the use of passwords in building digital financial services, describing it as a faulty foundation.

It strongly recommends that digital financial services be built on authentication methods far less risky and more sophisticated than the easily manipulable password authentication.

In its standardisation work on Identity management architecture and mechanisms released recently, ITU said over three billion usernames and passwords were stolen in 2016, and the number of data breaches in 2017 rose to 44.7 per cent, higher than that recorded in 2016.

A digital ID strategist and standards expert, Andrew Hughes of InTurn Consulting, said: “We are moving away from the ‘shared secret’ model of authentication.”

Hughes, who was referring to the username-password model of authentication, maintained that there are no secrets anymore, considering the prevalence of data breaches.

Designed to overcome the limitations of passwords, specifications developed by the FIDO Alliance (Fast Identity Online) enable users to authenticate locally to their device using biometrics, with the device then authenticating the user online with public key cryptography.

This model is presumed not to be susceptible to phishing, man-in-the-middle attacks or other forms of attacks targeting user credentials.
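The model described above can be sketched in code. This is an added example, not part of the original article or of the FIDO specifications: a simplified Go model in which the device unlocks locally, then signs the server's challenge together with the origin being visited, so a signature collected on a look-alike site does not verify at the real one. The names Authenticator, Sign, Verify and the bank.example origins are assumptions made for illustration; real FIDO messages carry more fields, and the browser supplies the origin.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator models the user's device; the private key never leaves it.
type Authenticator struct{ key *ecdsa.PrivateKey }

// NewAuthenticator creates the device key pair (done once, at enrolment).
func NewAuthenticator() *Authenticator {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Authenticator{key: k}
}

// digest binds the server's challenge to the origin the user is visiting.
func digest(origin string, challenge []byte) []byte {
	sum := sha256.Sum256(append(append([]byte(origin), 0), challenge...))
	return sum[:]
}

// Sign runs only after the local unlock (e.g. a biometric match) succeeded.
// No biometric data and no shared secret is sent to the server.
func (a *Authenticator) Sign(unlocked bool, origin string, challenge []byte) ([]byte, error) {
	if !unlocked {
		return nil, fmt.Errorf("local user verification failed")
	}
	return ecdsa.SignASN1(rand.Reader, a.key, digest(origin, challenge))
}

// Verify is the server side: it holds only the public key and its own origin.
func Verify(pub *ecdsa.PublicKey, ownOrigin string, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, digest(ownOrigin, challenge), sig)
}

func main() {
	dev := NewAuthenticator()
	challenge := make([]byte, 32) // fresh random challenge per login
	rand.Read(challenge)
	good, _ := dev.Sign(true, "https://bank.example", challenge) // constructed origins
	phished, _ := dev.Sign(true, "https://bank-login.example", challenge)
	fmt.Println(Verify(&dev.key.PublicKey, "https://bank.example", challenge, good))    // true
	fmt.Println(Verify(&dev.key.PublicKey, "https://bank.example", challenge, phished)) // false
}
```

Because the server stores only a public key, a breach of its credential database yields nothing that can be replayed as a login.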

“This is the biggest transformation we have seen in authentication in 20 years,” said the Managing Director of Technology Business Strategy at Venable, Jeremy Grant.

“Google, Microsoft and Apple are among the companies now baking FIDO specs into their products,” says Grant. “These specs are shipping out in most devices and browsers in use today,” he added.

FIGI’s work on next-generation authentication has been influential in ushering FIDO specifications into the ITU standardisation process. The December 2018 approval of FIDO specifications as ITU international standards, ITU X.1277 and ITU X.1278, is expected to stimulate their adoption globally.

FIGI, the Financial Inclusion Global Initiative, is a three-year programme of collective action led by ITU, the World Bank Group and the Committee on Payments and Market Infrastructure, with support from the Bill & Melinda Gates Foundation. It aims to advance research in digital finance and accelerate financial inclusion in developing countries.

Last week’s FIGI Symposium in Cairo introduced participants to a new report on next-generation authentication technologies that has emerged from the FIGI Working Group on ‘security, infrastructure and trust.’

The report describes use cases of strong authentication in digital financial services, in particular the enrolment of a customer opening an account and the authentication of a returning customer.

It details the technologies available to support these use cases, and offers related guidance to regulators as well as authentication providers and providers of digital financial services.