RE: [projectvrm] Now here's a novel way to identify that it's really you.

["T.Rob" < >]

So basically, the Nymi as envisioned on the list (uses the biometric as the actual credential) isn't good enough and the version that I proposed (uses the biometric to access the HSM) is too complicated to build.  Well then, we've reached a dead-end.  Security is inherently complex and somebody has to deal with that complexity.  If the users can't deal with it and the programmers can't deal with it, who's left? 

 

 

 

From: Peter Cranstone [mailto: ]
Sent: Wednesday, September 04, 2013 22:44 PM
To: T.Rob; 'Patrick Devine'; 'Drummond Reed'
Cc: 'Kevin Cox'; 'ProjectVRM list'
Subject: Re: [projectvrm] Now here's a novel way to identify that it's really you.

 

T. Rob,

 

Spot on - but good luck coding it and making it all work. 

 

I had a chance today to meet with a real prospect in the Health Care industry - it is simply staggering the problems they are trying to solve. Adding all this stuff in is the last thing on their mind. Their customers want three things:

1. Convenience
2. Privacy
3. Control

And the network admins wants two things:

1. Show Me the Money
2. Simple integration

If your design fails to align the above then it remains a science experiment. The person I met with had 6 strategies to implement and less than 18 months to do it all. Mobile apps were of ZERO interest because they didn't solve this problem - if it doesn't make them money, or save money to increase their profits then they're not interested. They want an incredible customer experience, they want it on every mobile device and they want it now. 

 

And most importantly it has to work with their current and future business processes. Fail that test and you'll get zero adoption. Plus the word AGILE came up almost in every other breath - as in make it scale, make it adapt, make it work.

 

The size of the opportunity was literally breath taking.

 

 

 

 

Peter

_________________________
Peter J. Cranstone
CEO.  3PMobile

Boulder, CO  USA

Improving the Mobile Web Experience

Cell: 720.663.1752

Web site: www.3pmobile.com

 

CONFIDENTIALITY NOTICE: This e-mail transmission, and any documents, files or previous e-mail messages attached to it may contain information that is confidential or legally privileged. Any unauthorized review, use, disclosure or distribution of such information is prohibited. If you are not the intended recipient, please notify the sender by telephone or return e-mail and delete the original transmission and its attachments and destroy any copies thereof. Thank you.

 

 

From: "T.Rob" < "> >
Date: Wednesday, September 4, 2013 8:19 PM
To: "Peter J. Cranstone" < "> >, 'Patrick Devine' < "> >, 'Drummond Reed' < "> >
Cc: 'Kevin Cox' < "> >, 'ProjectVRM list' < "> >
Subject: RE: [projectvrm] Now here's a novel way to identify that it's really you.

 

There's an assumption here that the biometric is used to authenticate to the back-end server.  The article on the Nymi was written for lay persons and so does not go into detail about what it does or how.  It focuses primarily on the biometric aspect of the device.  There's no reason whatsoever that the biometric would be the actual credential used.  It's definitely not how *I* would design the device and I'm only barely a cypherpunk.  I can't imagine someone who is would design it that way either.

 

But since the discussion thus far seems to be based on the belief that the biometric credential would be passed to the back-end, let's talk for a minute about HSMs – Hardware Security Modules.  An HSM is a purpose-built device designed to hold cryptographic keys, be as impervious as possible to side-channel attacks such as deriving keys from emitted RF, and to make the keys unrecoverable if tampered with.  Yubikey is an example of a consumer-level HSM.  IBM DataPower devices are an example of an Enterprise HSM and in that case if tampered they brick so badly that they emit smoke.

 

If the Nymi is an HSM then it would pair to you, store the biometric credential internally and never release it.  Then when pairing to your phone or to a web site, the device and the provider would establish an encrypted session and exchange credentials which Nymi would place in tamper-resistant storage.  The biometric would unlock Nymi and the Nymi would be like LastPass and store all your credentials, providing them as needed to the back end.  The credentials themselves would be dynamic, could utilize a system like OATH which is time-based, could be revoked or replaced, and would differ for each device, web site or service.

 

At least that's how *I'd* design it.  Whether it actually works like that I don't know.  But I haven't seen anything that describes how it does work and until I do I'm not assuming it would be so poor a design as to expose the biometric beyond the device itself.  If anyone does have detail on the technical specs of the Nymi, I'd love to see them.  I apologize if it was posted already and I missed it.

 

-- T.Rob

 

 

From: Peter Cranstone [ ">mailto: ]
Sent: Wednesday, September 04, 2013 9:37 AM
To: Patrick Devine; Drummond Reed
Cc: Kevin Cox; ProjectVRM list
Subject: Re: [projectvrm] Now here's a novel way to identify that it's really you.

 

Exactomundo! 

 

I was waiting for someone to catch that - once a piece of data becomes 'static' its value is diminished cryptographically. Remember for 98% of the population the current methods are 'good enough'. For the 2% you have to add 'physical security' to make it more valuable. Think about entry into the White House - security is done in layers - once you reach the inner layer you're deemed trust worthy (enough that you don't have a physical weapon on you). 

 

Everybody thinks that if Apple adds a fingerprint reader that commerce will suddenly take off because of better security. Better security doesn't drive e-commerce. Better products, less transactional friction and pent up consumer demand drive commerce. It will be at least 3 years before there's sufficient volume of bio-metric devices in the hands of consumers to make the value worthwhile. In the interim e-commerce vendors will have to support all login types.

 

But 95% of them will still use what's good enough - username and password.

 

 

 

 

Peter

_________________________
Peter J. Cranstone
CEO.  3PMobile

Boulder, CO  USA

Improving the Mobile Web Experience

Cell: 720.663.1752

Web site: www.3pmobile.com

 

CONFIDENTIALITY NOTICE: This e-mail transmission, and any documents, files or previous e-mail messages attached to it may contain information that is confidential or legally privileged. Any unauthorized review, use, disclosure or distribution of such information is prohibited. If you are not the intended recipient, please notify the sender by telephone or return e-mail and delete the original transmission and its attachments and destroy any copies thereof. Thank you.

 

 

From: Patrick Devine < "> >
Date: Wednesday, September 4, 2013 4:47 AM
To: Drummond Reed < "> >, "Peter J. Cranstone" < "> >
Cc: Kevin Cox < "> >, ProjectVRM list < "> >
Subject: RE: [projectvrm] Now here's a novel way to identify that it's really you.

 

Importantly don’t forget this is effectively a static credential when it comes to online. There is no mitigation to Man in the Middle and as with all biometrics no chance for transaction signing. It’s a great way of logging into your local devices or access systems. Remember all biometrics work on a set of static information that once it is converted to an electronic format can be systematically spoofed!

 

Rgds

Patrick

 

From: "> [ ">mailto: ] On Behalf Of Drummond Reed
Sent: Wednesday, September 04, 2013 4:26 AM
To: Peter Cranstone
Cc: Kevin Cox; ProjectVRM list
Subject: Re: [projectvrm] Now here's a novel way to identify that it's really you.

 

Nice catch. It certainly helps reinforce the idea that a wearable authentication device paired with a personal cloud (via any intermediary device, from a smartphone to a laptop) could become a widely adopted solution for stronger authentication.

 

On Tue, Sep 3, 2013 at 6:33 PM, Peter Cranstone < " target="_blank"> > wrote:

Not really, it's just another way of connecting to either a personal cloud or vendor. There are also other approaches that will work as well.

 

 

 

 

Peter

_________________________
Peter J. Cranstone
CEO.  3PMobile

Boulder, CO  USA

Improving the Mobile Web Experience

 

Cell: 720.663.1752

Web site: www.3pmobile.com

 

CONFIDENTIALITY NOTICE: This e-mail transmission, and any documents, files or previous e-mail messages attached to it may contain information that is confidential or legally privileged. Any unauthorized review, use, disclosure or distribution of such information is prohibited. If you are not the intended recipient, please notify the sender by telephone or return e-mail and delete the original transmission and its attachments and destroy any copies thereof. Thank you.

 

 

From: Kevin Cox < " target="_blank"> >
Date: Tuesday, September 3, 2013 6:33 PM

To: "Peter J. Cranstone" < " target="_blank"> >
Cc: ProjectVRM list < " target="_blank"> >
Subject: Re: [projectvrm] Now here's a novel way to identify that it's really you.

 

Is there anything special about xdi as a way of connecting?

 

Kevin

On Wednesday, September 4, 2013, Peter Cranstone wrote:

Exactly - it just needs a way to connect to the web. XDI can do that.

 

 

 

 

Peter

_________________________
Peter J. Cranstone
CEO.  3PMobile

Boulder, CO  USA

Improving the Mobile Web Experience

 

Cell: 720.663.1752

Web site: www.3pmobile.com

 

CONFIDENTIALITY NOTICE: This e-mail transmission, and any documents, files or previous e-mail messages attached to it may contain information that is confidential or legally privileged. Any unauthorized review, use, disclosure or distribution of such information is prohibited. If you are not the intended recipient, please notify the sender by telephone or return e-mail and delete the original transmission and its attachments and destroy any copies thereof. Thank you.

 

 

From: Kevin Cox < "> >
Date: Tuesday, September 3, 2013 5:30 PM
To: "Peter J. Cranstone" < "> >
Cc: ProjectVRM list < "> >
Subject: Re: [projectvrm] Now here's a novel way to identify that it's really you.

 

This will integrate with any system that identifies you by your physical presence

This means boinym could connect to your phone as an authentication device instead of a photo or fingerprint or voiceprint

This means boinym does not need special infrastructure to gain a market

 

K

On Wednesday, September 4, 2013, Peter Cranstone wrote:

http://www.theverge.com/2013/9/3/4688162/bionym-nymi-could-replace-all-your-passwords

 

 

 

 

 

Peter

_________________________
Peter J. Cranstone
CEO.  3PMobile

Boulder, CO  USA

Improving the Mobile Web Experience

 

Cell: 720.663.1752

Web site: www.3pmobile.com

 

CONFIDENTIALITY NOTICE: This e-mail transmission, and any documents, files or previous e-mail messages attached to it may contain information that is confidential or legally privileged. Any unauthorized review, use, disclosure or distribution of such information is prohibited. If you are not the intended recipient, please notify the sender by telephone or return e-mail and delete the original transmission and its attachments and destroy any copies thereof. Thank you.

 

--
Sent from Gmail Mobile

--
Sent from Gmail Mobile