- Osterman Research on behalf of SecureKey
Practical Methods for Improving Authentication
4 Comments
Are you essentially offering a secure alternative to "Sign in via FaceBook"? (I never use this because of concerns about FB credentials being relatively weak, imho.)
It all comes down to trust, and therefore assurance levels. Social accounts typically have a low level of assurance. Other credentials, such as your driver's license, passport, or credit card, typically have higher assurance levels when compared to social networks (e.g. Facebook). Specifically, the higher-assurance credential providers have done some sort of identity proofing or vetting to determine the validity of your identity. Think about what was required to get your passport or driver's license. Now compare that to the process of creating a new Facebook account. Big difference, right? So it is no surprise, then, that many organizations trust physical passports more than Facebook accounts.
As an FYI, here is a list of the levels of assurance (LOA):
- Level of Assurance (LOA) 1: Little or no confidence in the asserted identity’s validity.
- Level of Assurance (LOA) 2: Some confidence in the asserted identity’s validity.
- Level of Assurance (LOA) 3: High confidence in the asserted identity’s validity.
- Level of Assurance (LOA) 4: Very high confidence in the asserted identity’s validity.
(source: http://www.whitehouse.gov/sites/default/files/omb/memoranda/fy04/m04-04.pdf)
Ultimately, it all depends on what you are doing online. If you are dealing with high-value transactions, then your best bet is to use a higher level of assurance. For other applications, LOA1 is perfectly fine. The main point is that, with a huge plethora of identities and credentials, why not let users choose which identity to bring, rather than force a new one on them?
Thanks for your question!
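The answer above makes a design point a relying party has to turn into code: the LOA is a property of who vetted the credential (the issuer), not something the credential asserts about itself, and each transaction carries its own minimum LOA. The following is an added example illustrating that, not code from the paper, the thread, or SecureKey's service. The issuer names, shared keys, the HMAC-signed JSON token format (a stand-in for a real SAML or OpenID Connect assertion), and the per-operation policy are all assumptions constructed for the example.

```python
"""Relying-party LOA enforcement (added example; all issuers, keys and
policy values below are constructed, not taken from any real deployment)."""
import base64
import hashlib
import hmac
import json

# Trust registry: which identity providers the relying party accepts, the key
# used to verify their assertions, and the LOA the relying party assigns to
# credentials from that provider.  LOA reflects the issuer's identity-proofing
# process, so it lives here and is never read from the assertion itself.
TRUSTED_ISSUERS = {
    "social.example": {"key": b"social-shared-secret", "loa": 1},  # assumption
    "bank.example": {"key": b"bank-shared-secret", "loa": 3},      # assumption
}

# Minimum LOA required per operation (constructed policy).
REQUIRED_LOA = {
    "view_statement": 1,
    "transfer_funds": 3,
}


def _b64u_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: bytes, key: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()


def issue_assertion(issuer: str, subject: str, key: bytes, extra=None) -> str:
    """Simulate an identity provider minting `<b64url(json)>.<b64url(hmac)>`.
    `extra` lets a caller inject claims a careless or hostile issuer might add
    (for instance its own "loa"), to show the relying party ignores them."""
    claims = {"iss": issuer, "sub": subject}
    claims.update(extra or {})
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return f"{_b64u_encode(payload)}.{_b64u_encode(_sign(payload, key))}"


def verify_assertion(token: str) -> dict:
    """Return the claims if the token is well-formed and signed by a trusted
    issuer; raise ValueError otherwise.  The issuer is looked up *before* the
    signature is checked, so an unknown issuer can never supply its own key."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = _b64u_decode(payload_b64)
        sig = _b64u_decode(sig_b64)
        claims = json.loads(payload)
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValueError("malformed assertion") from exc
    if not isinstance(claims, dict):
        raise ValueError("malformed assertion")
    issuer = claims.get("iss")
    if issuer not in TRUSTED_ISSUERS:
        raise ValueError(f"untrusted issuer: {issuer!r}")
    expected = _sign(payload, TRUSTED_ISSUERS[issuer]["key"])
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    return claims


def authorize(token: str, operation: str) -> dict:
    """Decide whether the presented credential may perform `operation`.
    A valid credential from a lower-LOA issuer is not an error: it is a
    signal to ask the user to step up to a higher-assurance credential."""
    required = REQUIRED_LOA[operation]
    try:
        claims = verify_assertion(token)
    except ValueError as exc:
        return {"allowed": False, "reason": str(exc), "required_loa": required}
    loa = TRUSTED_ISSUERS[claims["iss"]]["loa"]  # registry value, not a claim
    result = {"subject": claims.get("sub"), "loa": loa, "required_loa": required}
    if loa < required:
        return {**result, "allowed": False, "reason": "step-up required"}
    return {**result, "allowed": True}


if __name__ == "__main__":
    social = issue_assertion("social.example", "alice", b"social-shared-secret")
    bank = issue_assertion("bank.example", "alice", b"bank-shared-secret")
    for tok, op in [(social, "view_statement"), (social, "transfer_funds"),
                    (bank, "transfer_funds")]:
        print(op, authorize(tok, op))
```

The three failure modes the thread's argument implies are each handled separately: an untrusted issuer is rejected before any cryptography runs, a tampered or mis-keyed assertion fails signature verification, and a genuine low-assurance credential is reported as needing step-up rather than as an attack. In a real deployment the token would be a SAML assertion or OIDC ID token verified against the issuer's published keys, but the rule that the relying party, not the issuer, decides the LOA is the same.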
What does BYOC (Bring Your Own Credentials) mean in the context of this paper? Are you essentially offering a secure alternative to "Sign in via FaceBook"? (I never use this because of concerns about FB credentials being relatively weak, imho.)
Similar to the BYOD term, but referring to the concept of bringing your own identity or credential. Examples could be your bank account, driver's license, national ID, or a variety of social credentials. One example of this is what we (SecureKey) are doing with the Canadian government, specifically how citizens can interact with government services. Canadians can now use their bank credentials to access a variety of government resources, rather than use a username and password that they tend to forget (http://securekeyconcierge.com), all while maintaining their privacy.