Credit card giant MasterCard has shared plans to do away with passwords in online payments, with an all-new authentication standard to eventually replace 3D Secure.
3D Secure is the extra layer of security placed on many online card payments, underlying systems such as MasterCard SecureCode, Verified by Visa, and American Express SecureKey.
Originally developed by Visa, the 3D Secure protocol has been widely disliked for years, recently described by media celebrating its potential downfall as “hated” and by academic researchers as “a textbook example of how not to design an authentication protocol.”
Its requirement for complex passwords and erratic behaviour patterns irritated end users, while the use of pop-ups and later iframes from third-party sites worried security experts.
Development of the new system is being jointly led by MasterCard and Visa, and promises to “utilise richer cardholder data”, opening up opportunities for all sorts of second-factor authentication options.
Exactly how it will work and what sorts of second factors may be supported remains to be finalised, but MasterCard’s news release mentions one-time passwords and fingerprints.
It also notes that it’s been looking at face and voice recognition, and even heart-rhythm-reading wristbands.
Using aspects of your body to identify you would make authentication processes smoother, although the wisdom of using something you cannot change is regularly questioned.
One-off passwords, coming from a code-generating dongle or app or sent to your phone as an SMS, interrupt the flow of things a little more but also provide decent security.
The problem with most of these in the past has been their reliance on additional technology. While you can carry passwords around in your head, fingerprints and heartbeats need to be read by something, and computer-generated codes need to be generated by something. You’d then need that something to hand any time you wanted to make a payment online.
This problem is slowly being overcome by our mobile devices. The most basic cellphone can provide SMS-based codes, smartphones can handle code-generating apps easily, and higher-end models now all have inbuilt fingerprint readers, so many of these options will be available to many people much of the time.
Still, of course, there’s the issue that not everyone will be on board. Not everyone has even a “dumbphone”, and those who do don’t always have charge or signal. Not everyone would be willing to deal with one-off codes, and for now at least, only a small minority would want to wear a bio-sensing device at all times.
So the death of passwords may still be some way off. As MasterCard puts it, the system “could be adopted in 2015” and will “gradually replace” the existing model, meaning the change will take some time even if it’s adopted soon. It even says it expects “far fewer prompts for passwords”, rather than none at all.
The new model is expected to run alongside the current one, for a while at least, and adoption is likely to be led by the wealthier and more tech-savvy, who tend to be less at risk from fraud in the first place.
So, it’s unlikely that the cybercrooks will be rethinking their target list any time soon, but it’s good to see some signs of progress towards retiring an old and sloppily implemented security paradigm.
Great. Now we can all be like RFID-implanted cows.
This idiotic POS caused me to get an Amex card so I never have to deal with it again.
“heart-rhythm-reading wristbands”? So, I guess I could only order a pillow when my heart rate is low and exercise gear when my heart rate is fast…
I doubt it reads actual (analog) heart noise. It probably reads the electrical signals. I don’t know for sure, but I would guess that the specific frequencies, amplitude, beat patterns (the parts of a single heartbeat), etc. are unique.
One problem with eliminating passwords in favor of biometrics or codes sent to a phone is that it opens up a privacy hole. In the USA at least, one does not have to reveal a password to authorities, but they can require a fingerprint, or presumably any other biometric input. The logic is that they can examine anything you have, but can’t force you to reveal what you know.
In many countries, this “password versus biometrics” thing is a red herring because the issue isn’t that you are required to reveal your password, rather that you are required by law to make your data available (by analogy with opening up your garden shed so it can be searched).
Decrypting a hard disk, for example, doesn’t actually require you to reveal your password.
You can claim to be unable to decrypt the disk (or to be unable to unlock your shed), e.g. because you forgot the password and lost the recovery code, and if the court believes you, I guess that’s that. If you *can’t*, you can’t. But if the court decides you can but you *won’t*, that’s an offence in its own right.
I think, as they suggested, they will need to run with a range of options to facilitate the needs / concerns / requirements of their individual customers. I.e. some people might love the use of their heart rate monitor / fingerprint scanner while others are never without their smartphone and could use that.
In terms of it being something that takes additional time to complete a transaction, they could make a pre-generate button / app that generates a code with a 3-5 minute use window. You push the button, pre-generate your code while you are in the queue and then proceed to process your payment as usual.
Whatever they decide to run with (if not all options simultaneously) definitely needs to be something that you cannot forget or leave behind and it also must be something that either cannot fail or has built in fail-safes / fall-backs.
I’m probably not making much sense, I’ve not had much coffee yet…
Also, if you have it handy, do you have a source for the research behind what you said?
“adoption is likely to be led by the wealthier and more tech-savvy, who tend to be less at risk from fraud in the first place.”
Just interested in reading it, if you have it handy.
Thanks!