2019 - the year we may finally get to grips with Digital Identifcation & Authentication

On Thursday evening I was delighted to be speaking in Parliament on behalf of the MIDAS Alliance at the launch of Tech UK’s Digital IDs report, hosted by the All Party Parliamentary Group in Digital Identity. This very well attended event heard of the opportunities afforded by getting digital identification & authentication right, ranging from accessing banking services online, proving your age, or securing access to sensitive Government held data, such as your tax or medical records.

The launch was particularly timely given the breaking news last week of the attack against the 2 factor authentication technique being adopted by a number of banks, notably Metro, utilising one time passwords (OTPs) sent over SMS. Unfortunately, as was widely being reported, cyber criminals had developed a ‘new cyber attack’ to intercept these OTPs, gaining access to customers’ accounts. However, this ‘new’ attack exploited a well known and long standing vulnerability, which is highlighted in the forthcoming Strong Customer Authentication requirements going live under PSD2 in September this year.

Fortunately, the Tech UK report (along with the Emerging Payments Association Financial Crime report the week before, etcetera) highlights the British Standard in Digital Identification & Authentication (PAS499) as giving the necessary guidance to help steer organisations through such pitfalls to the satisfaction of these forthcoming banking security standards.

On Thursday I highlighted the importance of adopting these banking standards as best practice, rather than merely relying on common or good practice. After all, if your bank has to provide an additional layer of authentication security for a 30 euro e-commerce payment, wouldn’t you want, and indeed expect, your medical or tax records to have at least the same degree of protection.

Equally, it’s all very interesting knowing that there is definitely an Andrew Churchill in existence, but this is of little use if you can’t be sure that it is actually Andrew Churchill, and the right Andrew Churchill, that you are dealing with.

Thanks to Mvine for the photo