3 September 2015

How GOV.UK Verify Has Stopped Short Of Delivering the Perfect Citizen Experience

Make it easy for people to self-serve online and that is what the vast majority of people will elect to do. Public sector organisations have invested millions in putting key services online and have also spent a significant amount of money making us aware of them. For these organisations it means that they can reduce costs associated with delivering ‘manned’ service and for the citizen it means they can get access to the information and resources they need 24/7.

If you have used any of these services you will know that it is something of a mixed bag when it comes to the user experience. Renewing car tax, for example, is a relatively straightforward process that saves a visit to the Post Office, but dealing with certain elements of the HMRC website offers an altogether different experience. Then, if you have to pick up the phone and choose the wrong time of day to do so, you can expect an excruciatingly long wait. A quick search on Twitter and you will see what people have to say.

One of the problems people have when dealing with public sector organisations is the fact that we do not need to engage with them very often, but when we do it is inevitably for something important. As a result of this infrequent usage I for one without fail will fall at the first hurdle - passing through the Gateway.

The Government Gateway account is something you must sign up for to access HMRC online services, and it is essentially a username and password. However, it isn’t a username of my choosing: it consists of 12 randomly generated numbers. So, when I need to file my tax return it isn’t getting my accounts in order that creates the stress, but trying to remember where I jotted down the username and password when my account was first activated (which was some years ago). It is frustrating and can be more than a little concerning, especially if filing a return at the eleventh hour to avoid a penalty!

As a citizen I have no choice. Yet, as a customer shopping online I know the power of the pound in my pocket and if I am not getting the service experience I expect then I can vote with my feet. These commercial organisations know this and there is a groundswell of activity at the moment to improve how customers can login and authenticate themselves. But just because government organisations do not have to change it doesn’t mean that they should not evolve their identity verification and authentication processes.

Step forward the much debated and anticipated replacement to the Government Gateway. The GOV.UK Verify initiative is being closely observed by governments around the world as a new way to improve the verification of a citizen’s identity (replacing the archaic face-to-face and postal methods used currently). In many respects GOV.UK Verify is a great idea. It gives the user a choice of which specialist third-party organisation they use to initially validate their identity (it should take around 15 minutes), and after this one-time-only process the user then simply logs in. But for me it is here, at the authentication stage, that this fantastic innovative project falls down, as it reverts to the standard username and password, which is my bugbear with the current Gateway.

I had hoped that such a trailblazing and forward-looking project would have looked beyond passwords, especially given the raft of compelling one and two factor authentication alternatives that are being adopted in private sector (and indeed some public sector) organisations right now.

I of course appreciate and value the prospect that GOV.UK Verify will hopefully improve the protection of my data from the increasingly resourceful professional cybercriminals or opportunists. And I also look favourably on the new front-end interface (it could not have been much worse!). However, from a user experience perspective (and I am talking as a citizen/customer rather than an authentication expert) it does not satisfy my expectation for a fast and secure authentication experience.

I cannot help but feel that they have stopped just one step too short, and if they had taken this single step they could have made an exciting project a truly ground-breaking initiative that would set the standard for not only other public sector organisations but private sector businesses to follow. My hope is that as the service is rolled out and bugs are ironed out there will be a planned phasing out of the password in favour of something that enhances, rather than inhibits, the customer experience.

Author: Fred Astfeldt

25 August 2015

Case study: The City of St. Petersburg

Known as “The Sunshine City”, St. Petersburg, Florida in the US averages 361 days of sunshine each year. It covers 61.7 sq. miles and has a population of approximately a quarter of a million people, making it the 5th largest city in Florida. St. Petersburg has emerged as a top destination for the arts with the Dali Museum, the Dale Chihuly world-renowned glass collection, and six art districts. It is the job of the city’s 2,500+ employees to provide the essential services and support that keep the city running smoothly.

The challenge

The city has a growing number of employees who need to access resources on the city network whilst working away from the office. To help them, the city implemented a remote access solution from VMware and mobile device management from AirWatch. However, with many of the software applications not available in mobile versions, this was causing a problem for those logging on via tablets and smartphones.

The solution was to use VMware View, which would give employees remote access to the desktop applications they needed from their mobile devices. However, this increased the security risk, as Brian Campbell, Information Technology Security Officer at the City of St. Petersburg, explains: “The only security requirement offered by VMware View to gain access to the users' desktop was their security credentials of user ID and password. Whilst we have stringent policies for user ID creation and robust password management, we recognised that it simply was not enough.”

Mr. Campbell uses the example of a mobile device being inadvertently infected with a key-logger, which could capture the login credentials and potentially be used to infiltrate the system and cause disruption.

The city decided that an additional layer of security was needed and a two-factor authentication (2FA) solution would be the most prudent way forward. The city’s Information Security team investigated, demonstrated and discounted a number of the market leading solutions. Mr. Campbell explains: “The solutions we looked at were not straightforward, elegant, nor in a small enough form factor to make us feel comfortable in choosing any of them. That is until we found PINgrid from Winfrasoft.”

Initially the simplicity of PINgrid made the team wary, but also intrigued enough to embark upon rigorous and thorough testing to scrutinise every aspect of the solution. The result was zero failures. “We had to know if a solution so simple could meet our high expectations,” adds Mr. Campbell. “During the testing phase we were in frequent contact with the Winfrasoft team and their responses to our questions were always immediate and positive. Not only were we impressed with the solution, we were also impressed with their customer service.”

Having found its 2FA solution, the city invested in user licenses for PINgrid for the members of staff who are authorised to have remote access, and today it is fully integrated with the VMware solution.

The benefits

To use PINgrid, all an employee with remote access rights needs to do is download the app (available from all major app stores) onto their mobile device. Meanwhile, the Information Security team creates their account, which in turn triggers an email to be sent to the employee, including their initial PINgrid pattern. The entire process takes a matter of minutes.

Now, all the user needs to do to log in is to access VMware View, but before they enter their username and password they are prompted for a One Time Code. This code is obtained by simply opening the PINgrid app and entering the corresponding digits that appear in their pattern.

“For staff choosing to install the app on their personal devices we ensured that they understood that the PINgrid app is essentially a standalone number generator requiring no Internet access, no “phone home” requirement, and giving them reassurance that it is completely independent and that they could use it with confidence,” notes Campbell.

“We have found that the beauty of PINgrid is in its simplicity,” remarks Mr. Campbell. “It has been easy to deploy and the roll-out required virtually no user training; even though we offered it to everyone, only around 5% of the users requested assistance.” Campbell concludes: “PINgrid is absolutely the solution we were looking for but didn’t expect to find. It works perfectly, is consistent and we have no complaints or problems at all. We are very pleased indeed.”

17 July 2015

VIDEO: Winfrasoft CEO, Steven Hope Explains Why the Time Has Not Yet Come for Biometrics

Last week our CEO, Steven Hope, joined leading privacy, identity and security experts from across Europe to present at Building Trust on a Hyperconnected World, an event hosted by EEMA and OASIS at the EMEA headquarters of CA Technologies, Ditton Manor.

In the session entitled ‘Biometrics: the time has come?’, Steven was joined by Professor JJ Nietfield from the University Medical Centre in Utrecht, the Chair of the OASIS IBOPS Technical Committee, Abbie Barbir and Executive Director of EEMA, David Goodman. During his presentation and the panel debate which followed, Steven shared his perspective on the hype surrounding the use of biometrics. He explained that whilst the technology does have the potential to have a place in the identification and authentication process, there is a reason why it has not yet taken off in the way many experts had expected.

Steven argued that the proliferation of biometrics on the latest smart devices is focused on delivering a convenient user experience, and is not about delivering tight security, despite the worrying efforts of some large organisations (especially those in the banking sector) trying to find ways to exploit the likes of TouchID for authentication purposes. He also observed how the word ‘biometrics’ has wrongly become synonymous with security, and explained how smart devices operating consumer-grade biometric sensors could not and should not be expected to deliver the accuracy and reliability of high-end biometrics equipment used in the commercial world.


14 July 2015

Passwords won’t be gone in the blink of an eye

I truly believe we are about to turn the corner in finally replacing password-based authentication, but I am concerned that many organisations (some vendors and some end-user businesses) are getting a little distracted with the current flavours of the month.

Last month I posted a blog explaining why emojis are not the future of authentication. This week I find myself having similar conversations about selfies, following MasterCard’s announcement that it is experimenting with a mobile app, through which the customer poses for a selfie, blinks and hey presto they are authenticated!

Many of us use emojis and take selfies every day (as well as using social networks, which is another method being considered), so on face value it would seem to make sense to try and find ways of adopting them as authentication tools. However, passwords have been with us for a long time, and don’t think that they are going to go in the blink of an eye!

From an end-user perspective passwords cause us headaches, because they are overused and, as we all do so much online, we need to remember so many of them. Most of us solve this problem by using the same password (or variations of it), causing organisations major headaches as we compromise their security protocols. The thing is, we all want to be secure and protected but we are also impatient and don’t want to be inconvenienced, so we look for short cuts.

Now, imagine this brave new world where passwords have been replaced by the headline-hitting gimmicks. As it is the start of July you want to log in to your online banking to check you have been paid. To do so you are asked to provide a fingerprint (biometric). Great news, you have money in your account and it is time to renew your car insurance, and they want you to prove you are who you say you are with a selfie. Next you decide to do your weekly shop, but before you can arrange delivery you need to use your secret combination of emojis. Three different methods to authenticate. Suddenly passwords don’t seem so bad!

For all their failings, passwords are ubiquitous in our society. There is an encouraging groundswell of support to displace them, but if they are to be usurped it needs to be with something that has the potential to become just as prolific and lasting, and crucially doesn’t cause the people who use them pain.

Author: Fred Astfeldt, Winfrasoft

2 July 2015

Winfrasoft to Help Organisations Move from Passwords and Hard Token Authentication at the Security IT Summit 2015

Winfrasoft today announced that at the Security IT Summit 2015 it will be demonstrating how organisations can move away from password-based security with the award-winning PINgrid, PINpass and PINphrase. The one-day event takes place on 7th July at the Hilton London, Wembley.

At the Security IT Summit, Winfrasoft (an OATH and FIDO Alliance Member) will provide security professionals working in B2B and B2C organisations with a fresh alternative to their current authentication and transaction verification methods. Delegates will learn how they can remove the reliance on password-based authentication and pressure on the helpdesk for resets, eliminate procurement costs and administration surrounding card readers and keyring tokens, and innovate without the need to implement expensive biometrics.

- PINgrid is an award-winning and patented multi-factor authentication and transaction signing solution that is being used in the public and private sector today to transform any mobile device into a soft-token, via a simple offline app, replacing passwords with a memorable pattern that automatically generates an OTP.

- PINpass turns any mobile device into a token by sending a six to eight digit OTP to it via SMS or email. By combining it with a PIN, or an existing Active Directory password, PINpass creates a strong 2FA solution.

- PINphrase uses Random Character Authentication.

PINgrid, PINphrase and PINpass all support implementation in 1.5 and 2FA environments.

Head of Sales at Winfrasoft, Fred Astfeldt, comments: “Recently we have seen a reaction from retail banks as they start to offer customers a choice in how they authenticate themselves online, giving the option to continue with card-reader or keyring token, or to login using their memorable information. In PINphrase, Winfrasoft is the only authentication specialist with an off-the-shelf product that enables any organisation to implement this form of authentication without the need to develop it in-house.”

Astfeldt adds: “Our solutions have been rigorously tested in public and private sector organisations and have been proven to deliver strong, robust and reliable authentication. However, they have also been demonstrated to have a major impact on improving the end-user experience.”

In addition to PINgrid, PINphrase and PINpass, Winfrasoft will also be demonstrating its Enterprise Desktop Logon and Remote Desktop Agent for organisations using Microsoft’s Remote Desktop Services, Citrix and VMware. These solutions enhance secure access to the corporate network, applications and data by augmenting the username and password login with either 1.5 or 2FA.

For more information about the Security IT Summit visit: www.securityitsummit.events

Follow the event on Twitter @SecIT_Summit

18 June 2015

Why Password Vaults, and Emojis are not the Future of Authentication

The news this week that LastPass has suffered a security breach is a reminder of why I am not a fan of the password vaults currently on the market.

Password vaults serve one purpose only, and that is to make it easier for people to store their login credentials centrally. They are not about making those credentials more secure. Yes, you will see marketing materials talking about encryption and the like, but at the end of the day all you are doing is consolidating your passwords and ‘securing’ them with just one master code.

People buy in to password vaults for convenience; in fact LastPass has the tagline ‘The last password you’ll ever need’. It is essentially the same as storing all your credit, debit and store cards, along with your driving licence and cash, in a wallet. It seems like a great idea until it gets stolen.

For me, the root cause of the problem isn’t the password vault itself, but the password. Most of us tend to see the login screen as an obstacle that stands in the way of us doing what it is that we want to do. Anything that makes it quicker and easier to get through the process is welcomed with open arms. To illustrate my point, how many of you click the ‘remember this password’ when given the opportunity? I know I have.

If we are being honest, most of us are willing to make some form of trade-off between security and convenience, but we should not be expected to do so. Passwords continue to haunt our lives because organisations decide to enforce their use, and in most instances they do so because they don’t know what else to do. As security professionals it is our role to give these organisations choice, show them that there is a better way and, crucially, put forward a compelling business case that will drive lasting change.

At the same time as LastPass has been hitting the headlines this week, so too has Tripwire for its attempt to solve the problem using emojis. As a marketing gimmick it has certainly succeeded in grabbing attention, and they seem to be heading in the right direction by trying to make login credentials easier to remember and leveraging the capabilities of mobile devices. But could such a solution viably replace every website, mobile app or corporate network that currently uses a password? Emojis might appeal to millennials logging on to a social forum, but would a silver surfer feel comfortable using them for their online banking? It may well be more secure than a password, but I can’t imagine entering smiley face, sad face, birthday cake and love heart to authorise a transaction from my corporate bank account!

Meanwhile, at the other end of the scale, biometrics are promising to change the world, but unless you are a large bank with money to burn it is pretty much out of reach, and even then you have the issue of standardising on a biometric.

This is the big challenge we as an industry face if we are going to replace something as ubiquitous as a password. We need to find something that has the potential to be just as ubiquitous in the future, otherwise we will be stuck in the same old rut.

We think we might have just the thing! www.pingrid.com

Author: Fred Astfeldt, Winfrasoft

11 June 2015

Reducing Customer Friction with Better Authentication

Retail banks around the world are trying to get to grips with a difficult challenge: how to make their identification and authentication processes secure enough to protect them and satisfy the regulators, while balancing that with the desire of customers for a frictionless experience. This was one of the key issues debated at a one-day conference held at the Department of Business, Innovation and Skills in London last week.

Attended by experts in e-identity and authentication, those working in some of the largest banks in Europe, as well as representatives from the European Commission and the European Banking Association (EBA), the event was held a few weeks after 24 out of 28 authorities from EU member states signed up to the new EBA guidelines for online payment security. Coming into force from 1st August 2015, these guidelines require banks to have stronger authentication whereby a customer must provide non-reusable security details. So, unsurprisingly, online payments were a red hot topic of conversation.

The problem with online payments today is that when consumers buy something online they reach for their debit or credit card. However, these cards were introduced when there was no Internet and were designed to be presented at the point of sale. As a result banks are having to deal with huge amounts of fraud from online card payments, costing huge sums of money and draining resources.

Since their introduction cards have evolved, with chip-and-PIN and, more recently, contactless payment technology for low-value transactions, but the latter makes these cards more, rather than less, susceptible to crime. So it is interesting to see the rapid uptake of this innovation, which suggests customers are willing to trade a level of security for convenience, in much the same way as they opt for easy-to-remember passwords for their online accounts.

The problem for banks is that whilst customers may be happy with a trade-off, the banks and their regulators are not. However, they know that to gain and retain customers they need to find ways of delivering a more frictionless online experience. Hence, whether you are a business or a retail customer, you may have seen the need for your card reader or key-ring number generator (otherwise known as a hard token) diminish in favour of more convenient methods of online authentication. Of course, this is also great news for banks, as the cost to administer these devices is very high indeed.

However, during the conference it was clear that banks are eager to find ways to strengthen their identification and authentication processes in a friction free manner, and worryingly many explained how they are investigating the use cases of biometrics in all its forms.

In my opinion, there are a number of significant stumbling blocks when it comes to biometrics. Not only the level of investment and management that is required, and the sophistication of biometric readers on the current crop of ‘smart devices’, but also the challenge and cost of on-boarding all new and existing customers. This is far from the frictionless experience that customers want, and banks are replacing one costly technology with another! Also, these readers currently feature on the higher-end devices, alienating the majority of customers. And, as one speaker was quick to point out: what happens if a customer using biometrics is a victim of fraud? Criminals will undoubtedly find a way to cheat the system. So, how does a victim then go about proving they are who they say they are?

One of the most insightful observations of the day was that banks can choose to add as many ‘layers’ of security as they wish, but if they are going to satisfy the customer they need to make the customer feel like they are using just one; any more and they feel like barriers. So, whether they are logging on or transacting via a website, on a desktop PC, a browser on a smartphone or tablet, or via an app, the process needs to be convenient, reliable and, of course, trusted.

This is why the username, password and memorable information approach has been well adopted: it is device agnostic. So, if you want to have stronger security (and whilst this approach is strong, it could be stronger) you need to find a solution that can also work in this environment, and currently biometric readers are neither robust nor ubiquitous enough to satisfy these requirements.

However, there was unanimous consensus that using smart/mobile devices was undoubtedly the way forward. Using these devices presents a way to improve the authentication process for banks without adversely impacting or burdening the customer. Yet, rather than biometrics, these devices can be used to replace card readers or key-ring tokens, by augmenting the username and password login with a one-time code generated through an offline app residing on the device.

From the bank’s perspective this approach is relatively inexpensive when compared to hard tokens and biometrics. It can be rolled out rapidly at a regional, national or international level, and it eases the possible friction for the customer.

Another great benefit of this approach is that as well as being used for logging on to online bank accounts, it can also be used for swift online transaction verification, meaning online card payments can be afforded a far greater level of protection, which is great news for the banks who can save millions in reduced fraud incidents and the customers who are less likely to be innocent victims.

Author: Steven Hope, CEO, Winfrasoft