August 19, 2016
LiveEnsure: Driving Home the Difference between Identification and Authentication
By Joe Bush, CardNotPresent.com
Christian Hessler says his company’s identity is tied into the very idea of identity, and how it differs from authentication.
Hessler founded LiveEnsure, a startup trying to revolutionize interactive user authentication on smart devices, and he draws a distinct line between identity and authentication. The difference drives the company’s mission, says Hessler.
LiveEnsure triangulates location, device and customized user behavior to authenticate users, and Hessler says none of the information is shared, broadcast or stored. It boasts 1,200 system deployments in 80 countries with eight million end-user authentications since early field engagements began in late 2013.
According to the former CTO at two firms and senior engineer at Sun Microsystems, the fundamental problem with traditional authentication and what he calls “the general history of this security puzzle,” is that it has assumed identification is the same thing as authentication.
Hessler defines identity thus: “Passive, publicly available, stored set of bits that are often federated and shared for convenience and simplicity. It is a batch of self-reported credentials used to establish initial assumptions about who is on either end of the wire.”
Authentication, says Hessler, is not passive, but interactive, not self-reported but asserted from a variety of perspectives and in context. Not least important, says Hessler, is that authentication is “very individual.”
“They are not the same thing at all,” says Hessler. “In fact, they are so diametrically opposite that attempts to conflate or combine them for convenience or assumptive layering has been the most disastrous advance in this field. Single-sign-on is a modern time-saver, not a security layer.”
LiveEnsure uses multiple factors, he says, and is able to not only verify that the factors are accurate but also from the right device and in the right place together.
“We never have to mathematically send those values back and forth over the Internet or over the network or the Bluetooth in order to be able to verify they’re true,” says Hessler. “We mathematically approach it almost as an algebraic equation.
“If we’re going to do the same thing to both sides, independently without looking, I’ll just know that whatever I come up with at the end, which is very similar to an encryption-type approach, ought to be accurate even though I’m not going to care, capture or transmit the stuff that went into it.
“Because there might be a million ways to get to the same answer, but I know if I don’t get the same answer on both sides for that moment in time for that user for that device and for all the other credentials added into the mix, I’m absolutely sure that something is wrong and therefore we don’t have a true authentication.”
Hessler says the traditional methods of authentication are too hackable. He breaks them into three categories:
- Seeding, like tokens, certificates, secure elements, key fobs, USB widgets, passcode generators
- “Scratch and match,” which attempts to use unique characteristics of a person or device, like browser and machine signatures to physical probing of biometrics like fingerprints, voice prints, or facial recognition
- “Ring and ping,” which employs one-time-passwords, SMS messages, out-of-band emails, push notifications, secret challenges and location tracking
Hessler says the latter is the most used and least secure method of authentication, and when identity and authentication are blurred, security breaches occur. Context is the key to LiveEnsure’s solution.
“Authentication is also about context, not a sequence of serialized factors, but a comprehensive and interdependent matrix of truth that either is or is not genuine,” says Hessler. “Real authentication is real-time, independently asserted and contextually unique.
“All modern hacks happen when identity factors or credentials can be taken out of context and used in another context to assume the identity of the hacked victim. When this can be done over and over, or on a mass scale, it speaks directly to the problem of relying on identity to perform the job of authentication.”
Juniper Research senior analyst Steffen Sorrell says the world of digital authentication today is about compromise: sites and apps generally deal in terms of passwords that are liable to be weak, or two-factor authentication, which compromises consumer demand for convenience and thus experiences low uptake. Sorrell says no authentication is 100-percent secure, though vulnerabilities can be “very difficult” to leverage at scale.
“LiveEnsure looks very interesting, in that the sum of multiple contexts provided by the user, site or app, and LiveEnsure is processed rather than a representation of each individual one,” he says. “This makes the service hard to replicate.”
LiveEnsure uses several partners, all of whom are collaborating on a system of in-store purchasing without handling identification and payment using cards. Intrinsic-ID provides physically unclonable factors (PUF) for device identification across iOS, Android and Windows Phone platforms. Drop Labs Inc. focuses on e-commerce use through mobile devices and wearable tech. Pebble is using LiveEnsure for authentication from its wearable devices. NCloud helps provide verification through a user’s contacts when the user has been locked out, loses the phone or is missing a factor.
Hessler says LiveEnsure partners with companies who have a similar philosophy about three areas: cutting-edge technology, scalability and the treatment of the user data “as being sacrosanct, as being private, as being something you don’t need to scrape, you just need to filter by or leverage or measure the influence of.”
Hessler says besides distinguishing between identity and authentication, LiveEnsure’s main differentiator is allowing the user to, as he says, “have some skin in the game.” Users can choose the way they swipe, the angle at which they hold the device, a PIN or a location-based factor. LiveEnsure has a free version, with no user choices, and a paid version. The company makes money by charging per authentication or per user per year.
“With biometrics and PINs and passwords users are usually passengers in the process,” Hessler says. “They have no control other than to purely respond. They have no control over that authenticity, nothing they can do to make it unique to them, to put in an abstraction layer between their fingerprint and what Apple thinks their fingerprint is.
“We allow the user to do that across any factor by influencing that factor with their own behavior and their own knowledge.”
And above all, says Hessler, is privacy.
“LiveEnsure is not in the big data business, we are not tracking your device, we are not tracking you, we are not watching for your location over time, we are not monitoring your behavior and measuring it over time, we are not keeping a database of all your mother’s previous names,” he says.
“The point is, we don’t capture any of the user data, we literally just measure that when that data is present it does or doesn’t have the valid effect on that context mathematically and those data points can come from anywhere.”
“At the end of the day it’s their authentication. It doesn’t belong to Google or Facebook, it belongs to the user, and they’re just loaning it for a temporary period of time.”