Trust and Internet Identity Meeting Europe
2013 - 2020: Workshops and Unconference

TIIME 2017 Session 34: Paradigma Shift

(Andrew Hughes)

User recognition?? User Authentication (Login)

Is Apple an ecosystem?

Until apple finds a way the users will break out of the system.

Everyone has their own wallets payment methods, etc.

Is it actually an open standard talk - apple doesn't participate in the identification discussions, so until it is worth for apple to change the chances are not big that apple is going to shift.

Continuous authentication.

What is the difference between User recognition and User Authentication?

By User recognition we mean no user interaction, authentication with no pop up, no second factor, nothing…

Once you are in it continues to go on. For example google maps (they only prompt to you if something goes wrong).

NYMY is something that would be complicated to realize without identification for example.

Most not enterprise designers realize that the percentage of the population will not do it (either they don't want to do it or don't know how to id).

One option are also long session cookies.

Does the service provider consider UR to be better or the same as UA?

The concept is to figure up who is the user and to hook him up to the account, it is minimizing the amount of user interaction basically.

There is no good universal way to do this.

The difference what we normally have is that you can ask for consent from the user and how do you handle consent when you leave a long session with the user.

The risk based authentication is some kind of solution, for example banks use this technology a lot, it is part of the user recognition but it is not used much outside those use cases.

On the enterprise side it is questionable if it the enterprises have interest in this at all.

For example google is very good at detecting hijacked accounts for that reason (good risk based authentication) tracking times of login, geolocation.

It can be seen as the lowest level of assurance.

Imagine Microsoft, if they are making a new library would they really consider going this way without login (using user recognition)?For example Credit cards, you can pay by just holding your card over the machine, without any pin whatsoever.

There is academic research about the LOA in this. It is the lowest level of recognition but it is the most certain way.

Device fingerprinting for example, if you use your phone the whole time through the day, if you see an actual person log on, you get the fingerprint based on the motion of that person. (so this means that someone is being recognized considering their behavior their movements etc …)The other problem is privacy.

Holding so much data bout people, their movement, behaviors, etc. is a huge problem much bigger than just the information about the passwords, accounts, etc.

If my phone is tracking where i am at what time that is a huge problem as a personal information attribute.

But on the other hand if this information is not leaking than there actually is no problem.