Does Priva-Tech's fourth factor of security really exist, or is it just a cleverly disguised version of one of the other three factors?
When security professionals compare notes, one of the first questions they ask each other is whether or not they have one-, two-, or three-factor security. If Priva-Tech can convince the world that a fourth factor exists, the security conversation could be changing.
Single-factor security, widely regarded as the weakest form of security, is based only on what you know. This could be a user ID, a password, or a combination of the two. Much stronger is two-factor security, usually a combination of what you know and something you have. The ATM card that you have combined with the PIN that you know is the most common implementation of two-factor security.
The third factor, and one which has recently been getting a lot of attention, is who you are; it is verified, via biometrics, by a body part unique to you -- your fingerprint, your eyes, or your face.
According to Gartner security analyst John Pescatore, "Because of the cost, you rarely if ever (even in the most sensitive situations) see all three factors deployed simultaneously. Biometrics is usually used to replace the 'what you know' part because it's so weak. Even for the most secure installations, doubling up with two factors -- who you are and what you have -- is plenty. But even that is expensive.
"For example, banks want to get away from PIN numbers because people forget them. They could do something that is a combination of an ATM card and a fingerprint reader, perhaps with the fingerprint reader right on the card. But banks have been slow to move to a better system because the cost is so horrendous."
If doubling up with two of the three factors is enough (and still cost prohibitive for many), does it make sense to have a fourth factor?
Priva-Tech's Jeff Minushkin thinks so. The company, which he says has been in stealth mode for several years and servicing government-based clients, is ready to reach out to corporations with what he says is a fourth factor of security.
Minushkin and Pescatore agree on two things. First, virtually every security scheme is based on a trusted authority that verifies identity before issuing the credentials needed to gain access to secure information or facilities. Second, a security implementation is only as good as the trust in that authority. Regardless of how many security factors are deployed, there's always a risk that an imposter can get his or her hands on someone else's security credentials. "It just has to do with who is issuing the credentials," says Minushkin. "Suppose someone goes to a bank, and says they're you and that they need a replacement credential like an ATM card? Who is verifying that the person is indeed you, and what are they basing that verification on? Is verification based on a document that can be easily forged -- like a driver's license? The whole thing is a house of cards."
While most banks don't issue a replacement card on the spot and, as a measure of security, send it to the account holder instead, there are plenty of situations where security credentials can fall into the wrong hands. "The risk is known," says Minushkin. "Banks, for example, accept a certain amount of fraud. They have numbers built into their spreadsheets because they've accepted that there's a broken trust layer."
Indeed, the trust layer is broken. For example, the Commonwealth of Massachusetts issues new and replacement driver's licenses using commonly available digital cameras and laser printers. In my experience, that easily forged document is generally accepted by most individuals who are charged with verifying someone's identity. As highlighted by a recent lawsuit against Verisign, such fraud and forgery is rampant in today's world. In that suit, the original owner of Sex.com Gary Kremen alleges that a con man was able to steal the domain Sex.com from him because of a lax verification process at domain registrar Verisign.
But, whereas the financial risks of such fraud can be built into spreadsheets, Minushkin says the post-9/11 world is a different place. "Think about something like a trusted traveler card that you would need to board an aircraft," says Minushkin. "With something like that, you can't afford even one breakdown." If they begin issuing such a credential, their original identification process has to be airtight.
While Minushkin doesn't have an answer for how you guarantee someone's identity when a security credential is originally issued, he claims that Priva-Tech does have the technology that guarantees that once one is issued -- known as "enrollment" -- an unauthorized duplicate can never be forged or issued to an imposter.
Says Minushkin, "We've created a fourth factor which unequivocally guarantees that 'what you have' is not only the right device, it is the device issued at the time of enrollment." Contrasting Priva-Tech's technology with smartcard technologies, Minushkin says that smartcards are only as good as the security of the private key that protects the encrypted data inside them. Citing a case where smartcard technologies were compromised, Minushkin told me, "DirecTV deployed one of the best smartcard technologies around. But the minute someone got their hands on DirecTV's private key, thousands of people were able to hijack DirecTV's signal through forged smartcards. Our technology cannot be reproduced."
Citing trade secrets, Minushkin would not discuss details of the device, beyond noting that it uses something called adaptive morphing technology. The uniqueness of the credential, as well as any information that's stored in it, is protected by a layer of technology (in silicon) that's constantly changing. Minushkin says that this not only guarantees the safety of the data stored within, but also the uniqueness of the credential. "The devices simply cannot be duplicated," says Minushkin. "If it falls into the wrong hands, it's useless because we look for about 13 commonly known hacks like kiddy script stuff, nation-state stuff, etc., and then a bunch of other ones I can't mention, and if we see any of that, the device basically shuts down."
The technology supports three different types of authentication: PIN only, biometrics only, and a combination of PIN and biometrics. In the case of a PIN-only implementation (what you know), Minushkin admits that if someone got hold of the device and knew the owner's PIN, then security would be compromised. He suggests going with biometrics. "In the case of biometrics, the other thing we do at time of enrollment is put the biometric data in a database. This way, once you've gone through that initial layer of trust and have been enrolled, someone else cannot come and say they're you, show some forged credential, and say they've lost their credentials and need new ones. They would need to provide the biometric data, which only you can provide."
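The two points above (that a smartcard-style credential is only as trustworthy as the issuer's private key, and that an enrollment record gives the verifier something independent of the key to check against) can be shown with a small verifier model. The following is an added example, not Priva-Tech's or DirecTV's code, and it knows nothing about Priva-Tech's device. It uses an HMAC key as a constructed stand-in for an issuer's private signing key, constructed serial numbers and subject names, and an in-memory enrollment registry; all of these are assumptions for the demonstration.

```python
import hmac
import hashlib

# Constructed stand-in for an issuer's private signing key. A real smartcard
# scheme would use an asymmetric signature, but the property illustrated here
# (a valid tag proves only that the issuing key was used, not that enrollment
# happened) is the same.
ISSUER_KEY = b"constructed-issuer-key-for-demo"


def _message(serial: str, subject: str) -> bytes:
    """Canonical bytes the issuer commits to. A separator keeps the two
    fields from being confused with each other."""
    return f"{serial}|{subject}".encode()


def issue_credential(issuer_key: bytes, serial: str, subject: str) -> dict:
    """Mint a credential: the issuer tags (serial, subject) with its key."""
    tag = hmac.new(issuer_key, _message(serial, subject), hashlib.sha256).hexdigest()
    return {"serial": serial, "subject": subject, "tag": tag}


def tag_is_valid(issuer_key: bytes, cred: dict) -> bool:
    """Cryptographic check only: was this credential tagged with the issuer key?"""
    expected = hmac.new(issuer_key, _message(cred["serial"], cred["subject"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, cred["tag"])


def verify(issuer_key: bytes, enrollment_registry: dict, cred: dict) -> tuple:
    """Full check: valid tag AND the serial was recorded at enrollment for
    this subject. Returns (accepted, reason)."""
    if not tag_is_valid(issuer_key, cred):
        return (False, "bad tag")
    enrolled_subject = enrollment_registry.get(cred["serial"])
    if enrolled_subject is None:
        return (False, "serial not enrolled")
    if enrolled_subject != cred["subject"]:
        return (False, "serial enrolled to a different subject")
    return (True, "ok")


def demo() -> dict:
    """Walk through enrollment, a later unenrolled credential carrying a valid
    tag, and a tampered credential. Returns the verdicts for inspection."""
    registry = {}  # serial -> subject recorded by the authority at enrollment

    # Enrollment: the authority issues a credential and records its serial.
    legit = issue_credential(ISSUER_KEY, "SN-0001", "alice")
    registry[legit["serial"]] = legit["subject"]

    # A second credential carrying a correct tag (same key) but never enrolled.
    # The tag check alone cannot tell it from the enrolled one.
    unenrolled = issue_credential(ISSUER_KEY, "SN-9999", "alice")

    # A copy of the legitimate credential with the subject field altered.
    tampered = dict(legit, subject="mallory")

    return {
        "legit_tag_ok": tag_is_valid(ISSUER_KEY, legit),
        "unenrolled_tag_ok": tag_is_valid(ISSUER_KEY, unenrolled),
        "legit": verify(ISSUER_KEY, registry, legit),
        "unenrolled": verify(ISSUER_KEY, registry, unenrolled),
        "tampered": verify(ISSUER_KEY, registry, tampered),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The point of `demo()` is the middle row: the unenrolled credential passes the tag check exactly as the legitimate one does, so a verifier that trusts the key alone accepts it. Only the registry populated at enrollment separates the two, which is the role the biometric-at-enrollment database described above plays in Minushkin's scheme.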
Using all of these measures, Minushkin says that Priva-Tech is adding a layer of confidence that the credentials being used are indeed the ones that were originally issued. He claims that this fourth factor is not available anywhere else.
But is it really a fourth factor of security, or is it just a new, improved, and secure version of the "what you have" factor? It may seem like the sort of additional layer of security that lets those in charge of a company's security sleep a little better at night, but both Gartner's Pescatore and I think it's the latter, because it is, after all, still in the "what you have" category.
But, perhaps we should stop thinking in terms of number of factors of security. As Pescatore told me, "the number of factors of security is sort of irrelevant. It's more about which ones you're using. You could go with one -- as long as it's biometrics."
What do you think? Does Priva-Tech's guarantee of a non-forgeable credential qualify as a fourth factor of security? Debate with your fellow readers using TalkBack. Or write to me at david.berlind@cnet.com. If you're looking for my commentaries on other IT topics, check the archives.