Which identity proof works best?
The existential question “Who am I?” has no clear answers in spite of a rush of technologies designed to prove identity.
In a debate over the right choices for multifactor authentication (biometrics, SMS code, knowledge-based authentication, etc.) at CyberSec 2016, Gary McAlum, chief security officer at USAA, said none of them are a silver bullet.
“We’re never going to use just one thing to authenticate,” he said. “There are going to be a lot of things, some of them passive, some that are active in the context of a particular transaction or interaction.”
McAlum favors the use of biometrics such as fingerprints for authentication. USAA combines biometrics with device identity, randomly generated tokens and other elements he did not disclose. Technologies like tokenization, geographic location and behavior patterns are likely to become part of the answer, too.
Not everyone believes in biometrics. “I’ve never been big on biometrics except for personal physical security,” said Frank Abagnale, who has advised the FBI on cybercrime for more than 40 years and is the subject of the book and movie “Catch Me If You Can.”
“When you think about it, you leave your fingerprints everywhere, on glasses, bottles, pens, all the things you use,” he said. “Anyone can pick up your fingerprint. Replicating your fingerprint with today’s technology is a simple thing to do. You can take a print with a gummy bear, put it on an iPhone and open the iPhone. We love fingerprints for identifying a criminal who’s committed a crime by cracking a safe. For access to biometric security, it’s not that great a tool. And I don’t know that I would trust a credit card company with my DNA, so that will always be an issue as well.”