Persistent Systems - an Indian e-business product engineering firm, serving global customers in digital business transformation, banking and healthcare - today announced a breakthrough deal with the USAA group of American financial services companies to access and productize USAA’s patent portfolio in secure authentication. The immediate outcomes of the agreement will be diverse new Risk Based Authentication (RBA) methods available across multiple channels and multiple devices. 

This development crystalises USAA’s strong commitment to the FIDO Alliance and leverages Persistent’s long relationship with Nok Nok Labs and other authentication specialists.

USAA’s market mainly comprises military personnel in need of banking, insurance, investments and retirement fund.  This is generally a highly mobile customer base, and certain online expectations are particularly hard to meet.  Help desk and password resets are especially challenging when defence personnel are in the field; network connectivity can’t be taken for granted, and classical “Knowledge Based Authentication” (KBA) breaks down when you are far from home and can’t access paperwork.  Some six years ago, USAA started a search for end user identity management components to deploy to its people, but were not satisfied by anything on the market.  So the company decided they had to build their own capability, and from the ground up, they researched and developed a dynamic risk based authentication platform.  This technology will now be available to Persistent’s global user population.

We will likely see Persistent emerge as a new and powerful player in the ever-evolving Identity Management marketplace, with innovative authentication options appearing as standard in Persistent’s wide range of original branded and OEMed e-business solutions.

USAA has amassed a major patent portfolio and now desires that its IP become available across the financial services sector, to its competitors, and far beyond.  USAA CSO Gary McAlum explains “we are stronger together than we are apart”.

In my view this is a ringing endorsement that security is like public health – it’s in the interests of everyone to be safe.  Really no company should compete on the basis of safety (or hygiene) for that it not the sort of world we want to live in.

Going forward, Persistent’s work in Risk Based Authentication (RBA) is guided by Five Principles:

  1. Customer access should be simple and secure, regardless of the channel they choose.
  2. Better knowledge of individuals will reduce authentication overhead when recognising customers.
  3. Authentication should adapt dynamically according to risks quantified from the customer’s context, history and behaviour.
  4. Modular ongoing risk assessments allow organisations to adjust authentication as real world environments continue to shift.
  5. Authentication technologies must be pluggable and configurable in the infrastructure, to best mitigate new threats as they unflold.

From what I’ve seen, the early fruits of Persistent’s deal with USAA will include password-less logon for multiple devices and network environments, and new continuous authentication capabilities.  From truly mobile apps through to the Internet of Things, continuous authentication will be one of the most crucial security capabilities.  

These sorts of authentication tools bring privacy benefits too. Most obviously they help cut the extraneous flow and retention of personal information entailed by KBA. More fundamentally, systems which deal in low level authentication signals help designers break the identification act down into minimal information exchanges. The focus shifts from a default interest in who someone is, to a more precise inquiry about what they are (in terms of less personally revealing attributes). 

Increasingly, devices and applications will constantly monitor what their users are doing and where they are doing it, the state of their hardware and even their surroundings, to enable automated risk-based decisions about what it is safe for them do next.  USAA’s solutions integrate different signals about how users access services, the history of access, geolocation, multi-modal biometrics, and diverse second factor mechanisms.  The focus is on the types of signals that cannot be stolen or easily spoofed (after all, in the push to get rid of passwords, we must not open up new and even more subtle vulnerabilities to identity takeover).  A key element of USAA’s IP is new scoring algorithms for weighting combinations of signals, to quantify the true state of the user, in context, in real time.

We are witnessing the slow but steady embedding of intelligent authentication into applications and personal devices.  The need for human intervention (be it by the user themselves or their supporters) will keep falling, as new digital technologies deliver the right services to the right people at the right time in the right place.