The Power of Known Devices in Authentication

No expert would ever dispute the essential role that authentication plays in cyber security. Unless reported identities are properly validated, every subsequent access and authorization decision rests on shaky ground. As a result, the cyber security industry is spending considerable time and energy on adaptive, behavioral, and multi-factor enhancements to the authentication process – and this is good news for all of us.

But if you were to chat with Steven Sprague, CEO of Rivetz, you would hear that perhaps all this time and energy are not enough. Steven's claim is that despite the obvious benefits of handheld tokens, SMS verification, biometrics, and the like, if the authentication process runs on software that may already be compromised, then the validation of identity can be corrupted along with it. His argument – and it is a convincing one – is that strong authentication can only be done from a trusted device. And by trusted, he means rooted in hardware.

Steven offers this guidance based on a strong technical background in the hardware and software aspects of transaction validation. As former CEO of Wave Systems, he dealt for many years with the challenges of enterprise and government users trying to support secure computing functions from devices with no underlying trusted execution environment (TEE). From this experience, he gradually concluded that a trusted hardware base is essential if you want to really know the devices being used for authentication in your infrastructure.

The Rivetz solution is rooted in the TEE already present in hundreds of millions of Android devices. By developing a trusted application that executes on Trustonic's TEE software, Rivetz can export two-factor authentication services that gain their strength from the underlying isolated hardware rather than from the main operating system, which is prone to integrity attacks. The key material and the signing step live inside the TEE; the main operating system only relays challenges and responses, so compromising it yields no credential to steal. It is the secret to making devices known. And it might be the secret to transforming the way authentication is carried out across our industry.

The result of a more trusted hardware-based process is that any application service provider can maintain a registry of known, enrolled devices. And by knowing the device identity of their users, providers can improve the user experience, introduce new types of services, and strengthen the authentication process. The Rivetz team believes many application service providers could dramatically improve their market capitalization by rethinking their user base in this manner. They also believe that enterprise teams might be able to rethink and streamline how they authenticate users.
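To make the two preceding ideas concrete (a device key that only the TEE can use, and a service provider's registry of known devices), here is an added example of a device-enrollment and challenge-response exchange. It is illustration written for this page, not Rivetz or Trustonic code, and it makes simplifying assumptions: the TEE struct stands in for a trusted application holding the key, the relying party's registry is an in-memory map, the service name "example-service" is invented, and enrollment is assumed to be gated by some out-of-band bootstrap that is not shown.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Hypothetical illustration only, not Rivetz or Trustonic code. TEE stands in
// for a trusted application inside the hardware-isolated environment; in real
// hardware the private key never leaves it. Only two operations are exported:
// publish the public key and sign a server-supplied challenge.
type TEE struct {
	priv ed25519.PrivateKey
}

func NewTEE() (*TEE, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &TEE{priv: priv}, nil
}

func (t *TEE) PublicKey() ed25519.PublicKey {
	return t.priv.Public().(ed25519.PublicKey)
}

// DeviceIDFor derives a stable identifier from the public key, so an
// identifier cannot be claimed without holding the matching private key.
func DeviceIDFor(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

func (t *TEE) DeviceID() string { return DeviceIDFor(t.PublicKey()) }

// Attestation is the device's answer to one challenge.
type Attestation struct {
	DeviceID string
	Nonce    []byte
	Sig      []byte
}

// authMessage binds the signature to this protocol, this service and this
// nonce, so a response obtained for one service cannot be replayed at another.
func authMessage(serviceID string, nonce []byte) []byte {
	msg := []byte(fmt.Sprintf("device-auth-v1|%d|%s|", len(serviceID), serviceID))
	return append(msg, nonce...)
}

func (t *TEE) Sign(serviceID string, nonce []byte) Attestation {
	return Attestation{
		DeviceID: t.DeviceID(),
		Nonce:    nonce,
		Sig:      ed25519.Sign(t.priv, authMessage(serviceID, nonce)),
	}
}

// RelyingParty is an application service provider that keeps a registry of
// enrolled devices and issues single-use challenges.
type RelyingParty struct {
	serviceID string
	known     map[string]ed25519.PublicKey // registry of known devices
	pending   map[string]bool              // outstanding nonces, hex-keyed
}

func NewRelyingParty(serviceID string) *RelyingParty {
	return &RelyingParty{serviceID: serviceID,
		known: map[string]ed25519.PublicKey{}, pending: map[string]bool{}}
}

// Enroll registers a device. The bootstrap that authorizes enrollment is
// assumed to happen elsewhere; here we only check that the claimed
// identifier really is derived from the presented key.
func (rp *RelyingParty) Enroll(deviceID string, pub ed25519.PublicKey) error {
	if len(pub) != ed25519.PublicKeySize {
		return errors.New("malformed public key")
	}
	if DeviceIDFor(pub) != deviceID {
		return errors.New("device id does not match public key")
	}
	rp.known[deviceID] = pub
	return nil
}

func (rp *RelyingParty) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	rp.pending[hex.EncodeToString(nonce)] = true
	return nonce, nil
}

// Verify accepts an attestation only from an enrolled device, for a nonce this
// server issued and has not yet seen answered. The nonce is burned before the
// signature check so a failed attempt cannot be retried against the same one.
func (rp *RelyingParty) Verify(a Attestation) error {
	pub, ok := rp.known[a.DeviceID]
	if !ok {
		return errors.New("unknown device")
	}
	key := hex.EncodeToString(a.Nonce)
	if !rp.pending[key] {
		return errors.New("nonce not outstanding (replay or forgery)")
	}
	delete(rp.pending, key)
	if !ed25519.Verify(pub, authMessage(rp.serviceID, a.Nonce), a.Sig) {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	dev, err := NewTEE()
	if err != nil {
		panic(err)
	}
	rp := NewRelyingParty("example-service")
	if err := rp.Enroll(dev.DeviceID(), dev.PublicKey()); err != nil {
		panic(err)
	}
	nonce, _ := rp.Challenge()
	att := dev.Sign("example-service", nonce)
	fmt.Println("first use:", rp.Verify(att))
	fmt.Println("replayed: ", rp.Verify(att))
}
```

The point of the structure is what the relying party stores: public keys and outstanding nonces, nothing that an attacker who dumps the server database could use to impersonate a device. On the device side, a compromised main operating system can still ask the TEE to sign a challenge, which is why the message includes the service name: a signature phished from the device for one service does not verify at another.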

One of the first applications Steven and the Rivetz developers considered for their solution was securing Bitcoin wallets. And while that was a good match, perhaps a more interesting side-effect of the emphasis was that the blockchain data structure found its way into the Rivetz design as a means of providing a higher-assurance, time-ordered audit trail for transactions within a Rivetz deployment. Rivetz now addresses a wide range of strong authentication applications in business and government.

It seems evident that there will be challenges for the Rivetz team to solve in the near term (#Apple). But it also seems evident that a shift in our industry to a more trusted hardware base for authentication is an excellent idea – one that is worthy of additional consideration, especially for any application that must increase confidence in the validation of reported identities. Defense applications using mobile devices come to mind immediately.

I hope you’ll all give this overall concept some careful thought. In a time when it’s popular to say that software is swallowing hardware, Sprague’s axiom reminds us that perhaps we might want to take a moment to reflect on the issue of trust, before we put all our eggs in that basket. Hardware continues to matter, especially if you want to really know your devices.