Feeds

UK firm touts alternative to digital certs

Secure token scheme launched at Parliament

  • alert
  • submit to reddit

Top 5 reasons to deploy VMware with Tegile

Two factor authentication, using secure tokens is being backed as an alternative to digital certificates by a UK company, which is enjoying support from the Parliamentary All Party Export Group.

At an event in the Houses of Parliament yesterday, London-based Quizid Technologies launched its outsourced authentication solution. This it hopes will deliver a cost effective alternative to PKI to businesses, and eventually consumers.

The company has developed a two-fold security system that incorporates a physical security token (the Quizid Card - a credit card size authentication device that dynamically generates unique authentication key codes) and an ASP-based authentication centre (the Quizid Vault - where authentication key codes are referenced and access granted).

As a first step Quizid is promoting the technology as a means to replace static passwords within organisations, and for the delivery of Web services. It already has clients (including executive search firm Calibre One) using its technology to replace Windows log-in. This is an innovation in the established field of two-factor authentication, where RSA Security is the established market leader.

Authenticating citizens

However Quizid has wider ambitions for the technology and wants to get it into the hands of consumers and citizens, as what Quizid CEO Peter Newport described as a "sensibly priced and easy to use method of proving identity over insecure networks or via the telephone".

The essential pitch here is that static passwords are rubbish and digital certificates have failed to take off as promised, but people still need to be able to prove their identity online.

Enter a physical hardware device, like the Quizid card, which has the sole function of authentication. It doesn't have a photo or contain any information about a user beyond reference to a user name. This isn't a national identity card.

Quizid cards would be sold as a service and banks and shareholding services might be able to offer them to consumers for £10 to £15 per year, the pitch goes. The same card, once issued to an employee, might be used in banking or to receive government services online, in Quizid's scheme.

That's one way of reducing the cost of putting digital identities in the hands of citizens, though it goes against the prevailing culture among retailers and banks of wanting to control and manage their relationship with customers themselves. Then there's the possible data protection issues.

When a similar scheme was introduced in Sweden people ended up with multiple hardware token and we're not convinced the same thing wouldn't happen here.

Richard Barrington, Industry Director of the e-Envoy's Office, struck a node of cautious enthusiasm in welcoming Quizid's approach.

He says the government is engaged in discussions with the industry about Quizid's device and about whether it can accept somebody's identity with trust and confidence based on credentials issued by third party companies.

Digital certificates are pants

Earlier this week we reported how single sign-on via digital certificates is "on life support" at the UK Government Gateway, and we pondered whether the government would get involved in issuing certificates itself.

The problem here is that government IT projects have a disastrous history and the failure of the Post Office's recently aborted ViaCode digital certificate business hardly inspires confidence.

Barrington said the Quizid scheme would allow government to leverage what industry is doing. The Quizid cards provide authentication without loss of privacy, he added.

So will hardware-based token become the preferred method for citizens to access government services in say two years time, we wondered?

Barrington said government was keeping its options open but he did point out the shortcomings of alternative approaches like digital certificates and smart cards.

"The digital certificates market has so far failed to deliver robust certification that meets government needs," he told us. "ViaCode didn't achieve mass market acceptance. Small business simply doesn't understand digital certificates."

"The business processes behind digital certificates weren't in place, for example there was very little non-repudiation," he added

Smart cards, which were expected to occupy this niche, need a widespread installed base of smart card readers to take off.

Hardware tokens don't have this problem and require only small changes to Web sites and call centres, so they represent an attractive alternative, he added.

Quizid cards are activated using a personal colour key entered into the card. If a card is lost it can be cancelled, in much the same way as you'd cancel a credit card.

All eggs in one basket?
But what of the other security issues?

We quizzed Quizid's Newport about whether the Quizid vault represents a single point of failure and might therefore become subject to DdoS attacks.

First of all connections to the Quizid vault can only be made through VPN connections (and it has looked at the issue of spoofing), Newport told us. The company uses two data centres with triple redundancy on servers. Audit servers record transactions. Routers are configured to only accept VPN traffic.

This, and the fact that these servers only run lightweight applications, appears to take care of the capacity issue, which has plagued schemes like the Census and Nectar of late.

Also the scheme would grow from a small base, which helps.

Nobody's heard of Quizid before but the firm does have friends in the corridors of power. They persuaded the Labour chairman of the Commons Export Committee, Ken Peckham MP, to wax lyrical about its export potential. Not to be outdone, his Tory counterpart Nigel Evans also described it as a potential worldbeater.

We'll see. ®

Internet Security Threat Report 2014

More from The Register

next story
'Kim Kardashian snaps naked selfies with a BLACKBERRY'. *Twitterati gasps*
More alleged private, nude celeb pics appear online
Home Depot ignored staff warnings of security fail laundry list
'Just use cash', former security staffer warns friends
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Snowden, Dotcom, throw bombs into NZ election campaign
Claim of tapped undersea cable refuted by Kiwi PM as Kim claims extradition plot
Freenode IRC users told to change passwords after securo-breach
Miscreants probably got in, you guys know the drill by now
THREE QUARTERS of Android mobes open to web page spy bug
Metasploit module gobbles KitKat SOP slop
BitTorrent's peer-to-peer chat app Bleep goes live as public alpha
A good day for privacy as invisble.im also reveals its approach to untraceable chats
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.