Blockchain's authentication dilemma
by Mike Lynch, Chief Strategy Officer, InAuth
While blockchain, the decentralized ledger technology, enjoys strong interest in the financial industry, it is also enjoying a recent wave of interest from nonfinancial firms. Aided by a strong commercialization push by Microsoft and IBM, blockchain deployments are taking root in industries as varied as the global shipping trade and pharmaceutical distribution and sales.
The greatest practical test for the nascent technology might be a deal recently inked between Walmart and IBM to use blockchain to track some of the billions of products that regularly flow through the retailer’s massive supply chain. That's a blockbuster agreement involving two of the biggest names in the world, and a huge endorsement for the technology's potential.
IBM envisions a blockchain system in which everyone involved in the shipping of a product has access to the associated documentation and can track progress along the way. In this system, participants granted access to the trail can monitor the live version of the data without intermediaries or oversight by a central authority.
This is all very promising in the battle against fraud in shipping and distribution networks. But while blockchain has plenty of potential to create an open, fully documented audit trail, it does not address a key driver in fraud — that is, the authentication problem.
In other words, is the person attempting to access the data who they claim to be?
Authenticating an individual is usually accomplished through multifactor authentication, which requires that person to produce two or more attributes. These can include something they know (for example, a PIN), something they possess (a device such as their PC or smartphone), or something intrinsic to their physical person (for instance, their fingerprint).
Combining two or more of these attributes creates a good multifactor strategy and significantly lowers the risk of unauthorized access. If a blockchain deployment is launched without this protection in place, the data contained in it may not be secure at all. In that case, blockchain deployments will be ripe targets for fraudsters to gain illicit entry by pretending to be someone else.
One commonly overlooked factor in multifactor authentication is the device (i.e., mobile phone, PC, tablet, etc.) used to access the system. Using a device for authentication offers the dual benefits of enhancing the security of sensitive data while increasing usability.
When devices are included as part of the authentication process, users are not even aware of it and enjoy a frictionless experience — while hackers are screened and blocked entirely. The device itself also can serve as an indicator of risk and be analyzed for the presence of malware, fraud tools, location abnormalities, and thousands of other attributes.
That said, blockchain technology in commercial applications is still in its infancy and has many years to go before it enters mainstream use, if ever. Still, IT professionals looking to adopt and deploy the technology would be wise to consider applying optimal security practices to the data it manages. Device authentication should be considered a necessary step in the paradigm.
Michael Lynch is Chief Strategy Officer at InAuth, where he is responsible for developing and leading new products strategy and cultivating key U.S. and international partnerships. He has two decades of experience gained while holding leadership roles in IT and technology at financial services, consulting and Fortune 500 companies.