While Minushkin doesn't have an answer for how you guarantee someone's identity when a security credential is originally issued, he claims that Priva-Tech does have the technology that guarantees that once one is issued -- known as "enrolment" -- an unauthorized duplicate can never be forged or issued to an imposter.
Says Minushkin, "We've created a fourth factor which unequivocally guarantees that 'what you have' is not only the right device, it is the device issued at the time of enrolment." Contrasting Priva-Tech's technology to smartcard technologies, Minushkin says that smartcards are only as good as the security of the private key that protects the encrypted data inside them. Citing a case where smartcard technologies were compromised, Minushkin told me "DirecTV deployed one of the best smartcard technologies around. But the minute someone got their hands on DirecTV's private key, thousands of people were able to hijack DirecTV's signal through forged smartcards. Our technology cannot be reproduced."
Citing trade secrets, Minushkin would not discuss details of the device, beyond noting that it uses something called adaptive morphing technology. The uniqueness of the credential, as well as any information that's stored in it, is protected by a layer of technology (in silicon) that's constantly changing. Minushkin says that this not only guarantees the safety of the data stored within, but also the uniqueness of the credential. "The devices simply cannot be duplicated," says Minushkin. "If it falls into the wrong hands, it's useless because we look for about 13 commonly known hacks like kiddy script stuff, nation-state stuff, etc, and then a bunch of other ones I can't mention, and if we see any of that, the device basically shuts down."
The technology supports three different types of authentication: PIN only, biometrics only, and a combination of PIN and biometrics. In the case of a PIN-only implementation (what you know), Minushkin admits that if someone got a hold of the device and knew the owner's PIN number, then security would be compromised. He suggests going with biometrics. "In the case of biometrics, the other thing we do at time of enrolment is put the biometric data in a database. This way, once you've gone through that initial layer of trust and have been enrolled, someone else cannot come and say they're you, show some forged credential, and say they've lost their credentials and need new ones. They would need to provide the biometric data, which only you can provide."
Using all of these measures, Minushkin says that Priva-Tech is adding a layer of confidence that the credentials being used are indeed the ones that were originally issued. He claims that this fourth factor is not available anywhere else.
But is it really a fourth factor of security, or is it just a new, improved, and secure version of the "what you have" factor? While it may seem like the sort of additional layer of security that can allow those in charge of any company's security to sleep a little better at night, both Gartner's Pescatore and I think it's the latter because it is, after all, still in the "what you have" category.
But, perhaps we should stop thinking in terms of number of factors of security. As Pescatore told me, "the number of factors of security is sort of irrelevant. It's more about which ones you're using. You could go with one -- as long as it's biometrics."
