
To end the 'data breach swamp', the world must go passwordless. An exclusive interview with StrongKey CTO Arshad Noor


As part of the GoCrypto interview series, Mike Ermolaev interviewed Arshad Noor, CTO of StrongKey. With over 34 years of experience in the information technology industry, Arshad has spent the last 23 years focusing on solving data protection problems using applied cryptography. He has designed and built public key infrastructures (PKIs) that strengthen defenses in the banking, defense, telecommunications, pharmaceutical, biotechnology, and e-commerce industries, all of which require strong authentication and encryption. Noor also wrote the first open source symmetric key management system and contributed to numerous security standards.

During the interview, Noor shared his insights on global digital identity systems, emphasizing the urgency of building a cohesive global digital identity system and the recognition that only internationally accepted security protocols can secure our increasingly digital lives. He also spoke about social tokenization and supported the idea of a retail US central bank digital currency (CBDC), a topic he has been quite vocal about recently. This conversation is a continuation of GoMining's interview series, which brings you insights from leading experts in the cryptocurrency and data security space.

Noor's pioneering contributions to digital identity and data protection

Noor's innovations include StrongKey Sign-On (SKSO), a web application for strong user authentication without a third-party SSO service; StrongKey FIDO Server (SKFS), an open source enterprise FIDO authentication solution for managing FIDO credentials; and PKI2FIDO, a web application that enables simpler, stronger authentication for enterprises and government agencies. Prior to joining StrongKey, Noor worked for industry giants such as Sun Microsystems, Citibank, and BASF Corporation, building a solid reputation as an experienced IT solutions architect and global PKI builder. That track record has made him an authority on data protection and digital identity, and gives him keen insight into the transformative potential of these systems.

(Image omitted; source: Iiot-world.com)

Global digital identity standards need harmonization

Speaking about a global identity system, Noor outlined the architecture he envisions, emphasizing that it would be a multi-identity ecosystem serving diverse needs. He explained:

“There will undoubtedly be many islands of identity ecosystems that meet different needs. There are standards that allow identity attributes to be shared today. Proof-of-identity can be trusted across borders. Passports are an example.”

He noted that commercial use of digital identity attributes requires a robust framework agreed upon across countries, adding:

“Once these frameworks and the trusted foundations that support them are established, we can create schemas that enable cross-border use across diverse ecosystems.”

He also highlighted the potential for increased cross-border e-commerce and competition, citing the benefits and challenges associated with a global digital identity system. Noor said:

“The benefit of a framework for sharing identities globally is that it will increase cross-border e-commerce. It will also increase competition for products and services, but everyone will benefit except those who are not competitive.”

But he stressed that, similar to the harmony seen in global trade, harmonious security and privacy management is needed to ensure the robustness of the system.

“At a minimum, what’s needed to participate in such a framework is a global standard for security and privacy controls. While the EU has a standard like GDPR, the U.S. has no equivalent. Dozens of countries around the world have established their own versions of security and privacy rules. Just as global trade requires harmonization of the rules governing trade and logistics, so too must data security and privacy be globally harmonized. That means the group responsible for harmonization needs to have equal voting representation in every country to ensure long-term success. It will take time and will likely be messy at first, but it can be made to work.”

The Challenge of Passwordless Authentication

Emphasizing the numerous challenges facing the implementation of passwordless authentication, he highlighted several significant barriers: corporate and government lethargy, integration complexity, groupthink in decision-making, IT “sinkholes” created by investments in failed technology projects, the missed opportunity of X.509 digital certificates, and the current focus on user experience (UX) over security.

The lethargy of business and government

According to Noor, passwordless authentication faces major challenges due to corporate and government inaction. He said:

“Authentication schemes have been invented since the 80s to address the weakness of distributed systems and passwords. Unfortunately, as large institutions invest in new 'shiny trinkets', the complexity of integration increases exponentially.”

He described how investments in failed technology projects had led to a “sinkhole” in IT, and to a “herd mentality” in which IT executives bet their careers on projects they did not understand. He explained:

“80% of the market will wait until there is a proven ROI after seeing how early adopters are doing. But measuring that ROI is very difficult due to the complexity that exists in the current environment. It leads to inertia.”

Missed Opportunities and Second Chance with FIDO

He also looked back on the missed opportunity in the late 90s and early 00s to introduce passwordless authentication using X.509 digital certificates, saying:

“The industry has killed the 'goose that laid the golden eggs' by pricing PKI too high and offering too little.”

According to Noor, FIDO has a second chance, but some big tech companies are focusing too much on user experience (UX) rather than educating consumers about security requirements and behavioral adaptations. He said:

“Now the world has a second chance with FIDO, but some of the biggest names in the tech industry are missing out once again by choosing to focus on user experience (UX) rather than educating consumers about the need for security. And as a result, they are focusing on behavioral adaptation.”

The transition to passwordless authentication is essential, but implementation details matter

Discussing the future of PKI and passwordless authentication, Noor said:

“PKI, FIDO, and passwordless authentication are similar. They are just different styles of 'shirts' cut from the same 'cloth'.”

He stressed that there is no alternative to public-key cryptography, arguing that:

“The world needs to move to passwordless authentication to mitigate the data breach morass we're currently mired in. But implementation details matter. Just as a gun can be used to defend yourself against a looter, the same tool can also be used to kill yourself.”
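To make concrete what "cut from the same cloth" means, and where the implementation details bite, here is an added example in Go of a FIDO-style passwordless login. It is not code from the interview or from StrongKey's products. The server stores only a public key and issues a single-use random challenge; the authenticator holds the private key, signs the challenge bound to the relying-party identity and a monotonic counter, and refuses to sign for any other relying party; the server rejects replays, stale counters and signatures made for another origin. The relying-party name bank.example, the user alice and the hash-based signed-data layout are illustrative assumptions. Real WebAuthn signs authenticatorData concatenated with the SHA-256 of clientDataJSON; this collapses that into one hash to keep the logic visible.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Credential is all the relying party keeps: a public key and the last
// signature counter it saw. There is no shared secret to leak in a breach.
type Credential struct {
	PublicKey ed25519.PublicKey
	SignCount uint32
}

// Authenticator models the user's device. The private key never leaves it,
// and the key is scoped to the relying party it was created for.
type Authenticator struct {
	rpID    string
	priv    ed25519.PrivateKey
	counter uint32
}

// RelyingParty is the server side: credentials by user, plus at most one
// outstanding challenge per user.
type RelyingParty struct {
	id      string
	creds   map[string]*Credential
	pending map[string][]byte
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{id: id, creds: map[string]*Credential{}, pending: map[string][]byte{}}
}

// Register creates a key pair on the authenticator for this RP and stores
// only the public half on the server.
func (rp *RelyingParty) Register(userID string) (*Authenticator, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	rp.creds[userID] = &Credential{PublicKey: pub}
	return &Authenticator{rpID: rp.id, priv: priv}, nil
}

// BeginLogin issues a fresh 32-byte random challenge that is valid once.
func (rp *RelyingParty) BeginLogin(userID string) ([]byte, error) {
	if _, ok := rp.creds[userID]; !ok {
		return nil, errors.New("unknown user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.pending[userID] = c
	return c, nil
}

// signedData binds the signature to the RP identity, the challenge and the
// counter, so a signature obtained for one site or one session is useless
// elsewhere. (Simplified stand-in for WebAuthn's signed data; assumption.)
func signedData(rpID string, challenge []byte, counter uint32) []byte {
	h := sha256.New()
	h.Write([]byte(rpID))
	h.Write(challenge)
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	h.Write(ctr[:])
	return h.Sum(nil)
}

// Sign refuses to use the credential for any RP other than the one it was
// registered with: a phishing page at another domain gets nothing to relay.
func (a *Authenticator) Sign(rpID string, challenge []byte) ([]byte, uint32, error) {
	if rpID != a.rpID {
		return nil, 0, fmt.Errorf("credential is scoped to %q, not %q", a.rpID, rpID)
	}
	a.counter++
	return ed25519.Sign(a.priv, signedData(a.rpID, challenge, a.counter)), a.counter, nil
}

// FinishLogin consumes the pending challenge (so a captured signature cannot
// be replayed), verifies the signature and requires the counter to advance.
func (rp *RelyingParty) FinishLogin(userID string, sig []byte, counter uint32) error {
	cred, ok := rp.creds[userID]
	challenge, pending := rp.pending[userID]
	if !ok || !pending {
		return errors.New("no login in progress for user")
	}
	delete(rp.pending, userID)
	if !ed25519.Verify(cred.PublicKey, signedData(rp.id, challenge, counter), sig) {
		return errors.New("signature does not verify")
	}
	if counter <= cred.SignCount {
		return errors.New("signature counter did not advance (cloned authenticator?)")
	}
	cred.SignCount = counter
	return nil
}

func main() {
	rp := NewRelyingParty("bank.example")
	auth, _ := rp.Register("alice")

	chal, _ := rp.BeginLogin("alice")
	sig, ctr, _ := auth.Sign("bank.example", chal)
	fmt.Println("legitimate login:", rp.FinishLogin("alice", sig, ctr))
	fmt.Println("replayed signature:", rp.FinishLogin("alice", sig, ctr))
	chal, _ = rp.BeginLogin("alice")
	_, _, err := auth.Sign("bank-login.example", chal) // phishing domain relaying the real challenge
	fmt.Println("phishing attempt:", err)
}
```

Two of the implementation details show up directly in the code. If the server handed out a reusable challenge, the delete in FinishLogin would have nothing to enforce and a captured signature could be replayed; if the authenticator signed for whatever origin asked, a phishing page could relay the genuine challenge and hand back a valid signature. Both are choices the protocol leaves to the implementer, which is the point of the "shirts from the same cloth" remark.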

A rational evaluation of blockchain and existing technologies is needed

Noor pointed out that while blockchain technology can technically facilitate business operations across companies, the same goals can be achieved with distributed databases and digitally signed transactions. He said:

“Almost everything that can be implemented with blockchain could have been implemented with traditional databases utilizing public key cryptography in the late 90s. The market was unable to adopt these capabilities due to the post-dot-com recession and the collapse of real estate-related mortgage-backed securities.”

He continued:

“In the early 10s, blockchain captured the imagination of some in the tech industry. While blockchain can technically be used to implement business processes across companies, it can also be implemented similarly with distributed databases and digitally signed transactions.”

But according to him, the hype and speculative investment surrounding Bitcoin has obscured the practical, technical applications of blockchain technology, leading to an enthusiastic, and sometimes irrational, embrace of blockchain without sufficient consideration of its actual value and implementation.

He said:

“Once the hype subsides, blockchain solutions that offer a reasonable return on investment (ROI) will emerge to solve some of the problems.”

When discussing specific applications or innovations that hold the greatest promise for leveraging these technologies to address current and future challenges in data protection and identity management, Noor highlighted business processes that require workflows involving multiple parties as natural problems for distributed systems and public key cryptography.

He concluded:

“Whether to use blockchain or an existing proven technology is an implementation detail that must be analyzed as with any other corporate finance investment.”
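As an added example (not the interviewee's code, and not a StrongKey product), here is what "distributed databases and digitally signed transactions" can look like in Go for the kind of multi-party workflow Noor describes: a purchase order that the buyer records, the supplier accepts and ships, and the buyer receives. Each step is a row in an ordinary append-only table, signed with the acting party's Ed25519 key and hash-chained to the previous row, so anyone holding the rows and the public keys can audit the history without a consensus protocol. The party names, the four-step workflow and the pipe-delimited signing input are illustrative assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Record is one row of an append-only table. PrevHash ties each row to the
// one before it, so deletion or reordering is detectable from the rows alone.
type Record struct {
	Seq      int
	Party    string // which party signed this row
	Action   string // workflow step
	Payload  string
	PrevHash string
	Sig      []byte
}

// Ledger stands in for a database table plus the parties' public keys.
// Private keys stay with the parties; the database never sees them.
type Ledger struct {
	rows []Record
	keys map[string]ed25519.PublicKey
}

// allowed encodes the workflow: which party may record which step
// (illustrative purchase-order flow; an assumption of this example).
var allowed = map[string]string{
	"order":   "buyer",
	"accept":  "supplier",
	"ship":    "supplier",
	"receive": "buyer",
}

func NewLedger(keys map[string]ed25519.PublicKey) *Ledger {
	return &Ledger{keys: keys}
}

// signingInput is the canonical byte string each signature covers; a fixed
// field order means verifiers never trust the row's own encoding.
func signingInput(r Record) []byte {
	return []byte(fmt.Sprintf("%d|%s|%s|%s|%s", r.Seq, r.Party, r.Action, r.Payload, r.PrevHash))
}

// rowHash covers the signed fields and the signature itself.
func rowHash(r Record) string {
	h := sha256.Sum256(append(signingInput(r), r.Sig...))
	return hex.EncodeToString(h[:])
}

func (l *Ledger) lastHash() string {
	if len(l.rows) == 0 {
		return "genesis"
	}
	return rowHash(l.rows[len(l.rows)-1])
}

// Propose builds the next row for a party and signs it with that party's key.
// Nothing is written until Append has verified it.
func (l *Ledger) Propose(party, action, payload string, priv ed25519.PrivateKey) Record {
	r := Record{Seq: len(l.rows), Party: party, Action: action, Payload: payload, PrevHash: l.lastHash()}
	r.Sig = ed25519.Sign(priv, signingInput(r))
	return r
}

// Append is the single write path: role, chain position and signature are
// all checked against the stored public keys before the row lands.
func (l *Ledger) Append(r Record) error {
	if allowed[r.Action] != r.Party {
		return fmt.Errorf("%s may not record %q", r.Party, r.Action)
	}
	if r.Seq != len(l.rows) || r.PrevHash != l.lastHash() {
		return errors.New("row does not extend the current chain")
	}
	pub, ok := l.keys[r.Party]
	if !ok || !ed25519.Verify(pub, signingInput(r), r.Sig) {
		return fmt.Errorf("row %d: signature does not verify for %s", r.Seq, r.Party)
	}
	l.rows = append(l.rows, r)
	return nil
}

// Audit re-verifies the whole table from the public keys alone. Any party,
// or an outside auditor given a copy of rows and keys, can run it.
func (l *Ledger) Audit() error {
	prev := "genesis"
	for i, r := range l.rows {
		if r.Seq != i || r.PrevHash != prev {
			return fmt.Errorf("row %d: chain broken", i)
		}
		pub, ok := l.keys[r.Party]
		if !ok || !ed25519.Verify(pub, signingInput(r), r.Sig) {
			return fmt.Errorf("row %d: bad signature", i)
		}
		prev = rowHash(r)
	}
	return nil
}

func main() {
	bpub, bpriv, _ := ed25519.GenerateKey(rand.Reader)
	spub, spriv, _ := ed25519.GenerateKey(rand.Reader)
	l := NewLedger(map[string]ed25519.PublicKey{"buyer": bpub, "supplier": spub})

	fmt.Println(l.Append(l.Propose("buyer", "order", "PO-1: 100 units", bpriv)))
	fmt.Println(l.Append(l.Propose("supplier", "accept", "PO-1", spriv)))
	fmt.Println(l.Append(l.Propose("supplier", "ship", "PO-1 tracking 42", bpriv))) // buyer's key on supplier's step
	fmt.Println(l.Audit())
	l.rows[0].Payload = "PO-1: 1000 units" // tamper with the stored row
	fmt.Println(l.Audit())
}
```

What this buys, and what it does not: non-repudiation of each step and tamper-evidence of the history come from the signatures and the hash chain, not from any blockchain machinery. What a plain table does not give you is agreement between mutually distrusting operators on which copy of the table is current; that is the question to answer before deciding whether the extra machinery is worth paying for, which is the "implementation detail" Noor refers to.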

The Fed Should Automate Interest Rates for Smoother Economic Growth

Arshad Noor predicted that the introduction of a retail US CBDC would make financial markets more efficient over time and benefit consumers around the world. He admitted:

“There will be some implementation issues in the early stages, but once these issues are resolved (while consumers remain intact), the system will be productive.”

Noor also predicted that the Federal Reserve would shift its focus away from the current interest rate-setting process. He proposed tying the rate the Fed pays to an inflation rate that is calculated automatically and transparently at regular intervals. He said:

“I imagine the Fed, instead of focusing on its current interest-rate setting process, paying an amount equal to the current inflation rate on any given day plus 2 percent. The efficiency gains from this strategy would be similar to the change from a manual to an automatic transmission in a car. Savers would always be rewarded with a reasonable rate of return, while spenders would have to pay a price for their profligacy. Once individual purchasing decisions no longer depended on a handful of central bankers meeting a few times a year, the economy would be able to 'ride a little smoother' as interest rates moved automatically in line with the prevailing inflation rate in the market.”

Noor has provided detailed comments to the Federal Reserve Board addressing cybersecurity concerns related to CBDCs, which can be found on the Board's website. He said:

“Retail CBDC transactions will be transparent, with appropriate encryption and pseudonymization technologies and a new and transparent regulatory framework to decrypt these transactions, and law-abiding citizens can have confidence that their individual transactions are securely protected and kept private through appropriate technologies and regulations.”

But he warned that nefarious activity will not disappear from the Internet.

“It is inherent in human nature to be arbitrarily mediated by economic conditions and outcomes. The question society must answer is how much it is willing to spend to protect individual privacy.”

He concluded that in the pre-computer, pre-internet era it was relatively inexpensive to protect sensitive information, requiring only a small outlay for locks, keys, and simple procedures. In the digital age, the costs will be significant, Noor emphasized.

“Open source technologies can provide significant cost savings, but establishing, operating and enforcing a regulatory framework to preserve privacy and the security controls that go with it requires significant long-term investment.”

Disclaimer: This article is provided for informational purposes only. It is not provided or intended to be legal, tax, investment, financial or other advice.
