Credit reporting services giant Equifax announced yesterday that it has completed an acquisition of privately-held security software company Anakam, whose identity management and strong authentication technologies will presumably enhance Equifax's solution set in the identity space, particularly with respect to online identity proofing and verification services. Equifax already offers a set of identity verification services to consumers and businesses, leveraging the vast stores of information it maintains on most U.S. citizens, so the addition of Anakam's products may enable the company to offer a single solution for online identity proofing, verification, and authentication. It will be interesting to see what level of identity proofing the company might be able to achieve with an enhanced set of products and services. In the government arena, where online services and applications are subject to federal e-authentication rules described in NIST Special Publication 800-63, the more sensitive the information is that is handled and made available by the application, the more stringent the user authentication requirements are, and the tougher it is to meet initial identity proofing standards (at e-authentication level 4, online in-person ID proofing is permitted).
Anakam's approach is notable for its ability to provide two-factor authentication without the use of hard tokens, instead leveraging cellular telephones or other devices that end users typically already have an carry with them. Eliminating hard tokens is seen as a practical necessity for managing strong user authentication across very large or diverse user populations, and alternatives to approaches that necessitate token distribution have been sought in banking, healthcare, government services, and other industries. Anakam was a participant and technology provider for the Nationwide Health Information Network (NHIN) Trial Implementations, working with a group led by southeastern regional health information exchange Carespark. Health data considered sufficiently sensitive that it should warrant protection using strict access controls such as strong authentication, but few public or private sector organizations want to take on the task of managing the distribution to customers of smart cards or other physical tokens often used to supplement usernames and passwords for user authentication.
What Does "Responsibility" Mean for Attribution?
5 hours ago