We Practice What We Teach!
End-user security awareness implicit message: "We practice what we teach."
The typical user experience with security system enrolment gives a
puzzling message. An access password is given to the user over the
telephone by a system operator who has no acquaintance with the new user.
The user is instructed never to share the password with anyone, yet he has
just learned it from a support employee! So the user gets the implicit
message that anything controlled by the password is also accessible to this
support employee. The notion of accountability for password usage is
thus spoiled at its inception.
The picture is different with the SAKEM procedure:
- With the SAKEM procedure, the secret cryptographic key and/or password
is established without human intervention, and only an ephemeral
reference number (or "pass reply") is shared with the issuer
agent responsible for the verification of the new user identity. Thus,
the lasting secret is never shared with someone upon installation.
- Assuming proper database and application security technology is in
use, the lasting secret might only be available in encrypted form (hence
unusable) to insiders of the issuing organization.
- Moreover, arrangements can be made so that the verification of
identity is done by a person in a good position to do it reliably, by
virtue of proper training or a particular relation with the new user.
E.g. if the new user is an employee of the issuing organization, the
verifier may be the person to whom he reports.
In summary, with the SAKEM procedure, the end-user's detailed experience
is consistent with the security precautions expected from the most
well-behaved end-users.
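The contrast drawn above can be made concrete with a small simulation of the two enrolment models. This is an added illustration, not SAKEM's own protocol and not CONNOTECH code: the message shapes, the salted-hash verifier, and the way the ephemeral "pass reply" is derived from that verifier are all assumptions made for the example. What it shows is the property the page argues for: in the telephone model the operator's transcript contains the lasting secret, whereas in the device-generated model the issuer's agent only ever handles a short one-time reference and the issuer only stores a verifier from which the secret cannot be recovered.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed illustration of two enrolment models. Not the SAKEM protocol;
# message fields, verifier construction and pass-reply derivation are assumed.


def _verifier(salt: bytes, secret: bytes) -> str:
    """Salted hash stored by the issuer; it does not reveal the secret."""
    return hashlib.sha256(salt + secret).hexdigest()


def pass_reply_for(verifier: str) -> str:
    """Short ephemeral reference derived from the verifier (assumed design).

    It lets a human agent confirm that the enrolment record just received
    belongs to the person in front of them, without learning the secret.
    """
    return hashlib.sha256(verifier.encode()).hexdigest()[:8]


def telephone_enrolment(operator_transcript: list) -> tuple:
    """Flow A: an operator picks the password and reads it out.

    Returns (password_known_to_user, record_stored_by_issuer).
    Whatever the operator says or logs now contains the lasting secret.
    """
    password = secrets.token_urlsafe(12)
    operator_transcript.append("told new user password " + password)
    salt = secrets.token_bytes(16)
    record = {"salt": salt, "verifier": _verifier(salt, password.encode())}
    return password, record


def device_side_enrolment() -> tuple:
    """Flow B, user side: the device generates the lasting secret locally.

    Returns (secret, enrolment_message_sent_to_issuer, pass_reply_shown_to_user).
    Only the salt and the verifier leave the device.
    """
    secret = secrets.token_bytes(32)
    salt = secrets.token_bytes(16)
    message = {"salt": salt, "verifier": _verifier(salt, secret)}
    return secret, message, pass_reply_for(message["verifier"])


def issuer_side_enrolment(message: dict, user_quoted_reply: str,
                          agent_transcript: list) -> Optional[dict]:
    """Flow B, issuer side: the agent matches the pass reply the user quotes
    against the one computed from the received record, then the record is
    activated. The agent's transcript holds only the ephemeral reference."""
    expected = pass_reply_for(message["verifier"])
    agent_transcript.append("checked pass reply " + expected)
    if not hmac.compare_digest(expected, user_quoted_reply):
        return None
    return dict(message)


def authenticate(record: dict, secret: bytes) -> bool:
    """Later login: the issuer recomputes the verifier from the presented
    secret and compares in constant time (simplified; a real system would
    use a challenge-response so the secret never travels in the clear)."""
    return hmac.compare_digest(record["verifier"], _verifier(record["salt"], secret))


def transcript_reveals(transcript: list, secret) -> bool:
    """True if the lasting secret (as text or hex) appears in what the
    human agent said or logged during enrolment."""
    needle = secret if isinstance(secret, str) else secret.hex()
    return any(needle in entry for entry in transcript)


if __name__ == "__main__":
    ops: list = []
    pw, rec_a = telephone_enrolment(ops)
    print("telephone model, operator transcript reveals secret:",
          transcript_reveals(ops, pw))

    agent: list = []
    sec, msg, reply = device_side_enrolment()
    rec_b = issuer_side_enrolment(msg, reply, agent)
    print("device model, agent transcript reveals secret:",
          transcript_reveals(agent, sec), "| login works:", authenticate(rec_b, sec))
```

Running the module prints `True` for the telephone model and `False` for the device model, while authentication succeeds in both: the security of the stored record is the same, but only the second flow keeps the lasting secret out of every human's hands during installation.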