Authentication is Outdated: A New Approach to Identification

854

Identity security is the greatest weakness in enterprise security. As any infosec manager will tell you, no matter how secure your infrastructure, anyone with the right credentials can walk through the front door. Identity and user authentication continue to be a concern for IT managers. It’s still entirely too easy to steal someone’s credentials, which is why identity theft continues to be a primary cause of data breaches. It’s time to take a closer look at alternative identity management and authentication strategies.

Cyberattacks designed to steal identity are on the rise. The Federal Trade Commission says the number of identity theft cases doubled between 2019 and 2020. Thirty-three percent of Americans have experienced identity theft, which is twice the global average, and one in 15 have been the victim of identity fraud. With the new work-from-home culture it has become easier to steal enterprise credentials. While corporate malware attacks are down, phishing attacks are up, averaging 1.185 per month. In March 2020, the start of the pandemic, phishing emails targeting remote workers rose 665% as cyber criminals tried to steal login credentials.

The old security strategies don’t offer an adequate protection of enterprise resources. Organizations are looking for new strategies to strengthen both cyber and physical security without disrupting operations. The emergence of digital trust ecosystems offers a new approach to cyber security that is easy, foolproof, cost-effective, and that extends beyond enterprise security as well.

You Are Your Identity

The vulnerability of personal identity is an acknowledged weak point in security. With the right personal information, cybercriminals can access personal finances, medical records, and business assets. They also can use stolen personal information for identity theft, opening fraudulent accounts.

Rather than asking individuals to surrender personal information every time they need to log in to a digital account there needs to be a different form of personal identification. For example, a QR code provides a unique identifier that stays with the user and can be used for both secure enterprise access as well as personal identification. To secure personal information, the digital badge  proves identity, but the credentials that authenticate identity are never exposed so they can’t be hacked or stolen.

Distributed ledger technology is ideal for creating the kind of digital trust ecosystem that makes it easy to provide secure authentication without revealing the personal information, such as a social security number, date of birth, or mother’s maiden name, that could be used for identity theft. With a digital trust ecosystem in place, the user retains control of their credentials while being issued a unique identifier for authentication. Managing authentication using this system gives individuals control over their personal data and creates little or no additional work for IT security managers while still giving them total control over enterprise access.

Adopting a Digital Trust Ecosystem

Distributed ledger technology, similar to that used as the foundation for blockchain, presents new possibilities to securely manage digital identity. Where a traditional database centralizes information, distributed ledgers record store transactions and authentication details in multiple cloud locations. Using data encryption, each node verifies its part of the user credentials when needed. Creating this type of trust ecosystem for identity management allows you to authenticate identity without having to access the user credentials themselves. The distributed ledger system verifies the information to prove identity.

A digital trust ecosystem can be created by a single company or organization, or a confidential consortium can share the same technology so the same secure user identifier can be used for multiple purposes. For example, a unique QR can be used as your driver’s license and to prove you have been vaccinated for COVID. It’s a matter of having the government agencies share the same digital identity verification system.

While the technology used to create a digital trust ecosystem is sophisticated, the practical application is simple. You start with a company, organization, or group that maintains the authentication ecosystem. Users would be onboard to the ecosystem, inputting their confidential information only once for authentication; none of the personal data is stored in the system. The distributed ledger system then issues a unique QR code the user can carry on their smartphone. Any time they need to authenticate their identity they provide the QR code.

With this approach, the identifier stays with the user. To maintain security, the QR code is updated every minute, but other organizations that want to use the same digital trust ecosystem can use the same system and code reader to verify identity.

We are already seeing the adoption of similar technologies. New York’s Excelsior pass to prove COVID-19 vaccination is one example. In Australia, for example, TrustGrid is working with government agencies in New South Wales to apply the same type of secure ecosystem to issue digital driver’s licenses and commercial licenses.

Expect to see enterprise and other types of security rely less on passwords and two-factor authentication and start relying more on digital security cards. This new generation of identifiers will not only be used for corporate data security but medical records, professional certifications, travel authorizations, and other applications. It’s impossible to counterfeit, easy to use both for individuals and security managers, and places control of personal information in the hands of users. Imagine a scalable, foolproof approach to security that meets every need.

Benjamin Kiunisala is Head of Customer Engagement for TrustGrid Pty, Ltd., in Sydney, Australia.,

For more information, please visit:  http://trustgrid.com