1. Internet Identity.
The issue of Internet Identity is as old as the Internet itself:
2. Data Breaches.
IDC predicts that by 2020, more than 1.5 billion people, or roughly 1/4 of the world's population, will be affected by data breaches.
These data breaches are the major causes of Identity Fraud and Identity Theft.
For up-to-date info on Data Breaches:
3. Identity is the New Perimeter.
These breaches caused many cyber-security experts to promote the "Identity-as-the-New-Perimeter" paradigm.
But given the scope of the breaches, Identity itself is in no better shape than Cyber Security in general.
4. Digital Identity.
We, humans, do not possess Digital Identity. We need to acquire this Identity from a third party (such as a Government) and, once acquired, we must prove this Digital Identity in our day-to-day activities.
5. Identity Credentials.
In the physical world, our Identity credentials are stored in our Passports. Every hotel receptionist who makes a copy of our Passport has our Identity Credentials. But we do not make a big deal of it, for the simple reason that Credentials without a Passport are not valid.
Every time we pay with a Credit Card, we leave its number literally on the street. We do not make a big deal out of it, since a number without a Card does not buy you a Burger!
In the Digital World our Identity Credentials are essentially the same as in the Physical World. These Credentials are no longer a secret, since they have probably already been breached. We should not be worried about it if these Credentials are verified in Real-Time using Identity Verification.
6. Identity Verifiers.
Identity Verification is a process. It may include one or many factors, and its goal is to verify these factors. The attacker must not only possess these factors but must be able to present them in the process of Identity Verification: it is not sufficient to have someone's voice recording – one must be able to interact with the Voice Verification system.
On the Internet, we do not have the infrastructure to verify our in-Passport credentials. Instead, the current Internet infrastructure allows us to verify the following independent factors:
- Something you have (possession)
- Something you know (knowledge)
- Something you are (inherence)
New Verifiers have been added: Geolocation and Behavioral Biometrics (the user's interaction with the Browser and Smartphone).
None of these verifiers alone is uniquely bound to a specific Identity. It is argued that their combination enables an adequate degree of confidence in the verified Identity. More factors – better security!
7. Context.
Recently a new "player" has been added to the Identity domain: malware (malicious software).
Malware is capable not only of attacking various Identity Verifiers but also of bypassing Identity Verification altogether to achieve its goals. For example, a man-in-the-browser Trojan is capable of modifying browser-originated transactions. In other words: "What You See is Not What You Get!"
One must assume that a secure Identity Verification process has to cope with potential malware. This necessarily requires that Identity Verification be bound to the context. In payments (see the EU PSD2 regulation), authentication must be bound to the payment and the payee.
8. Current state-of-the-art: step-up verification.
Step-up verification adds to the username (Identity Credential) and password (Identity Verifier) an additional code (One-Time Password, or OTP) received on the user's smartphone. The price users pay is extra latency: the overall login process takes about twice as long as username/password alone.
But this 2-step process can be attacked at each step separately:
Mobile malware can capture credentials and interfere with SMS-based 2-step Verification by intercepting and redirecting OTPs. This led to SMS OTP being deprecated (US NIST, 2017).
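To make the difference between sections 7 and 8 concrete, here is an added example (not code from the original post) contrasting a classic step-up OTP, which depends only on the session, with a context-bound code in the spirit of PSD2 dynamic linking, which is computed over the payee and amount the user actually approved. The shared key, payee labels and amounts are constructed sample values; the HMAC construction is an assumption chosen for illustration, not a specific vendor's scheme.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed sample key, assumed to be shared between the bank and the user's
# out-of-band authenticator at enrollment (hypothetical, not a real secret).
USER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


@dataclass(frozen=True)
class Payment:
    payer: str
    payee: str
    amount_cents: int


def unbound_otp(nonce: str, key: bytes = USER_KEY) -> str:
    """Classic step-up OTP: depends only on a session nonce, not on the payment."""
    return hmac.new(key, nonce.encode(), hashlib.sha256).hexdigest()[:8]


def bound_code(p: Payment, nonce: str, key: bytes = USER_KEY) -> str:
    """Context-bound code: the authenticator computes it over the payee and
    amount the user actually sees and approves, plus the session nonce."""
    msg = f"{p.payer}|{p.payee}|{p.amount_cents}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:8]


def verify_unbound(nonce: str, code: str, key: bytes = USER_KEY) -> bool:
    """Server check for the classic OTP: the payment plays no role at all."""
    return hmac.compare_digest(unbound_otp(nonce, key), code)


def verify_bound(p: Payment, nonce: str, code: str, key: bytes = USER_KEY) -> bool:
    """Server recomputes over the transaction it received; constant-time compare."""
    return hmac.compare_digest(bound_code(p, nonce, key), code)


def man_in_the_browser_demo(nonce: str = "") -> dict:
    """Does each scheme accept a payment whose payee was rewritten in the
    browser after the user approved what was displayed to them?"""
    nonce = nonce or secrets.token_hex(8)
    shown = Payment("alice", "PAYEE-SHOWN-TO-USER", 4999)         # what the user sees
    tampered = Payment("alice", "PAYEE-SWAPPED-IN-BROWSER", 4999)  # what the bank gets
    otp = unbound_otp(nonce)
    code = bound_code(shown, nonce)
    return {
        "unbound_otp_accepts_tampered": verify_unbound(nonce, otp),   # True: OTP says nothing about the payee
        "bound_code_accepts_original": verify_bound(shown, nonce, code),   # True
        "bound_code_accepts_tampered": verify_bound(tampered, nonce, code),  # False: context mismatch
    }
```

The unbound OTP is still a valid second factor for the login, yet it cannot tell the bank that the transaction it received is not the one the user approved; the bound code fails exactly when the context has been altered.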
9. Biometrics (inherence) - no silver bullet.
Any biometric can be spoofed (including implicit behavioral biometrics). Biometric spoofing is a method of fooling a biometric identification management system: an artificial object or sample that imitates the unique physiological or behavioral properties the system is designed to measure is presented to the biometric verifier.
Therefore any stand-alone biometric, used in a step-up architecture, can be attacked straightforwardly, step after step.
10. Security vs. Usability.
One can add more security by providing additional steps, but these result in increased latency and too much end-user friction.
11. Local vs. Remote.
Local systems (using biometrics to log in) use fall-back procedures that essentially reduce their security and, therefore, do not possess enough flexibility to match the application risk. Remote Identification enables the flexibility to adapt Identity Verification to the application risk.
Although mobile is growing faster, billions of Internet users are still using the Desktop. One size does not fit all, and we need optimized solutions for Web (browser) and Mobile (apps).
13. An optimization.
In our search for "the best solution" for Internet Digital Identity, we may conclude that:
- There is no point trying to protect Identity Credentials – they are not a secret.
- Identity Verification has to be optimized to deliver maximum security in minimal time; this implies providing simultaneously as many independent Identity Verifiers as possible.
- Identity Verification has to be context-bound to prevent malware from bypassing it.
- Identity Verification has to be risk-aware to allow for changing circumstances.
- The Identity Verification process needs to be separately optimized for Web (browser) and Mobile (apps).