Five industry experts sat down together to discuss online identity proofing at the 2017 Federal Identity Forum. Moderated by ID.me CEO Blake Hall, the panel discussed why identity proofing has become a challenge and how organizations can work towards creating a more secure identity ecosystem.
1) Web Passwords are Broken and Not Enough to Protect Users
Users need more than a simple password to protect their digital identities. According to Dashlane, a leading password manager, the average user has at least 90 unique online accounts. In 2020, Dashlane estimates that this average will increase to 220. The sheer number of passwords to manage, many with their own specific character count requirements, forces users to reuse the same passwords, leaving their accounts vulnerable to malicious actors.
Christiaan Brand, Product Manager of Identity and Security at Google and member of the FIDO Alliance, said that web passwords are broken because they are easily phished. Aside from data breaches, Brand named phishing the number one threat vector for identity theft.
“Even today with all the education around trying to convince folks not click phishable links, it’s really hard to distinguish a legitimate site from the fraudulent website,” Brand said. “We found at Google that one out of every two people confronted with a sophisticated phishing scam or fraudulent scam ultimately revealed their credentials. I think with all the tools we have at our disposal, I think that statistic may be going up rather than going down.”
2) Strong second factor authenticators such as hard tokens protect accounts from phishing
To fix broken passwords and prevent phishing, organizations need to strengthen their logins with second factor authentication (2FA).
FIDO Universal Second Factor (U2F) hardware tokens are emerging as one of the best safeguards against phishing. In order to access an account enabled with 2FA, the user would need to input their password and touch their FIDO U2F security key to complete the login. If a user clicks on a suspicious email and their password is phished, their account remains protected by the hardware token, which must be physically stolen to be compromised.
Hardware tokens may be innovative, but they aren’t new. Yubico CEO Stina Ehrensvard said during the panel that many people ask whether her company’s hardware security token, the Yubikey, belongs in the past.
“A common question people ask me is, ‘Hey, why are you driving standards with something old like hardware authenticators? Isn’t that the past?’ The reality is that we never left these physical authenticators,” Ehrensvard said.
Consumers already use SIM cards and credit card chips as hardware authenticators offline. However, none of those options were actually made to protect identity, and they can’t be used to log into websites.
Ehrensvard’s solution, the Yubikey, is a security key made specifically for the web. A FIDO-certified Yubikey can be tied to any website that supports 2FA.
3) Authentication is getting easier. Identity proofing is getting harder.
It’s easier than ever to enable 2FA using security keys and biometrics. Most smartphones, laptops, and tablets support biometric authentication with cameras for facial recognition and sensors for fingerprint recognition. FIDO-certified security keys can work in tandem with almost any device. The advancement of security keys and biometrics means it’s becoming easier than ever to authenticate an identity. Identity proofing, however, has only grown more complex.
Whereas authentication rests on validating whether the user using the account today is the same person who set it up in the first place, identity proofing is intended to establish confidence that the identity used to set up the account is real and that the user is in fact who they claim to be. To prove identity, it isn’t enough to prove that John Smith of Dayton, Ohio truly exists; organizations need to know if it is John Smith on the computer or another actor pretending to be John Smith.
In the wake of the Equifax breach, Jeremy Grant, Managing Director of Technology Business Strategy at Venable, said wide-scale data breaches have put everyone’s personal data on display.
“In 2017, authentication is getting easier, but conversely identity proofing is getting harder,” Grant said. “How do we solve this identity proofing issue? You can’t just ask me four questions from a database anymore.”
Grant explained that knowledge-based authentication, or KBA, isn’t a reliable second factor for identity proofing because the answers to most questions can be found on the dark web. Organizations need to move away from KBA in order to truly secure accounts and protect user data.
4) Identity Proofing Relies on Dynamic Understanding of Identities
Approaching identity as static makes identity proofing more difficult. Keir Breitenfeld, Senior Business Consultant at Experian, explained that organizations must track how identities evolve in order to recognize when they have been compromised.
“Identities change over time. You may identity proof someone on day one, they may look fantastic on day 30, but then something happens and we see their identity on the dark web,” Breitenfeld said. “That’s a different person now. They should be treated from that point forward differently than they were 30 days ago.”
If organizations identity proof a user one time but do not continuously analyze how the credential is used afterwards, they won’t be able to recognize account takeovers or abnormal behavior that indicates fraud. Fraud and device identity networks track user spending patterns, locations, and even behavioral biometrics such as typing speed to identify if an identity exhibits a normal pattern of use.
5) Identity Proofing Requires a Next Generation Solution of Trusted Portable Logins
The challenge of identity proofing must be met with a next-generation solution that changes how identity credentials are established and produced online. Rather than forcing users to create multiple logins or enter data such as their name, date of birth, or social security number that is no longer secret, users should be able to take their identities with them from one site to the next with a single, secure credential. Organizations should also leverage remote identity document verification and Mobile Network Operator feeds instead relying on easily duped KBA.
During his segment of the presentation, Hall explained that current identity systems are fragmented due to a lack of trust and portability. For example, many sites allow users to sign in or create an account using Facebook or Google, but those credentials aren’t considered trustworthy enough to represent a user’s identity during a healthcare or entitlement benefit transaction. Meanwhile, credentials that are more trustworthy such as bank logins cannot be used across different sites.
However, digital credentials that are trusted and portable are absent in the United States.
“If someone challenges your right to a credit card at a grocery store, it’s your driver’s license that proves who you are. If you’re going through TSA at the airport, your driver’s license proves who you are,” Hall said. “There’s a trust gap in the Internet because state governments are the national identity providers for the United States of America, but they haven’t fulfilled that role for the Internet. ”
ID.me fills the trust gap by binding a legal identity to a shared login in a manner that meets the federal government’s most rigorous requirements for remote identity proofing and authentication — creating the digital equivalent of a driver’s license. After identity proofing a user once and securing their account with possession-based authenticators such as a FIDO certified security key, users can use their portable ID.me login to take their identities across multiple websites. ID.me’s credentials are currently accepted by three different federal agencies and over 200+ other relying parties in the public sector, healthcare, financial services, and e-commerce.