Identity Based Authentication

Identity online is misunderstood and misrepresented. Organizations determine proof of identity through usernames and password. While it is believed that passwords prove identity on the other side of the digital connection, it actually proves is that someone knows the username and the password, and that could be anyone.

Let’s take a minute to look at how we think about identity in the physical world. When someone needs to prove who they are, they provide two factors: Something they have, such as a driver’s license or passport, and something they are – their face.

Their face is matched to the image on the credential, and the requesting party (i.e. a bank manager, police officer, or customs agent) approves the identity. The credential is trusted and difficult to impersonate. The same goes for the face match. Note how there is no “secret” involved in this transaction. This has been proven effective as billions of people prove their identity in person every day.

It was very difficult to utilize factors such as these for remote authentication for two reasons.

First, giving someone a trusted credential remotely was expensive and very difficult to use. The most common form of remote trusted credential was a smart card containing a chip with a cryptographic secret. These chips are nearly impossible to clone (like a good passport).

However, smart cards never achieved wide adoption because they are expensive and they require specific hardware attached to a computer to function. This made their use nearly impossible in commercial settings. How do you take a smart card reader with you from one location to another, and try to get it to function? Government employees have used smart cards (called CAC or PIV cards) for years but their use is not for the faint of heart.

Second, verifying someone’s face or fingerprint remotely was just as problematic. How do you enroll their biometric remotely? How do you prove who that biometric belongs to? How do you overcome the challenges of having a fingerprint reader or facial scanner in someone’s home or remote office?

The world we live in today is much different than that of 10 years ago. Advances in several standards and technologies now make remote Identity not only possible but cost-effective and have a marked improvement in user experience.

This is where Identity Based Authentication (IBA) comes into play. In order to make IBA widely adopted, the industry would need to standardize two important aspects of identity: 1) Identity Proofing, and 2) Passwordless Authentication.

Identity proofing can be completed from something as simple as an email to an existing employee, to verifying a user’s likeness against government issued IDs. Once a user is verified the path to a strong passwordless experience can begin because each access event is associated with a real, verified identity. This concept is the cornerstone for a zero-trust framework, as it enables high identity assurance for every user authentication attempt.

NIST 800-63-3 for Remote Identity Proofing
In 2017 the NIST government standards body released a standard called NIST 800-63-3. This standard defines strict criteria for the management and technical operations for how you enroll an identity and use that identity in a secure fashion. There are three “sections” in this standard.

The first section, “800-63-3A”, defines how you enroll an identity with various forms of identity documents such as a driver’s license or passport. This is often referred to as “Identity Proofing”. This standard has 3 levels referred to as IAL or Identity Assurance Level.

As previously mentioned, until recently it was very difficult to prove someone’s identity remotely. Now with billions of people having very capable smartphones and computers, users can enroll their physical identity documents with a high degree of security and accuracy.

A typical method is to have a user take a picture of their drivers license and/or passport and validate them via their overt and covert security features such as watermarks and holograms. They can also be verified with the issuing authority such as a DMV or state department.

Then, the user takes a live “selfie” photo or video that is used to compare the holder’s real face to the face on the government documents. This selfie can be used as an authentication factor called “LiveID™” that we will cover later.

When you enroll two forms of strong identity documents, you can achieve 800-63-3A “IAL2” or Identity Assurance Level 2.

Kantara NIST 800-63-3 Full-Service Provider Certification
An organization called Kantara conducts conformity assessments to the 800-63-3 standard and provides a grant of Trust Mark when all requirements of the standard have been met.

Banks, for example, as part of compliance with Know Your Customer (KYC) mandates would need to perform IAL2 identity verification at a minimum for remote new account creations. Certification to 800-63-3 by Kantara versus the lesser standard of conformity to the guideline would be required to support this requirement.

Remote identity proofing has many business applications. Generally, these fall into two categories: 1) Business-to-consumer, and 2) Business-to-worker.

We’ve mentioned the KYC requirements in banking, which is a legal requirement implemented in part to help fight the funding of terrorism and money laundering. There are several other industry use cases typically characterized by long-term B2C relationships where it is essential to establish trust with individuals interacting with the organization remotely before engaging in commerce. These include remote learning/higher education, telco, online gaming, government, travel, healthcare, utility, real estate, and legal services.

Businesses are also required to perform identity verification of workers during hiring. In the US this is knows as I9 Employment Eligibility Verification. As part of immigration and tax laws, organizations in other countries across the globe face similar requirements.

Whether performed for customers or workers, onboarding has traditionally been a cost center, representing administration overhead to process manual copies of personal credentials, match them to individuals, add individuals to HR or customer databases and then pass information to downstream IT systems by administrators or systems like Saviynt or Sailpoint.

Automating identity proofing fundamentally transforms these work processes, shifting administrative workload to the user endpoints and automating information capture, credential verification and document workflow. This results in a reduction of administration overhead, faster cycle times, and a more pleasant user experience. In the end, users are happier and get faster access to what they need, driving efficiency and, in the case of customers, faster time to revenue.

Note that strong identity proofing alone does not provide a way to authenticate in the future. It is a one-time activity that must be combined with an authentication mechanism to be truly effective for long-term identity. There are dozens of companies that do identity proofing, but very few that extend this into the life of the user’s authentication journey. That is where the second standard comes into play.

Covered in the second section of the NIST standard “800-63-3B” is how you use an enrolled identity to authenticate without a username and password. The industry term for this has become “Passwordless Authentication” and has been brought to market by a non-profit organization called the FIDO Alliance.

FIDO stands for “Fast Identity Online” and is backed by industry-leading organizations such as 1Kosmos, Google, and Microsoft. FIDO uses cryptography in the form of a public and private key to authenticate a user.

In this case, the private key is stored in the Trusted Platform Module (TPM), Secure Enclave of the device, or hardware token. That key (what you have) combined with a biometric such as TouchID, FaceID or LiveID (what you are) becomes the two factors that are needed to allow a user into an online service.

Similar to Identity Proofing, passwordless authentication alone does not prove identity. Many authentication companies simply exchange a username and password for a cryptographic key that is linked to one device. But strong authentication is not a strong identity signal, so this key is only as good as the username and password that it started with. In order to prove true Identity Based Authentication, the “genesis” of the identity must come from a trusted or proofed source.

It is the combination of these two functions, proofing and passwordless, that allow for IBA. Certified identity proofing to the NIST 800-63-3A and UK DIATF guidelines combined with certified FIDO2 authentication provides authentication with a high level of certainty of the identity at the other end of the connection.

This effectively brings identity into the security perimeter of the organization in a way that has not been possible for much of the past six decades since the password was invented, removing anonymity behind compromised credentials. With IBA, credentials cannot be borrowed.

This leaves two other threat vectors that need to be defeated. First, the biometric needs to be to the greatest extent possible, sophisticated and non-hackable. A “live selfie” with technology to detect depth of field, specific facial movements, and telltale signs of photo and video manipulation and that provides application-specific authentication (versus device-level) is an absolute must.

Second, biometrics among all other personally identifiable information are by nature extremely personal and represent a high value target for hackers. Anytime they are collected and stored they represent a target. Centralized storage and administration provides the biggest target of all, even if encrypted because administrators can be tricked and are under near continuous attack from all possible angles. This makes distributed storage and access via cryptographic private key a vastly superior model. Private blockchains (AKA distributed ledgers) are ideally suited to this use case. Private blockchains (AKA distributed ledgers) are ideally suited to this use case because the data is encrypted, only accessible via the user’s public/private key pairs, and it places ownership of the identity on the user.

The convergence of Identity Proofing and Passwordless Authentication results in a convenient user experience that is impervious to credential theft, removing significant threats posed by unauthorized users logged into the corporate IT network including data breaches, ransomware, commercial espionage, financial fraud, and more.

Modernizing customer and worker onboarding with identity proofing eliminates administrative overhead, reduces business process cycle time, eliminates data key errors, and drives downstream efficiencies for any business process where user information is required. Organizational agility improves to respond more quickly to change or to new user demands.

But, let’s circle back to basics. Only recently have our electronic devices become able to identify us by physical characteristics and true to the course of innovative technologies, standards bodies have evolved to help define the best way for those devices and the various technologies surrounding them to interoperate.

Without a doubt, authenticating with identity simplifies the IAM IT architectures that revolve around passwords and all that is required to store, protect and add 2FA security layers on top of them, but which still fail to protect the organization from catastrophic attacks. To some, this represents a threat. They want to continue to tweak the existing password-based approach.

But for organizations that are no longer willing to expose their operational plans to the threat of disruption that comes from identity-based attacks, Identity Based Authentication provides a path to unwind the highly complicated IAM IT infrastructures that has grown out of control over the decades.

They have come to realize that password-based authentication relies on the hope that the password is kept secret, but it survives because of fear, uncertainty, and doubt about how to change to passwordless authentication and out of sheer denial that the basic “shared secret” approach they represent is a deeply flawed and limiting approach. Identity Based Authentication gives the organizations a path to simplify along a journey that is easy to deploy, highly effective, and that users prefer.

Using Identity Based Authentication ensures legitimate new account creations, prevents account takeover (ATO), and secures financial transactions against fraud by servicing as a strong user authenticator, but it does this in a highly scalable way because the standards on which it is based (specifically NIST 800- 63-3 and UK DIATF) provides for a high level of off the shelf connectivity via APIs without the need for custom coding.

But, maybe most importantly, legitimate users generally like to be recognized. Criminals do not. And that seems to make all the difference for organizations who are deciding they will no longer be held hostage to threats posed by identity deception.