The Immutable “Chain of Custody” – Why Distributed Ledger is Critical to Modern IAM
In the wake of the hack at MOVEit and far too many other organizations this year, the secure, user-controlled, privacy-preserving benefits of distributed ledger technology (DLT) make it a critical component of a modern identity and access management (IAM) architecture.
That one breach alone has impacted 2,620 organizations—including Genworth, antivirus providers Avast and Norton, and the US Department of Energy—and 77.2 million people worldwide. The sheer volume of credentials and personal information compromised through downstream attacks is yet to be determined. But the incident and so many others like it drive home one of the biggest challenges of the digital age.
While centralized IAM consolidated the storage and management of identity data and enabled login credentials to be associated with user roles and permissions easily, it also created a single point of failure that cybercriminals continue to exploit to gain access to all the resources those credentials are authorized to access. Call us crazy, but at 1Kosmos, we believe a big part of preventing threat actors from stealing and weaponizing credentials and personally identifiable information (PII) is to avoid centrally storing them in the first place.
IAM Private & Permissioned: Why DLT Is a BFD
In Parts 2 and 3 in this series, we look at how the 1Kosmos architecture provides a reliable and secure way to verify the identity of users and biometrically authenticate them via decentralized digital identity (DID) mechanisms in our BlockID solution—including a reusable digital identity wallet. The next pillar of our architectural advantage is distributed ledger technology for providing a private and permissioned blockchain that eliminates the centralized PII honeypot for good.
Blockchain technology has several security features that provide a proven way to manage and maintain digital property rights. Think user-controlled data, peer-to-peer, cryptographically secure sharing without an administrative intermediary, and an immutable digital “chain of custody” containing a detailed digital audit log of all user authentications. That makes it an ideal technology for managing and protecting users’ digital identity wallets, which can store a wide range of information—personal details, legal and educational credentials, financial accounts, digital health records, and more. The private and permissioned distributed ledger within BlockID delivers several key advantages, including the following.
Privacy by Design
Without a centralized administration authority, our private and permissioned blockchain technology gives individuals sole access and control of all personally identifiable information. This privacy-by-design approach enables end users to view and approve or reject the sharing of any and all information requested by online services or systems they seek to access. All PII is encrypted end-to-end, so it’s never exposed. Users approve or reject sharing requests directly with the applications and systems they connect to—without a third-party intermediary accessing their data. No external public key server, host messaging server, or other entity can access the keys or plaintext messages.
An Immutable Audit Trail
Like a public blockchain, our private and permissioned ledger retains a detailed, immutable audit trail of all events, enabling visibility to all logins, access attempts, information updates, and shared information related to a digital identity. This private ledger acts as a closed network where information from separate organizations or lines of business can be stored separately—each with its own private ledger. This extraordinary level of audit and visibility helps prevent unauthorized access and fraudulent transactions, providing a high level of assurance for the identity behind the device.
Industry Certification for Unrivaled Performance
We built the first (and only) architecture designed to support and exceed the industry’s strictest standards for security and convenience. Because BlockID follows the W3C specifications and is certified to NIST 800-63-3, UK DIATF, and FIDO2, it uses public-private key cryptography to record and access all information. The private keys are stored in the secure enclave or TPM chip of the endpoint or the user’s device, which can be secured to the very highest digital standard of IAL2/AAL2 supported by NIST—ensuring credentials never leave the user’s device and are never stored on a server, eliminating the risk of credentials theft, replay attacks, or even user tracking. The next highest level of IAL3/AAL3 is generally reserved for human verification but can be achieved via agent-assisted authentication through 1Kosmos partners.
Security That Gives the PII Honeypot the Heave-Ho
In addition to the public-private key security used for encryption, signing, and making relationships with other parties afforded by the certifications above, 1Kosmos LiveID biometrics are certified to iBeta ISO/IEC 30107-3 specifications, providing assurance of liveness and achieving a false match rate of less than 0.1% at 95% confidence interval. Best of all, our private and permissioned ledger ensures there’s no central honeypot of user PII for hackers to target—further defeating the risk of ransomware and data breaches.
Support for a Wide Array of IAM Use Cases
With irrefutable proof of identity and an immutable, tamper-proof audit log of all updates and access attempts, our private and permissioned blockchain gives organizations the speed and agility they need to focus on building customer loyalty and capture market share from less tech-savvy rivals. In the conclusion of this series, we’ll look at how the 1Kosmos architecture enables reusable, verified credentials across a variety of IAM use cases—from “inferred” identity based on email address or device, to cross-referencing biometrics with government-issued forms of ID, to the very highest levels of Know Your Customer (KYC) and Know Your Business (KYB) mandates, and more.
Learn how 1Kosmos can help your organization modernize Identity and Access Management—visit our Architectural Advantage page and schedule a demo today.