Ditching the ‘Feds’: Why Decentralized Digital Identity is Key to Effective IAM
While Identity and Access Management (IAM) long ago gave IT teams tighter controls against unauthorized access to digital services, it hasn’t exactly been bulletproof.
Yes, IAM consolidated the management and storage of user data and enabled login credentials to be associated with user roles and permissions easily. But it also created a single point of failure that hackers have proven painfully adept at exploiting to gain access to all the resources a user is authorized to access.
Federated identity management was supposed to fix that by involving a third party in the management of IAM. Instead, it retained all the dangers of centralized identity while extending the potential blast radius of compromised credentials to vast, interconnected networks. Meanwhile, the global cybercrime economy now tops $7.8 trillion a year. The good news: Decentralized digital identity (DID) management has emerged as a superior approach to managing user identity — if you have the right architecture to support it.
IAM: More Than Just a Password or a Pretty Face
In Part One of this series, we shared the contours of the 1Kosmos architecture, which employs automated, digitally verified identity to confirm user claims and credentials with up to 99.6% accuracy. In Part Two, we showcased how we go above and beyond mere logins by binding identity to a biometric stored within a digital wallet. Yet, as solid as these architectural pillars are, we know that decentralized identity models offer a way to keep these and other personal identifiers and information far more secure than traditional user stores — centralized, federated, or otherwise.
To that end, let’s look at why we designed our architecture to support a reusable identity wallet that enables users to securely gain access to corporate systems using identity details that remain under their own control instead of being stored centrally on servers where they can be altered, misapplied, become inaccurate over time—or be swiped, ransomed, or leveraged to commit fraud.
Decentralized Identity: What’s In Your Wallet?
In our view, decentralized digital identity isn’t just important to modern IAM. It’s essential, for two reasons: 1) it replaces platform-specific user stores, which are hard to integrate because of proprietary technologies embedded deeply within those same platforms, and 2) it replaces the incomplete personally identifiable information (PII) scattered across multiple business applications with a single version of the truth managed directly by the user.
Our BlockID solution builds on the 1Kosmos architecture and on advances in smartphones, cryptography, and blockchain technologies to establish high-assurance trust online in a way that balances security, privacy, and convenience. This enables organizations to confidently accelerate user onboarding and activation of digital services, protect digital accounts from unauthorized access (also known as account takeover), prevent transaction fraud, improve the user experience, and more. Specific features include:
A Reusable Identity Wallet
End users gain secure access not just to corporate accounts and systems but also to digital analogs of verified government-issued ID cards, driver’s licenses, passports, social security cards, and more—anytime, anywhere, from any device. Users also control what personal information they share with digital services, in a manner consistent with emerging Self-Sovereign Identity (SSI) frameworks.
Portability and Interoperability
1Kosmos offers the only solution certified to the highest FIDO, NIST, and UK DIATF standards for interoperability and security, and provides an SDK along with off-the-shelf APIs to simplify data sharing and integration.
Verifiable Claims & Credentials
A way to digitally present, in real time, claims backed by a virtually limitless number and variety of machine-verified credentials, and to store those credentials safely so they are ready for reuse on demand with the user’s consent.
These features produce enormous benefits for organizations and end users, including the following.
Rapid Remote User Onboarding
The 1Kosmos digital identity wallet organizes and stores information gathered, triangulated, and validated during the identity-proofing stage of self-service user onboarding. This includes attributes from multiple provable sources, and it enables a wide variety of applications that require identity verification without physical, in-person presence. Think worker and contractor onboarding, applications for government services and documents, and compliance with Know Your Customer (KYC) and Anti-Money Laundering (AML) mandates.
Security Backed by Public Key Cryptography
Our digital identity wallet consists of a decentralized identifier along with a cryptographic public-private key pair. Personal information about the user and their credentials is stored within the wallet, and reading it requires both the user’s private key and their biometric. Because the private key never leaves the Secure Enclave within the device and the biometric can be authenticated to the highest digital standards available, this approach vastly exceeds the security achievable through passwords, traditional forms of multifactor authentication, and unverified device-level biometrics. In turn, this reduces cyber threats related to credentials stolen through phishing attacks, data breaches, and more.
User Convenience With Just the Right Friction
When data from the digital wallet needs to be presented—during login or in the event of step-up authentication—the wallet holder must present their biometric and consent to share that data. When approved, the private key unlocks the wallet so the data can be shared. The private key never leaves the device, so the risk of its compromise is dramatically reduced. Best of all: There are no passwords to remember or clumsy OTPs to enter.
Verifiable Credentials for a Zero-Trust World
Verifiable credentials are a standardized means of issuing and presenting claims about one’s identity: driver’s license, passport, college qualifications, gym membership, and so on. Other information, such as educational certificates and vaccination records, can also be added to the wallet to make the user’s identity-proofing process indisputable across any number of use cases. The identity wallet can make assertions about identity or credentials that are cryptographically verifiable by the receiving party—without the underlying data being revealed. The principal cryptographic element used by decentralized identities is the zero-knowledge proof (ZKP), which lets the wallet answer an information request while protecting user privacy: the verifier learns only that the claim holds, not the data behind it.
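As an added illustration of the presentation flow described above (not 1Kosmos code or the BlockID wallet format), this Go sketch has an issuer sign salted claim digests bound to the holder’s DID key, the wallet reveal only the consented claims and sign the verifier’s nonce locally, and the verifier check both signatures plus each revealed claim. It uses salted-hash selective disclosure (the SD-JWT approach) in place of a zero-knowledge proof, which hides undisclosed claim values but is not a ZKP; the type names, signing-body layout and sample values are assumptions.

```go
package main
import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
	"sort"
)

// Claim is one wallet attribute; Salt must be fresh wallet-generated randomness so hidden claims can't be brute-forced.
type Claim struct{ Name, Value, Salt string }
// Credential is what the issuer signs: salted claim digests bound to the wallet's DID public key, never raw values.
type Credential struct {
	HolderPub ed25519.PublicKey
	Digests   []string
	IssuerSig []byte
}
func digest(c Claim) string {
	return fmt.Sprintf("%x", sha256.Sum256([]byte(c.Salt+"|"+c.Name+"="+c.Value)))
}
// body is the signed byte string: the issuer signs it with an empty nonce, the holder with the verifier's nonce.
func body(pub ed25519.PublicKey, digests []string, nonce string) []byte {
	return []byte(fmt.Sprintf("%x\n%v\n%s", pub, digests, nonce))
}
// Issue signs only the sorted digests (order reveals nothing); the wallet keeps the salts and values.
func Issue(issPriv ed25519.PrivateKey, holderPub ed25519.PublicKey, claims []Claim) Credential {
	ds := make([]string, len(claims))
	for i, c := range claims {
		ds[i] = digest(c)
	}
	sort.Strings(ds)
	return Credential{holderPub, ds, ed25519.Sign(issPriv, body(holderPub, ds, ""))}
}
// Present runs after biometric unlock: the DID private key signs the verifier's fresh nonce inside the wallet.
func Present(cred Credential, priv ed25519.PrivateKey, nonce string) []byte {
	return ed25519.Sign(priv, body(cred.HolderPub, cred.Digests, nonce))
}
// Verify checks the issuer signature, holder key possession over the nonce, and every revealed claim's digest.
func Verify(cred Credential, issPub ed25519.PublicKey, revealed []Claim, holderSig []byte, nonce string) error {
	if !ed25519.Verify(issPub, body(cred.HolderPub, cred.Digests, ""), cred.IssuerSig) {
		return fmt.Errorf("issuer signature invalid")
	}
	if !ed25519.Verify(cred.HolderPub, body(cred.HolderPub, cred.Digests, nonce), holderSig) {
		return fmt.Errorf("holder signature invalid or stale nonce")
	}
	for _, c := range revealed { // undisclosed claims stay hidden; each disclosed one must match a signed digest
		if i := sort.SearchStrings(cred.Digests, digest(c)); i == len(cred.Digests) || cred.Digests[i] != digest(c) {
			return fmt.Errorf("claim %q not covered by issuer signature", c.Name)
		}
	}
	return nil
}
```

A verifier that receives only the `over18` claim learns nothing about the other digests, while a tampered value, a replayed nonce, or a presentation signed by a key other than the one bound in the credential is rejected.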
Blockchain: This Is Just The Beginning
In Part Four, we’ll look more closely at how the 1Kosmos architecture leverages distributed ledger technologies (DLT) to eliminate the centralized PII honeypot while increasing business agility and speed.
Learn how 1Kosmos can help your organization modernize Identity and Access Management—visit our Architectural Advantage page and schedule a demo today.