Identity: the key factor when it comes to verifying who you are and what you can access. And the only true way to authenticate a user, whether an internal employee or an external customer, is to verify their identity against an identity that you issued to them.
There are multiple authentication methods that can be used to verify the user's identity when they request access or confirm a transaction. These combine factors such as a user name, a user ID, a mobile smart credential, a physical smart card, a FIDO token or an OATH-based hard token, and/or biometrics like face, fingerprint, finger vein, voice, etc.
So how do you define identity, and how does one obtain one?
Let's take a look at a simple use case. A bank opens an account for an end user or client based on the verification of identity documents issued to that person by their local, state or federal government, e.g. driver's license, birth certificate, social insurance card or citizenship card. In this use case, the primary identity issuer is the government. The bank trusts the government-issued piece of identity to create a secondary identity in its own systems. Based on that secondary identity, the bank issues a client card with a card number embossed on it, protected by a numeric passcode. The client card number identifies the user and can be used to access their bank accounts online, at ATMs and through the customer contact center.
Even with the secondary identity (the client card issued by its own systems), the bank may still ask for proof of the primary, government-issued identity for certain transactions, such as those above a certain amount or those conducted from another branch. The rules may differ from bank to bank and from country to country, but the primary identity remains supreme.
The same holds for employers when they hire employees, for universities when they admit students, and for any business enrolling end users to access its systems and applications.
A circle of trust is thus created, with government-issued primary identities at its epicentre.
Some government systems have started relying on certain financial institutions to grant users access to government systems and applications. I find it curious, because the primary identity issuer is depending on a secondary identity issuer to assure it that the person is who they claim to be. The financial institution's Identity and Access Management systems still depend on a client card number and password to authenticate their clients before passing an authentication token back to the government systems and applications.
Breaking the Circle of Trust
Client card number and password information is relatively easy to compromise. Security in a chain is only as strong as its weakest link, so this exposes access to government systems and applications. A primary identity issuer has trusted a secondary identity provider that uses weak authentication mechanisms. The circle of trust has been broken.
With fast-evolving business needs and speed-of-light digital business transformations, process automation and ease of doing business are at the forefront. Opening accounts online, getting access to new services with minimal friction and enabling a smooth end-user experience are all part of the competitive edge and stickiness of the new-age digital business.
What is the solution?
If secondary identities are to be allowed into the circle of trust, then the secondary identity provider must implement an Identity Assurance mechanism that establishes trust, securely issues the secondary identity, and maintains that trust through continuous authentication, behavioral analytics and session monitoring. Some aspects of identity assurance are:
Identity proofing: To ensure that the user creating a new account is the person they claim to be, the Identity Assurance system may compare a picture of the primary identity document (passport, driver's license) with live selfies, backed by AI-driven fraud detection technologies. As an added layer of security, you can verify the integrity of the user's device by checking that the device hasn't been used for, or linked to, fraudulent activity. This is known as device reputation. If both the comparison and the device reputation check pass, the Identity Assurance system may issue a trusted identity by embedding a mobile smart credential based on PKI or blockchain technology.
The secondary identity may then be used for authenticating and transacting. Identity Assurance systems may use a blockchain ledger from social networks as an input when calculating trust levels in certain scenarios.
Forrester Research advocates starting with a zero trust framework and upgrading the trust level based on the proof points gathered as the user transacts with the issued identity. A circle of trust with varying levels of trust, each clearly defining the type of information the specific identity is allowed to access, alter and delete, is critical. Unless your organization is able and willing to use an Identity and Access Management system that can create multi-trust-level identities and issue them in the form of a mobile and physical asset, you are opening your systems to online abuse and fraud.
Once such an identity has been issued, your system and the other dependent systems in the circle of trust can start using the issued identities for access management.
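The proofing-to-trust-level flow just described, together with the weakest-link point made under "Breaking the Circle of Trust", as an added illustration that is not code from the original post or from any vendor it mentions: a small Python policy model in which an identity starts at zero trust, is raised one tier at a time as proof points (document-to-selfie match, liveness, device reputation, bound smart credential) accumulate, is capped by the weakest issuer when a primary issuer relies on a secondary one, is dropped a tier when session monitoring flags an anomaly, and is mapped to the operations (read, alter, delete) it may perform. The tier names, the ProofingResult fields and the permission table are constructed assumptions for the example, not a standard.

```python
from dataclasses import dataclass
from enum import IntEnum


class TrustLevel(IntEnum):
    """Assurance tiers of a circle of trust, lowest to highest (constructed)."""
    NONE = 0     # zero trust: nothing verified yet
    LOW = 1      # self-asserted only (e.g. card number + password)
    MEDIUM = 2   # proofed against a primary identity document
    HIGH = 3     # proofed and bound to a possession factor (smart credential)


# What each tier may do with account data (constructed policy table).
PERMISSIONS = {
    TrustLevel.NONE: frozenset(),
    TrustLevel.LOW: frozenset({"read"}),
    TrustLevel.MEDIUM: frozenset({"read", "alter"}),
    TrustLevel.HIGH: frozenset({"read", "alter", "delete"}),
}


@dataclass(frozen=True)
class ProofingResult:
    """Outcome of the identity-proofing step (constructed fields)."""
    password_ok: bool                 # knowledge factor at account creation
    document_matches_selfie: bool     # primary-document photo vs. live selfie
    liveness_passed: bool             # selfie came from a live person
    device_reputation_clean: bool     # device not linked to prior fraud
    credential_bound: bool = False    # PKI mobile credential issued and bound


def assurance_from_proofing(r: ProofingResult) -> TrustLevel:
    """Start at zero trust and raise the tier only as proof points accumulate.

    Each tier requires everything the tier below it requires, so one failed
    check caps the result instead of being averaged away by the others.
    """
    if not r.password_ok:
        return TrustLevel.NONE
    level = TrustLevel.LOW
    if r.document_matches_selfie and r.liveness_passed and r.device_reputation_clean:
        level = TrustLevel.MEDIUM
        if r.credential_bound:
            level = TrustLevel.HIGH
    return level


def effective_level(chain: list[TrustLevel]) -> TrustLevel:
    """A federated identity is only as trustworthy as the weakest issuer in its chain."""
    return min(chain) if chain else TrustLevel.NONE


def apply_behavior_signal(level: TrustLevel, anomaly_detected: bool) -> TrustLevel:
    """Continuous authentication: an anomalous session drops the identity one tier."""
    if anomaly_detected and level > TrustLevel.NONE:
        return TrustLevel(level - 1)
    return level


def authorize(level: TrustLevel, operation: str) -> bool:
    """Policy decision: is this operation allowed at this trust tier?"""
    return operation in PERMISSIONS[level]


def demo() -> dict:
    # Constructed scenario 1: a government system relying on a bank that only
    # checks card number + password. The whole chain is capped at LOW.
    bank_only = assurance_from_proofing(ProofingResult(
        password_ok=True, document_matches_selfie=False,
        liveness_passed=False, device_reputation_clean=True))
    gov_via_bank = effective_level([TrustLevel.HIGH, bank_only])

    # Scenario 2: the bank performs full proofing and binds a smart credential.
    proofed = assurance_from_proofing(ProofingResult(
        password_ok=True, document_matches_selfie=True,
        liveness_passed=True, device_reputation_clean=True,
        credential_bound=True))
    gov_via_proofed = effective_level([TrustLevel.HIGH, proofed])

    # Scenario 3: the same proofed identity, but session monitoring flags an anomaly.
    after_anomaly = apply_behavior_signal(gov_via_proofed, anomaly_detected=True)

    return {
        "gov_via_bank": gov_via_bank,
        "gov_via_proofed": gov_via_proofed,
        "after_anomaly": after_anomaly,
        "bank_identity_can_delete": authorize(gov_via_bank, "delete"),
        "proofed_identity_can_delete": authorize(gov_via_proofed, "delete"),
        "after_anomaly_can_delete": authorize(after_anomaly, "delete"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The design choice worth noting is that `effective_level` takes the minimum over the chain rather than trusting the primary issuer's own tier: once the government system accepts the bank's password-only identity, its access decisions can be no stronger than LOW, which is the "broken circle" the post describes. Raising the bank's proofing to HIGH lifts the whole chain, and a behavioral anomaly demotes the session without revoking the identity outright.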
Learn more from the Forrester Opportunity Snapshot: "Modern Authentication Methods Protect and Enable the Business."