This year’s Identiverse 2019 conference provided an amazing nexus of identity industry leaders, key technologies, and valuable insights for implementing current and emerging identity systems. It provided a valuable cross-section of current how-to’s plus emerging research that enables companies to deploy securely today, and learn what to plan for in their future identity roadmaps. With pages of notes and quotations, it was a challenge to distil it down, but here are my top 5 key takeaways:
1.Risk Analysis as an Identification Vector
Traditionally, we have built secure authentication systems from a combination of elements: something I know (passwords), something I have (hardware key), and something I am (biometrics). One very intriguing authentication mechanism is emerging that algorithmically profiles authentication access attempts using Risk Analysis techniques in order to determine if the user requesting access is really the authorized user – even if they can provide the required password. Several sessions presented these methods, including Stephen Cox (SecureAuth Masterclass) and Babbit & Andren (Ping Identity Presents: Open Business APIs).
One basic risk analysis metric might evaluate whether a successful login in the US followed by a login attempt 5 minutes later in Japan is a valid attempt. In this case, the risk analysis process would deny the second attempt, because the same user can’t get from the US to Japan in 5 minutes. A more complicated risk analysis method might determine that a given user logs in to their office VPN every weekday at 10 am from a Starbucks near their office. Deviation from a pattern of behavior might point to an invalid login attempt.
SecureAuth gave a great overview of their process method using a series of Risk Analysis layers, which are summarized:
-Recognition of device (e.g., fingerprint)
-Location the request is coming from
-Impossible travel event identified
-Group membership and attribute checking
-Check IP address reputation against lists
-Request coming from anonymous proxy trying to hide IP
-Absorb any 3rd party risk score in the authentication process
-Block access requests from unknown phone carriers
-Block access requests from varying phone types (e.g., VoIP)
-Know if phone has recently been ported (SIM Swap)
-Check IPs against real-time threat intelligence feeds of malicious IPs
-Identity abnormal behavior that could signal attacker presence
Using Risk Analysis methods to model behavior is a very intriguing concept with numerous tangible benefits. One concern with device and behavioral modeling techniques is what effect that might have on user privacy. As privacy becomes a greater concern and as privacy-oriented legislations (e.g., GDPR) emerge, these types of profiling techniques may need to evolve.
2. Usability is a Critical Element of Security
Years ago, I was on a team that developed an immersive Virtual Reality helmet for the US Air Force. While demoing this very cool tech for a General Officer, he replied “Generals don’t wear that, we have Lieutenants to use it for us”. I was a little put off, but the lesson was learned – if you don’t build systems with your customer’s needs and wants in mind, they won’t use them … or worse, in the case of security systems, they will find a way around them.
Contemporary authentication systems have started to employ passwordless authentication, which is often a biometric method that frees users from having to remember passwords. Today’s laptops and mobile phones often scan fingerprints to authenticate a user. As a leading example, Apple’s Face ID scans a depth map created by projecting and scanning 30,000 invisible dots on a user’s face. Apple closely guards access to the on-device subsystem, but they do provide a method for installed apps to authenticate using these biometric methods. Passwordless security is very attractive, because it can make it very easy for users to employ security methods much stronger than the common PIN of ‘1234’ or worse their figuring out how to disable requiring a PIN to access their mobile phones.
Security requires complex encryption, protected secrets, and standardized methods, but we can’t forget the human element. In his SecureAuth Masterclass, Stephen Cox (quoting Jared Spool) summed it up nicely, “If it’s not usable, it’s not secure.”
3. Lots of Authentication Standards to Choose From
The famous Computer Scientist, Andrew Tanenbaum, once wrote, “The nice thing about standards is that you have so many to choose from.” In this, the identity industry does not disappoint. Nearly every session presented one or more of the leading methods, such as: SAML, OpenID Connect, OAuth, FIDO, WebAuthn, two-factor authentication (2FA), multi-factor authentication (MFA), one-time passwords (OTP / HOPT / TOPT), hardware tokens, passwordless authentication (biometrics), risk-based authentication, etc.
So … what should service providers implement?
That’s a tough question, since security is a moving target and service providers usually don’t want to become security experts; they just want to be secure. If it’s not obvious, yet, password-only solutions are bad (although password managers help). 2FA is fairly easy for providers to implement and it mitigates password insecurities. Hardware tokens (e.g., Yubikey) dramatically increase security and can be left in a USB port, so they’re always handy. The current big push is FIDO2, which consists of the W3C’s Web Authentication (WebAuthn) standard and FIDO’s Client to Authenticator Protocol (CTAP). Service providers should be looking at implementing FIDO2, which answers the password problem by eliminating phishing attacks, password theft, and replay attacks.
4.Self-Sovereign Identity (SSI) Technologies
SSI technologies are quickly emerging as a very attractive way for users to create and control their own portable digital identities, rather than letting websites do that on their behalf. SSI enables users to establish a relationship with a new website or service by exchanging cryptographic tokens rather than requiring them to fill out a “create account” form and manage a new login method (e.g., username and password). It also provides Zero Knowledge Proof technology that enables users to prove they have specific credentials (e.g., a driver’s license) without having to provide the personal data details that those credentials contain. One very attractive use case is that users can prove they are over 21 without having to disclose how much older they are or they can even prove that they are a citizen of their country without having to disclose their street address.
Bjorn Hamel (Chief Security Architect at Workday) gave an excellent presentation called Adventures in Self-Sovereign Identity, wherein he walked the audience through a step-by-step overview of the process of setting up and using Hyperledger Indy. He used Indy to demonstrate how SSI Credentials are interoperable across different Human Resources, Government, and Banking systems. Bjorn presented actual message sequences, JSON messages, cryptographic methods, and code snippets used to build his own proof of concept. For those looking to implement Hyperledger Indy in their SSI solution, I would highly recommend reviewing Bjorn’s presentation.
5. Are the world’s governments prepared to legislate digital identity technologies?
In a lively and enjoyable keynote, US Congressman Bill Foster (D-IL) gave an engaging overview of his career in physics and his work in politics. Mostly ignoring partisan issues, Rep. Foster pointed out the unfortunate reality that he has often been the only member of the US Congress with a PhD in a technical field (presently there are 3) out of 535 total members of Congress…
Some estimates show the tech sector constituting a double-digit percentage of the US GDP with the fastest growing employment rate. Beyond typical technology products, the tech sector also impacts nearly every other industry from health care to transportation and manufacturing to energy. As technology migrates society into the world of artificial intelligence, cloud services, and the Internet of Things, both cybersecurity and identity management are two critical infrastructures that will help maintain law and order.
While the government legislators have distinguished themselves in their respective areas, the underrepresentation of technologists is alarming given that new technology laws will come from those largely without a formal background in technology. Rep. Foster’s personal technical interest was made obvious when he related how he waited out a filibuster by downloading and going through machine learning tutorials for Google’s TensorFlow. If we can elect a few more technologists with first-hand knowledge of the technologies they legislate, perhaps, our governments can craft better technology legislation … and introducing a few additional logic-based problem-solving skills couldn’t hurt, either…