Identity can be both simple and complex. When identity is important, how accurate and foolproof does it need to be?

Online identity can be confusing. Our online lives have created a need for a different paradigm to prove identity. Protecting our data and accounts must be more secure and less annoying than a User ID and a Password. Different levels of veracity are needed for different kinds of interactions. The risks associated with an interaction must drive the mechanisms used and the relative security of those mechanisms. To better understand how online identity works (or could work), it is essential first to lay out the elements of any online identity system.

The first element is identity verification. This can be as simple as reciting an account number and verifying an address and birth date. While this might not seem very secure, it is perhaps surprising to learn how many institutions will accept this simple and easily duplicated information as identity verification. In fact, this may be okay if the interaction is for a relatively innocuous exchange, for example, verifying an appointment. However, it would be quite unacceptable to access personal banking information with such a weak authenticator.

Another common identity verification technique is to reuse an identity like an email address where the institution leans on another service like Gmail to authenticate a person based on that email. Again, this is fine if no other personal information is needed, and the only goal is to give the user unique access to an online (non-financial) account. Risk is still involved if that user puts sensitive data into that account. It might be acceptable for online services like video conferencing and others.

More sophisticated and higher veracity identity verification uses advanced cameras (mobile cameras have high resolution these days) and AI to look at official government documents and match facial biometrics to the photo in the ID. They may also do online checking of the document veracity and run AI to detect any document tampering. This could be further enhanced by demanding more than one document and by adding sophisticated liveness detection to ensure the person being identified is not a photo or a mask. This approach reaches the highest veracity possible today, except for using actual DNA (still problematic for identical twins).

The next important element in identity is authentication. Once an identity has been verified (and depending on the level or veracity of the verification), an equivalent quality of authentication is needed. As with identity proofing, there is a range of authentication tools, and, in most cases, some enrollment mechanism is required for subsequent authentications.

The simplest, oldest, and most prevalent method is a User ID and Password. If lightweight identity verification is enough, then this lightweight authentication is also enough. Once the identity verification is complete, creating a User ID and Password is a simple step. Of course, strong passwords will be forgotten, so folks tend to use the same memorable passwords repeatedly. “123456” is the world’s most common password. The history of Internet commerce and, more so, internet banking has proven unequivocally that this form of authentication well …. sucks. ”Improvements” have been made to remedy this situation by adding MFA, which is most commonly an SMS. This has been defeated so soundly (SMS for MFA is not encrypted and is easily hijacked) that it has become illegal for banks to use this technique in Europe. Moving MFA away from SMS to “push notifications” while more secure has also been hacked using the MFA fatigue attack described on the website “Bleeping Computer”.

“When an organization’s multi-factor authentication is configured to use ‘push’ notifications, the employee sees a prompt on their mobile device when someone tries to log in with their credentials. These MFA push notifications ask the user to verify the login attempt and will show the origin of the login attempt. An MFA Fatigue attack is when a threat actor runs a script that attempts to log in with stolen credentials repeatedly, causing an endless stream of MFA push requests to be sent to the account’s owner’s mobile device.

The goal is to keep this up, day and night, to break down the target’s cybersecurity posture and inflict a sense of “fatigue” regarding these MFA prompts. In many cases, the threat actors will push out repeated MFA notifications and then contact the target through email, messaging platforms, or over the phone, pretending to be IT support to convince the user to accept the MFA prompt.”

The problem with any authentication technique that depends on something you know is that things you know can be stolen through data breaches or hacked through software attacks. MFA helps but has also proven to be easy to defeat.

A second form of authentication requires a physical device (something you have). This could be a mobile phone, a USB device for a computer, or even a physical fob you hang from your keychain. Phones can be SIM swapped and hijacked, and fobs can be stolen or duplicated (not easy, but doable). Significant improvements have been made in mobile tech, including device-based biometrics (assuming a pin code back door is not provided) tied to registered certificates for specific accounts. Tied to a robust identity verification process used at enrollment, this is a positive step forward from userIDs, passwords, and MFA. 

The third form of authentication is cloud-based biometrics. The rich sensors on mobile devices continue to drive higher veracity authentication. This amounts to something you are. Facial biometrics and liveness verification have claimed up to 1 in 125 million false acceptance rates. Even higher veracity can be achieved by adding location biometrics, voice biometrics, and behavioral biometrics. 

The key factor to consider with any authentication is the user experience and creating an authentication mechanism proportional to the risk. For example, asking for an account balance may be fine using a mobile device and biometrics. Transferring large sums of money may demand higher veracity of cloud-based biometrics and perhaps several different ones.

There are also other factors to be considered, especially around user experience. The use of cloud-based biometrics mitigates the loss of passwords. Users never stop being who they are (except maybe in the movie Face Off). It also mitigates the loss or theft of devices. 

On the other hand, device biometrics are fast and provide a pleasant user experience. The pushback on the collection of biometrics centrally can also drive more adoption of mobile-based biometrics, which never leaves the device.

Despite the drive for the best possible identity verification and authentication, it is not a one size fits all world. Risk and associated user experience are important factors to consider. A framework (for example, Journey Elevate) providing verification and authentication flexibility is fundamental to delivering suitable veracity and experience for the applications involved.

Michael Frendo Headshot

SVP/GM High End Security BU Juniper, EVP Engineering Polycom, VP Engineering & Advanced Product Development Cisco, Founder VoIP Forum. Executive leadership roles at: Infinera, McData, Avaya, and Nortel.