IT Professional | 2019

The Future of Identity


Abstract


& businesses are moving rapidly from centralized systems behind corporate firewalls to Software-as-a-Service (SaaS) vendors spread across the globe. Many of these services reduce costs, guarantee better availability and reliability, and offer advanced cyber-threat prevention and detection, so attackers have moved to a new attack surface: identity. Phishing attacks are the first step in over 90% of recorded data breaches. Through social engineering, clever faux webpages, and fake URLs that look similar to the genuine URLs, attackers can hijack a user's credentials and, because of single-sign-on (SSO) federation, compromise many associated accounts. Multifactor authentication (MFA) via one-time passwords, tokens, or biometrics has greatly reduced such attacks because it requires an ephemeral piece of information to supplement the password that serves as the primary factor in most authentication sessions. But MFA is deployed at only half of all websites that use authentication, is adopted by only 11–27% of users, and is susceptible to attack via SMS hijacking, such that NIST recommends against the SMS variant. The situation will get worse before it gets better. Our digital identity is increasingly used for critical aspects of our lives, including money, travel, healthcare, and education. In 2018 it was estimated that most users have over 90 separate online accounts; by 2025, users are estimated to have over 200 online accounts. Past data breaches have yet to be fully exploited by identity thieves, who will wreak havoc on this delicate system. As a result, online accounts will increasingly require identity proofing and verification (IDP&V) before credentials are issued. The days of "signing up" in a few minutes will be far away in the rear-view mirror. IDP&V is already used globally by banks as a result of efforts to reduce money laundering and terrorist financing. Obtaining a bank account in most countries requires "know your customer" due diligence by the bank to vet applicants for past criminal activities and associations. In addition, banks are required to conduct continuous anti-money-laundering monitoring to keep their records up-to-date. Broader use of IDP&V will improve online identity management, reduce the risk a relying party takes in authorizing a request for access, and allow users to employ SSO identity providers more safely. An identity provider can increase the trust that relying parties place in a transaction because the transaction can be associated with an identity vetted to an actual individual rather than to a bot or identity thief.

NIST 800-63-3 was published in 2017 and includes identity assurance levels (IALs):

IAL1: self-asserted attribute
IAL2: indirect evidence for veracity of attribute
IAL3: in-person proof of veracity of attribute

and authentication assurance levels (AALs):

AAL1: single-factor authentication
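The abstract's point is that a relying party gains from a federated assertion only if it checks what the identity provider actually vouches for: how the identity was proofed (IAL) and how strongly the session was authenticated (AAL). The following is an added example, not code from the editorial or from NIST; it shows a relying party applying a per-resource minimum (IAL, AAL) to an SSO assertion and failing closed on anything it does not recognise. The claim names `ial`/`aal`, the issuer URL and the policy table are assumptions for illustration; IAL1-3 are as listed above, and AAL2 (two factors) and AAL3 (hardware-backed authenticator) are the remaining levels defined in NIST SP 800-63B.

```python
"""Relying-party access decision on NIST SP 800-63-3 assurance claims.

Added illustration; the assertion claim names ("ial", "aal"), the trusted
issuer and the policy table are assumptions, not a standard or the
editorial's own scheme.
"""
from dataclasses import dataclass
from typing import Dict, Tuple

# Levels are ordinal: a higher rank means stronger proofing or authentication.
# IAL1-3 are as listed in the editorial; AAL2 (two factors) and AAL3
# (hardware-backed, verifier-impersonation-resistant) come from SP 800-63B.
IAL_RANK: Dict[str, int] = {"IAL1": 1, "IAL2": 2, "IAL3": 3}
AAL_RANK: Dict[str, int] = {"AAL1": 1, "AAL2": 2, "AAL3": 3}

# Identity providers the relying party has a federation agreement with (assumed).
TRUSTED_ISSUERS = {"https://idp.example.net"}

# Minimum (IAL, AAL) each resource requires (assumed policy for this example).
POLICY: Dict[str, Tuple[str, str]] = {
    "/newsletter": ("IAL1", "AAL1"),
    "/account/transfer": ("IAL2", "AAL2"),
    "/admin/keys": ("IAL3", "AAL3"),
}


@dataclass(frozen=True)
class Assertion:
    """What the relying party receives from the identity provider after SSO."""
    subject: str
    issuer: str
    ial: str
    aal: str


def decide(assertion: Assertion, resource: str) -> Tuple[bool, str]:
    """Return (allowed, reason). Anything unknown fails closed."""
    if assertion.issuer not in TRUSTED_ISSUERS:
        return False, "untrusted issuer"
    if resource not in POLICY:
        return False, "unknown resource"
    if assertion.ial not in IAL_RANK or assertion.aal not in AAL_RANK:
        return False, "unknown assurance level"
    need_ial, need_aal = POLICY[resource]
    # Proofing is checked first: a strong authenticator on an unvetted identity
    # still does not tell the relying party who is behind the account.
    if IAL_RANK[assertion.ial] < IAL_RANK[need_ial]:
        return False, f"identity proofing {assertion.ial} below required {need_ial}"
    if AAL_RANK[assertion.aal] < AAL_RANK[need_aal]:
        return False, f"authentication {assertion.aal} below required {need_aal}"
    return True, "allowed"


def step_up_needed(assertion: Assertion, resource: str) -> bool:
    """True when only authentication strength is short, so the relying party
    can ask the IdP to re-authenticate with a stronger factor instead of
    refusing outright; a proofing gap cannot be closed at login time."""
    if (resource not in POLICY or assertion.ial not in IAL_RANK
            or assertion.aal not in AAL_RANK):
        return False
    need_ial, need_aal = POLICY[resource]
    return (IAL_RANK[assertion.ial] >= IAL_RANK[need_ial]
            and AAL_RANK[assertion.aal] < AAL_RANK[need_aal])


if __name__ == "__main__":
    # Constructed sample: a vetted user who only completed single-factor login.
    alice = Assertion("alice", "https://idp.example.net", "IAL2", "AAL1")
    print(decide(alice, "/account/transfer"))       # (False, 'authentication AAL1 below required AAL2')
    print(step_up_needed(alice, "/account/transfer"))  # True
```

The ordering of the checks matters: issuer trust and level validity are decided before any comparison, so a typo'd or forged level name can never be read as "high enough", and a proofing shortfall is reported before an authentication shortfall because only the latter can be remedied by a step-up prompt.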

Volume 21
Pages 14-15
DOI 10.1109/MITP.2019.2912739
Language English
Journal IT Professional
