Identity Authentication – Everything You Want to Know
After years of identity management actually being a thing, meaning a process and even an entire ecosystem at most enterprises, there are still people who confuse two terms: authentication and authorization. Sometimes they think that authentication is the art of determining who an individual is, because “authenticating” is often associated with figuring out if a piece of art was actually created by a particular painter or sculptor. But in the identity and access management (IAM) universe, we have specific delineations.
- Verification is bringing you onboard at the outset. You register, you announce your presence, you say, this is me for the first time, and please recognize me every time I come back. This means that part of the verification process is establishing the credentials that the user will leverage going forward.
- Authentication means, maybe that’s you coming back to claim those assets, but please authenticate yourself. As in, present your credentials. If they match up with who you said you were at the outset, I’ll let you in.
- Authorization means, you’ve authenticated, so I now know who you are, and here are the digital assets you are authorized to access.
HOW IDENTITY AUTHENTICATION WORKS
For this discussion, we’re going to focus on Authentication. You say you’re that person coming back, but please present your bona fides so I can trust you and let you in. You are authenticating. This means you are asserting your identity, which, to a criminal, means presenting things that appear to be you. So it’s crucial to ensure that only you can present those things, whether it’s simple credentials or, better yet, something far less likely to be repudiated or duplicated.
Traditional authentication has long entailed the simplest of credentials, username and password. And this is still the way the majority of users announce their presence. But authentication can (and should) encompass so much more nuance, to ensure the safety of the individual as well as the enterprise.
At the end of the day, it’s this simple: authentication determines whether the user being presented should be granted access to the desired resources or services. So while it makes use of the profile created at origination, it is a very different process, and it is the one in use every time thereafter. So before you research identity authentication technology, understand which tech does what, so that you’re attacking the proper use case.
THE BENEFITS OF IDENTITY AUTHENTICATION
The benefits of authenticating oneself seem terribly obvious. You are able to get into your digital world, and somebody else with bad intentions cannot. They cannot prove themselves to be you. But authentication provides much more than just that.
Authentication can also be the starting point for the user journey. A user may authenticate as a consumer and is routed to the appropriate page for them to shop, bank, interact, or otherwise access what they logged in for in the first place. A privileged user, such as a database admin or HR staff member, may be routed to pages that are not accessible to the average user. Privileged access may therefore be subject to more stringent authentication requirements, which we’ll discuss shortly.
Whether you’re logging into a consumer site (retail, banking, social media, etc.) or your employer’s infrastructure, there are benefits to that other side, the enterprise. First, they protect their house as well. If you are an employee, you are working with corporate assets that the employer presumably wishes to stay in the family. These can be funds, intellectual property, proprietary information, PII, or other sensitive information.
Companies have literally been brought down by the theft of intellectual property that was enabled by stolen credentials. Recent ransomware attacks costing many millions were executed through social engineering that allowed criminals to authenticate as privileged users. Massive data breaches have been made possible through the use of stolen credentials, resulting in the exposure of PII as well as the costs of lawsuits and mitigation of the security holes. And so on.
Consumer sites naturally want only legitimate customers to execute transactions in their ecosystems. An unsecured site is not a desirable place to do business and can drive people away. They don’t wish to be staging areas for money laundering or other illicit traffic. And whether consumer or workforce, organizations worry about reputational risk.
Many organizations, both public sector and private, have strong authentication requirements which help them achieve compliance with a variety of laws and standards, while many have either the obligation or the strong desire to follow technical and industry standards. Before doing business in the public sector, vendors must meet stringent requirements, especially when servicing federal agencies. These sorts of standards have become even more vital since the heavy adoption of SaaS apps.
Customers of large companies often perform their own audits of their providers, such as for ISO and SOC2. For example, you can’t enforce role-based access unless your users are authenticating to an identity which provides specific privileges.
Finally, authentication platforms allow organizations to measure their traffic. Large numbers by themselves may be something to advertise. But it’s useful to know how many people, and possibly even from which demographics, are accessing certain assets. More valuable destinations may indicate where a company will put their next efforts. Spikes in traffic can point to the need to scale operations.
THE PROCESS OF IDENTITY AUTHENTICATION
So what are the steps to identity authentication? There is no one-size-fits-all. The process largely depends on the types of users and the criticality of the assets being protected behind that authentication wall.
Regardless of that journey, it all starts with the user arriving at a login form or portal, and the presentation of their credentials, which can take many forms.
As a reminder, identity verification sets the user up on Day Zero by stating, I didn’t know who you were but now I do, and here is how you will be able to log in every day hereafter (meaning, let’s set up your credentials). So identity authentication leverages, on Day One and beyond, the work done on Day Zero.
TRADITIONAL IDENTITY AUTHENTICATION METHODS
Regardless of the full form of the credentials, the first component is the user’s basic identity, typically a username. This could be auto-assigned, or the user’s email, the actual name with the first and last name separated by a dash, a dot, an underscore, or nothing at all. Then there is always at least one other component, in the form of:
- Passwords. Once again, this is still overwhelmingly the factor for access, as well as the single most common attack vector. Stolen, guessed, phished, socially engineered, or illicitly reset passwords are the scourge of users and admins. Almost half of US employees have admitted to accessing a former employer’s email and other functions using their old passwords, and fewer than 14% have been caught.
- Hard tokens. These are fairly secure, in fact, as long as they stay in the right hands. But therein lies the problem. They are expensive and difficult to provision, distribute, and get returned. But yes, secure.
- Passkeys, otherwise known as FIDO credentials. These are digital passports consisting of a private and a public key, and they are typically site or application specific. They can be bound to a device and/or a biometric or other unlocking mechanism. They can’t be phished, because the private key never leaves the user’s device, and a thief who obtains only one key cannot use it, since authenticating requires the matching other key. Passkeys serve multiple purposes, in that they assert not only identity but app-specific access. The issue with passkeys is their lack of widespread adoption. Major providers such as Apple, Google, and Microsoft support them, but they haven’t trickled down across many industries.
- Digital certificates. These used to be ubiquitous, and are still in use, but they can cause disruption with inconsistent expiration policies and the difficulty in updating.
- Biometrics. Voice, face, and fingerprint are good ways to identify a user, not just the possessor of a password or device. They can be challenging to spoof, although it happens. Voice is getting shaky because of deep fakes. Fingerprint is no longer widely supported on various hardware platforms, even compared to just a handful of years ago. Facial biometrics are still a solid method for authentication, and a spoofed face is very difficult to insert into an authentication process.
- Device. The most common one is a smartphone, which can contain a passkey or other credential. The phone can be identified through several characteristics, and bound to the user’s identity. But when presented, the phone only asserts that somebody is holding it, not necessarily the correct someone.
- Multi-factor authentication. This entails a combination of two or more of the above factors. Password plus device. Device unlocked by a biometric. Passkey unlocked by a biometric. Password and certificate or token. It is definitely a far greater challenge for bad actors to spoof multiple strong factors. But not impossible. In many industries and public sector practices, multi-factor isn’t just suggested, it’s required.
There are also step-up methods that are employed when the risk of a transaction is elevated. Knowledge-based authentication, or KBA, was once very popular. Mother’s maiden name, model of first car, amount of first mortgage, etc. Or sometimes the user is prompted to create their own security questions upon registration. But these have far too often been compromised through social engineering or use of the dark web. Criminals can pay to get PII which may be used against KBA, involving information that is so old, even the legit users don’t remember it.
Document verification, wherein a user provides a physical ID, is also popular, but it is a far more user-friendly method when used at verification, not at the inconvenient time of an actual transaction. Too many vendors use boiler rooms of actual people to validate IDs, meaning complete strangers have access to those documents. This is also terribly slow, for obvious reasons.
Once the credentials are presented, the information is compared with the expected values. Passwords are hashed and compared to the stored hash. Biometrics are compared to the templates on file. Documents are reviewed, by people or by automation. Passkeys are validated through the private and public key pair. Digital certificates are validated through the certificate authority. Through whatever means, the credentials are approved, or not.
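The password branch of that comparison, written out as an added example (this is illustrative code, not authID’s or any vendor’s implementation). It separates the Day Zero step (derive a salted hash and store it) from the Day One step (recompute from the stored salt and compare). Two details a practitioner would want are included: the comparison is constant-time so response timing does not leak how much of the hash matched, and the key derivation runs even for a username that does not exist, so timing does not reveal which accounts are real. The PBKDF2 parameters, the record format and the in-memory “directory” are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# KDF parameters are an assumption for this example. The iteration count is
# stored inside each record so it can be raised later without re-enrolling users.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """Day Zero: derive a salted hash and encode it as one self-describing string."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Day One and beyond: recompute from the stored salt/parameters and compare.

    hmac.compare_digest runs in constant time, so a partial match takes exactly
    as long as a total mismatch.
    """
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record: fail closed
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


# A record for a throwaway password, used so that unknown usernames still cost
# one full KDF run (constructed here, not a real account).
_DUMMY_RECORD = hash_password(secrets.token_hex(16))


def enroll(directory: Dict[str, str], username: str, password: str) -> None:
    """Day Zero: the directory keeps only the hash record, never the password."""
    directory[username] = hash_password(password)


def authenticate(directory: Dict[str, str], username: str, password: str) -> bool:
    """Day One: verify against the stored record; unknown users get the dummy record."""
    record = directory.get(username, _DUMMY_RECORD)
    matched = verify_password(password, record)  # always runs the KDF
    return matched and username in directory


if __name__ == "__main__":
    users: Dict[str, str] = {}
    enroll(users, "alice", "correct horse battery staple")  # constructed sample user
    print(authenticate(users, "alice", "correct horse battery staple"))  # True
    print(authenticate(users, "alice", "wrong password"))                # False
    print(authenticate(users, "nobody", "anything"))                     # False
```

Storing the algorithm name and iteration count with every record is what lets an operator tighten the policy over time: a login that succeeds against an old, weaker record can be re-hashed with the current parameters on the spot.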
For many years, user directories have been employed. These are not mere databases, but rather highly indexed, very fast, and organized by branch or group. A user may be situated in one or more groups which grant them specific access, either to particular applications or levels of privilege. Once authenticated, the user’s binding to a group may be invoked, giving them the access appropriate to them as an individual or member of a group.
A secondary, but incredibly common, process under the umbrella of identity authentication, is account reset. This arises when a user forgets their password, ignores password reset warnings, or changes the device they originally registered with. Resets are a favorite attack vector for identity criminals. We’ll talk about this in detail shortly.
ENTERPRISE IDENTITY AUTHENTICATION SOLUTIONS
Companies host identity authentication platforms for 1) internal users and 2) external users. Internal users can be employees and partners. External users can be consumers. The level of security typically depends on the sensitivity of the sites being accessed. Informational pages require little to no authentication. Transactional sites obviously require more. Internal, corporate assets are usually strongly locked down (but not always).
Corporations most often employ enterprise identity authentication solutions that are multi-layered. There is a database or directory where the user identities live, and which is used for comparing the credentials presented with the credentials that were established on Day Zero. There is an authentication layer, which may also serve as the single sign-on platform.
In a consumer situation, most users are in the same grouping: they buy products and consume services. In a workforce scenario, there are many layers of users across many groups. Privileged users can be segmented into HR, finance, sales ops, engineering, IT, etc. They all have enhanced access, but in different applications and different sets of sensitive information. Therefore they may have different ways to authenticate. Enhanced access often means stronger identity authentication.
In larger organizations, there is an over-reliance on big name vendors for security. But these vendors are no guarantee. One such major vendor’s failures allowed a massive and very costly ransomware attack in Las Vegas just recently. Others have failed at perimeter protection, or suffered breaches that put millions of individuals’ data at risk. This is why redundancy and segmentation are necessary, to have a backup as well as to limit the damage if a breach does occur.
A particular attack pattern is called credential stuffing, in which a bad actor determines a user’s password for a specific account, then tries that password on every other account. Users who employ the same password across most or all of their apps are particularly vulnerable to this attack. Some 35% of Americans use unique passwords for all their accounts, which clearly helps mitigate the damage in the event a single password is hacked. When this happens at the consumer level, there’s nothing an organization can do about it. However, at the enterprise level, randomly generating passwords that are managed by the SSO platform and which the end user actually can’t access mitigates the issue of stuffing. However, that also means protecting that initial login is paramount.
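From the defender’s side, credential stuffing has a recognisable shape in the authentication log: one source tries many different usernames in a short window, and nearly all of the attempts fail, whereas a legitimate user who mistypes once retries the same username, and a brute-force attempt hammers one account. The following added example (not code from the page or from any vendor) runs that detection over a handful of constructed log lines; the log format, thresholds and IP addresses are assumptions for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional

# Assumed log format for this example: "<iso-timestamp> ip=<src> user=<name> result=OK|FAIL"
LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")


def parse_line(line: str) -> Optional[dict]:
    """Turn one log line into an event dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return {"ts": ts, "ip": m["ip"], "user": m["user"], "ok": m["result"] == "OK"}


def detect_stuffing(lines: Iterable[str], window: timedelta = timedelta(minutes=10),
                    min_users: int = 5, max_success_rate: float = 0.2) -> Dict[str, dict]:
    """Flag source IPs that, within any sliding window, touch many distinct usernames
    with a low success rate. Returns {ip: summary of the widest offending window}."""
    events = [e for e in map(parse_line, lines) if e is not None]
    by_ip: Dict[str, List[dict]] = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings: Dict[str, dict] = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits within `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            successes = sum(1 for e in win if e["ok"])
            if len(users) >= min_users and successes / len(win) <= max_success_rate:
                prev = findings.get(ip)
                if prev is None or len(users) > prev["distinct_users"]:
                    findings[ip] = {
                        "distinct_users": len(users),
                        "attempts": len(win),
                        "successes": successes,
                        # Accounts the attacker got into: these need forced resets and MFA review.
                        "hit_users": sorted(e["user"] for e in win if e["ok"]),
                    }
    return findings


# Constructed sample log: a normal user (198.51.100.4) retries once, a stuffing
# source (203.0.113.7) sprays eight usernames and lands one, and a single-account
# brute force (192.0.2.9) keeps hitting "dave".
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ip=198.51.100.4 user=alice result=FAIL
2024-05-01T10:00:09Z ip=198.51.100.4 user=alice result=OK
2024-05-01T10:01:00Z ip=203.0.113.7 user=alice result=FAIL
2024-05-01T10:01:01Z ip=203.0.113.7 user=bob result=FAIL
2024-05-01T10:01:02Z ip=203.0.113.7 user=carol result=OK
2024-05-01T10:01:03Z ip=203.0.113.7 user=dave result=FAIL
2024-05-01T10:01:04Z ip=203.0.113.7 user=erin result=FAIL
2024-05-01T10:01:05Z ip=203.0.113.7 user=frank result=FAIL
2024-05-01T10:01:06Z ip=203.0.113.7 user=grace result=FAIL
2024-05-01T10:01:07Z ip=203.0.113.7 user=heidi result=FAIL
2024-05-01T10:02:00Z ip=192.0.2.9 user=dave result=FAIL
2024-05-01T10:02:05Z ip=192.0.2.9 user=dave result=FAIL
2024-05-01T10:02:10Z ip=192.0.2.9 user=dave result=FAIL
2024-05-01T10:02:15Z ip=192.0.2.9 user=dave result=FAIL
2024-05-01T10:02:20Z ip=192.0.2.9 user=dave result=FAIL
"""


def run_sample() -> Dict[str, dict]:
    return detect_stuffing(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for ip, summary in run_sample().items():
        print(ip, summary)
```

The brute-force source is deliberately not flagged here: it touches one username, so it belongs to a separate per-account lockout or rate-limit rule. Keeping the two detections distinct matters because the response differs, and the `hit_users` list is the part of the finding that drives action: those accounts were entered with a reused password and need a forced reset.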
BEST PRACTICES FOR IDENTITY AUTHENTICATION
Common sense isn’t so common, as it’s said. And many best practices are just common sense. Most organizations employ that common sense for identity authentication to at least some degree. Whether you’re building, buying, integrating, or assembling, simple logic should guide you. Let’s review some best practices that really shouldn’t need review.
First off, authentication shouldn’t just be a simple set of credentials, except for the most basic access. Even Facebook accounts are used for nefarious purposes, even though the majority of users are just posting what they had for dinner, or pics of their grandkids. True authentication should be some combination of what you know, what you have, and in the case of biometric, who you are (sometimes called inherence). But even among those combo pieces, there are best practices at a granular level.
Passwords. They shouldn’t be the only factor vouching for the username or account number, even for consumers. In the US, we complain if airport security takes more than ten minutes, but the average air traveler would be horrified if they knew how many weapons are confiscated by the TSA each year, which begs the question, how many got through and were on my plane? So consumers should be happy to deal with an extra factor, although they often do not.
Passwords should be cycled, i.e. they can’t be allowed to live forever. They should also be strong. Why are “password” and “123456” such common passwords? Because somebody lets them be. Password rules and policies should be stringent. And passwords should be the sole factor only if the assets they protect are of low value or sensitivity.
Multi-factor authentication. If passwords do have to be in the mix, then they should absolutely be complemented by other factors, such as device, token, OTP, PIN, KBA, or passkeys. But if the key to the extra factor is still a password, what’s the point? Passwords should not be the way to circumvent or reset that other factor. Otherwise, that factor inherits the weakness of passwords.
Best Biometric Identity Authentication. While multi-factor authentication is a great hedge against the inherent weaknesses of passwords, the majority of these factors only validate physical ownership or knowledge. Biometric matching of face, fingerprint or voice validates the individual themselves.
Disallow faceless help desk resets. No matter how much somebody sounds like that guy from IT who’s lost his access and needs you to reset him over the phone, don’t do it.
ISSUES WITH IDENTITY AUTHENTICATION
Name and password don’t guarantee identity; they only guarantee that somebody is typing something in, regardless of whether it’s actually them.
Users continue to be their own worst enemies. Some 13% of Americans use the same password for every account, which puts them at risk for the aforementioned credential stuffing attack. A Google poll indicates that 1 in 8 Americans drags the same password around for all their accounts. And more than half reuse the same password for at least some of their apps.
As stated above, even when multi-factor is employed, all too often passwords are the route to setting up and even resetting that other factor, greatly diminishing the security, and therefore the value, of the second factor.
Password resets and forgotten password links continue to be prime targets for criminals who leverage dark web data, social engineering, malware, and other tools to reset that password to something of their own choosing.
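The weakest-link point made in the best-practices section and restated just above (a second factor that can be re-enrolled after a password-only login is worth no more than the password) can be made mechanical. The following is an added example, not code from the page or from any vendor: it models each factor together with the factor combinations that are allowed to reset it, and computes the effective assurance of a login as the weakest path an attacker could take. The ordinal strength scale and the sample configurations are assumptions chosen to illustrate the reasoning.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Illustrative ordinal assurance scale (assumption for this example): higher
# means harder for an attacker to defeat. Password and KBA sit at the bottom.
STRENGTH = {"password": 1, "kba": 1, "sms_otp": 2, "totp": 3, "passkey": 4, "face_biometric": 4}


@dataclass
class Factor:
    kind: str
    # Each reset path lists the factor names that must ALL be presented to
    # re-enroll or reset this factor. An empty list means it cannot be reset.
    reset_paths: List[List[str]] = field(default_factory=list)


def path_strength(factors: Dict[str, Factor], names: List[str], seen: Set[str]) -> int:
    """Every factor in the path is required, so the strongest one is what stops an attacker."""
    return max(effective_strength(factors, n, seen) for n in names)


def effective_strength(factors: Dict[str, Factor], name: str, seen: Optional[Set[str]] = None) -> int:
    """A factor is only as strong as the easiest way to reset or re-enroll it."""
    seen = set() if seen is None else seen
    factor = factors[name]
    own = STRENGTH[factor.kind]
    if name in seen or not factor.reset_paths:
        return own  # nothing resets it, or we are already inside its own evaluation (cycle guard)
    weakest_reset = min(path_strength(factors, path, seen | {name}) for path in factor.reset_paths)
    return min(own, weakest_reset)


def login_strength(factors: Dict[str, Factor], required: List[str]) -> int:
    """Effective assurance of a login that demands every factor in `required`."""
    return path_strength(factors, required, set())


# Constructed configuration 1: password + authenticator app, but the app can be
# re-enrolled after a password-only login (the pattern the text warns about).
PASSWORD_GATED_RESET = {
    "pw": Factor("password"),
    "app": Factor("totp", reset_paths=[["pw"]]),
}

# Constructed configuration 2: same login factors, but re-enrolling the app
# requires a facial biometric match instead of the password.
BIOMETRIC_GATED_RESET = {
    "pw": Factor("password"),
    "face": Factor("face_biometric"),
    "app": Factor("totp", reset_paths=[["face"]]),
}


if __name__ == "__main__":
    print("password-gated reset :", login_strength(PASSWORD_GATED_RESET, ["pw", "app"]))   # 1
    print("biometric-gated reset:", login_strength(BIOMETRIC_GATED_RESET, ["pw", "app"]))  # 3
```

In the first configuration the login nominally requires two factors, yet the computed assurance is 1: whoever holds the password can discard the existing authenticator and enroll their own. Moving the reset gate to a factor that does not depend on the password restores the second factor’s value, which is exactly the review a practitioner should run over every “forgot my device” and help-desk flow.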
THE FUTURE OF IDENTITY AUTHENTICATION
Where is identity authentication headed? There are several targets on the horizon, but of course a lot of success in the IT world depends on adoption, meaning how many organizations will pick up the ball and run with it. There have been many standards invented by experts, for experts, and which died on the vine. But here are the candidates.
- Web 3.0. This is an under-development idea of a decentralized, bottom-up design for the web where users are connected by meaningful data and control their own data. In such a world, the web is not dictated only by major vendors. The decentralized aspect requires that it be built on …
- Blockchain. Here’s another technology that has never lived up to its potential, although it is slowly being adopted. Perhaps this slow pace is the result of bitcoin not hitting $100K, since blockchain is the backbone of crypto. Also, there were crypto coins designed specifically for identity, and their business model fell apart. With blockchain, users can control their own identity data, which cannot be repudiated by criminals or faulty credit hits.
- Passkeys, aka FIDO credentials. These are excellent constructs, based on private and public keys which cannot be phished or corrupted by thieves who cannot steal both sides of the equation. However, once again it is the lack of widespread adoption that has hampered their use, even though Google, Microsoft, Apple, and other industry leaders support them.
- Biometrics. They’re already here, with a large portion of major institutions using or planning on using them. But here are the hiccups. Deep fake voices are scaring people off of voice biometrics. And fingerprint capabilities have been dumped by several hardware vendors. Fortunately, facial biometrics are still a secure approach, and easily supported on desktop and smartphone.
SO WHO USES IDENTITY AUTHENTICATION?
There are use cases for secure identity authentication solutions in virtually every industry, every vertical. But why do they find it necessary?
Consumer banking needs to ensure only the right customers access the right accounts, while commercial banking entails far larger transaction amounts. Call centers have long been weak spots (including in a very recent and very massive breach in Nevada that was all over the news), and authentication can mitigate the human factor. In car rentals or ride sharing, it’s important to verify who’s picking up a car, getting a ride, or giving a ride. Online dating? As with rideshares, it’s a matter of personal, physical safety.
E-signatures typically only verify that somebody had an email link. Why not authenticate the signer? It’s a similar use case to online notary services. Financial services, with online banks, loans, stock trades, wire transfers, money services, and other platforms, absolutely need security in the form of identity authentication, since the largest share of identity theft and spoofing has the objective of profiting at someone else’s expense. In the US, anyone engaging in financial transactions must first be compliant with the requirements for Patriot Act identity authentication (KYC, CIP).
Healthcare identity verification protects sensitive medical records, ensures that only eligible patients receive their meds, and (believe it or not) makes sure that impostors don’t get someone else’s surgery (because that happens).
Higher education. Student loans are rife with mules. College email addresses, which are easily provisioned yet not commonly deprovisioned, are often used in scams. Universities store all manner of sensitive personal, medical, and financial data. Therefore colleges have a strong need to practice secure authentication methods.
THE PROCESS OF FINDING SECURE IDENTITY AUTHENTICATION SOLUTIONS
Just like anything you might shop for, identity authentication providers need to be examined before buying. It’s a common myth that if you try something out for a while and it doesn’t work out, you can simply change your mind and swap it out later. But there are two problems with that. First, try this: “Hey boss, that so-called best identity authentication technology I got you to write a check for last year? Turned out to be no good. Can you write me a check for a new one?” Good luck with that. Before you can pick that next solution, you need to compare identity authentication technology options.
The other issue is the technical swap-out. Identity authentication is so critical in an infrastructure, so integral to the user experience as well as enterprise security, that it is not a trivial thing to drop one and add another. It may bind with the company directory, it introduces the user to the enterprise at the outset of every transaction, and it hands a verified identity to the downstream applications. It needs to be as trusted as the users themselves, in order to ensure that only the right people get in the door, with every request for a digital asset.
So it’s vital to put serious effort into searching for the best identity authentication technology. Analyst reports can be useful, but always with the caveat that vendors can pay for positive reviews or even writeups. The ability to integrate with single sign-on platforms is important, since once an identity is verified, it must be propagated downstream. If stronger verification is required in the form of facial, voice, or fingerprint, then it’s also important to read biometric identity authentication reviews. In the end, speed and user experience are crucial to the end user, which also helps the enterprise with retention, and accuracy is important to both parties.
Read the identity authentication technology reviews, read the blogs, read the data sheets, so that before you spend, you research all your options for identity authentication technology.
MAKE THE RIGHT CHOICE FOR THE BEST IDENTITY AUTHENTICATION
How did we become the best identity authentication platform on the market? authID began its life as the most accurate and trusted biometric authentication platform by aiding third world countries in holding free and fair elections. We accomplished this by registering legitimate voters, then authenticating them at polling time to ensure that only those legit voters were the ones casting their ballots. Since then we have rolled out our solutions to financial services companies, workforce management companies, banks, healthcare, and other organizations who wish for only bona fide employees or consumers to access their most sensitive digital assets.
authID verifies the validity of physical ID documents (driver’s licenses, passports, state-issued IDs, etc.), supporting over 13,000 documents from over 200 countries and territories around the world. We use dozens of security checks and markers to ensure that the document was in fact issued by the authority it claims. We then verify the user by their selfie, checking for liveness. Whether it’s the document or the person, we make sure it’s really that doc, really that person, and not a picture of a picture, not a printout, but indeed legit. We then match up the selfie to the document image. Document good, you’re good, and you’re good together.
authID provides the best user experience on the market, with an interface that literally walks you through the capture process with virtual frames and digital guidance. And we process that data in under 700 milliseconds. Nothing friendlier, nothing faster.
Once that facial biometric is registered, all you need is your face to authenticate, day after day, on your smartphone or your laptop. If you lose or upgrade your device, all you need is that selfie once again to instantly and seamlessly recover your access. So on Day Zero we verify it’s you, and on Day One and beyond we guarantee it’s still you, and come on in.
As stated above, you need to do your research. This means taking the time to compare biometric identity authentication solutions. When you do, you will find authID in the leader’s category.
It’s the greatest level of assurance with the least friction, meaning the best identity authentication option available. To learn more about the fastest, most seamless and most accurate biometric authentication solution on the market, please reach out to us at http://authid.ai, where our friendly faces will teach you how your own friendly face can be the key to secure access.