Moving Beyond Passwords
Hardware and biometrics are up next in the evolution of digital identity verification.
Powered by recent advances in artificial intelligence and machine learning, long-hyped technologies such as facial recognition and behavioral biometrics are promising frictionless identity authentication. In the near future, people will be able to prove who they are without even trying and sometimes without even knowing they’re doing it.
Identity is big business, and the technology that verifies identifications is in the midst of its second revolution in as many decades. According to Gartner research, global spending on identity and access management information technology was $8.8 billion last year. Driven by regulations such as the EU’s General Data Protection Regulation as well as increasing business digitization and customer demand for convenience, spending should rise steadily to $9.8 billion this year and $10.6 billion in 2019, Gartner predicts.
Some prophets of the new era promise it will usher in an age in which the old trade-off between convenience and security will be eliminated. And there are Cassandras who predict new technologies will precipitate the emergence of a pervasive state of surveillance. But the surveillance won’t be done by a state; instead, the private sector will perform much of the oppressive watching.
For most of the 20th century, proof of identity in the United States largely was a government-provisioned business. Governments issued birth certificates to formally record people’s names; Social Security numbers (SSNs) to give individuals a unique personal identifier; and photo IDs such as passports and drivers’ licenses to prove the identity of individuals when inspected by officials.
The technologies that governed the paper-and-plastic domain featured anti-forgery characteristics and tamper-proofing techniques, and the government was on the cutting edge. But in the final decade of the 20th century, an online world began to emerge where Americans provisioned their own identities. They chose a username and a password to prove they were a specific user and no one else.
It was a wild west full of anonymity and pseudo-identity satirized in a now iconic 1993 Peter Steiner New Yorker cartoon: “On the Internet,” a large dog seated at a keyboard-screen combo says to a small dog, “nobody knows you’re a dog.”
It was true, but it didn’t matter. The consequences of a dog getting its own email account or even posting commentary on Reddit were trivial. “It was good for a chuckle,” says Jeremy Grant, director of the Better Identity Coalition, an industry group that advocates for secure identity. “Back then, the issues weren’t that serious.”
But as the 21st century progressed, significant portions of the economy and society began to move online, raising the stakes in the digital identity domain. And over the past decade, with the advent of smartphones and ubiquitous connectivity, these two worlds—the physical and the digital—have begun to merge, making users’ online identities as central to their financial and social well-being as their real-world ones.
Helping drive the convergence is consumer demand. Customers increasingly expect from brick-and-mortar institutions the same seamless convenience they’ve experienced from email providers and other online services. But digitization has often come at a price.
“In 2018, the fact that nobody knows you’re a dog on the internet has been actively weaponized against us,” Grant says. “We see it with attack after attack [by cyber criminals and others] using compromised passwords” to steal monetizable data on a vast scale. More recently, he notes, “We’ve seen it with Russia and other state actors taking advantage of our openness to operate under pseudonymity to sow discord and all kinds of mischief.”
The dominant technologies in this newly converging identity domain are biometrics, secure hardware components and cloud-based risk management engines that score confidence about identity. The government has arguably fallen behind not just technologically but also in its ability to provide truly secure digital identities.
Recognizing the challenge, the U.S. government’s top information technology official, Federal Chief Information Officer Suzette Kent, told AFCEA’s Federal Identity Summit attendees recently in Tampa, Florida, that expanding the availability of citizen services online also means “we have to strengthen our identity proofing … throughout the [citizen interaction] life cycle.”
But at the same time, many of the ways the government traditionally does digital identity proofing have been radically undermined. The IRS, for example, has long employed knowledge-based authentication (KBA). In this process, customers are asked about their past, such as previous addresses and cars or credit cards owned, which is information the IRS can draw from credit reports or public records.
The problem is the answers to KBA questions are often eminently findable, especially with huge troves of data about consumers available for sale on the dark web. The IRS learned that lesson in 2015 when scammers stole the identities of more than 330,000 taxpayers and filed fraudulent returns to steal refunds.
Grant points out that Social Security numbers, for many years the basis of much government and private-sector identity verification, have been rendered all but useless as a means of ensuring identities. “The SSN works fine as an identifier. It distinguishes me from all the other Jeremy Grants,” he says.
The problem is when this number is used in the same way as passwords. This was never a particularly secure means of identity confirmation, but when the Equifax hackers stole millions of Social Security numbers, it basically rendered them useless for that purpose, Grant states.
“We can’t count on these numbers being secret anymore,” said Rep. Sam Johnson (R-TX), chairman of the Social Security Subcommittee of the House Ways and Means Committee. He spoke at a Center for Strategic and International Studies event in October.
To address this issue, Kent said her office would be “working with agencies to reduce the reliance that we currently have on Social Security numbers” in identity verification.
One alternative is to abandon altogether the reliance on a single data point to confirm identity. “You’re seeing new models of identity that work by drawing data from a lot of different sources and scoring them in a risk engine,” Grant explains. He cites cellphone provider records as an example. “I’ve had the same mobile number for 20 years. ... You can check that with service providers.”
Federally mandated cellphone number portability and the ubiquity of bring-your-own-device policies in the private sector make it increasingly possible to have a single phone number through changes of address and employment. Financial records, like credit reports, are another example of a data source to draw on, he proposes.
The results of such new techniques aren’t a binary declaration: This person is or is not the person they claim to be. It’s more like a score that indicates the level of confidence about the claim. And the data that’s being used to make the score is created and owned by the private sector.
“There are certainly other sources for identity these days besides just the government,” Grant concludes, and he should know because he helped to launch them. Almost a decade ago, as a federal official at the National Institute of Standards and Technology (NIST), he was the lead on the U.S. government’s big push to create trusted online identities. The National Strategy for Trusted Identities in Cyberspace used small grants to kickstart a private-sector-based identity ecosystem in which companies compete to offer secure identity services to consumers.
That ecosystem has blossomed. It now includes everything from big social media platforms offering single sign-on services to the secure USB keysticks used by Google employees to consumer biometrics to unlock mobile phones with a fingerprint or face match.
Hardware has helped drive much of the ecosystem’s development. The ubiquity of smartphones first enabled people to get beyond the simple username and password that secured most online consumer accounts, albeit only in a stumbling fashion.
Smartphones made possible a pseudo second identity factor through a one-time password sent via SMS text message to the phone number associated with the account used alongside the password. The problem is a one-time password also can be phished by a fake text message and stolen by hackers.
True two-factor authentication requires cryptographically secure hardware. For example, an encrypted certificate resides on a personal keystick or in a specially secure compartment of a smartphone chip and is nearly impossible to forge. Each time the keystick or phone is connected, the certificate makes it possible to verify the genuine device with mathematical certainty. Although devices can be stolen, pilfering would not occur en masse—and can’t be done from the other side of the world.
In addition to the technology, cryptographically secure hardware also requires open interoperable standards to ensure the keystick can both unlock an operating system from one company and log in to a web browser from another. The FIDO Alliance provided the open standards.
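The difference between the phishable SMS code and the hardware-backed, standards-based login described in the two paragraphs above can be shown in a few lines. The following is an added example, not code from the article or from the FIDO Alliance. It simplifies the real protocol in one labelled way: the authenticator shares a per-credential secret with the site and uses HMAC, where a FIDO authenticator signs with a private key whose public half was registered. What the example demonstrates, binding the signed data to the site origin and to a single-use challenge, is the property that makes relayed logins fail; account and domain names are constructed.

```python
"""Why an SMS one-time password can be relayed to the real site by a
phishing page, while an origin-bound challenge-response assertion cannot.

Added example (not the article's or FIDO's code). Simplification: the
authenticator and relying party share a secret and use HMAC as a stand-in
for the asymmetric signature a real authenticator would produce.
"""
import hashlib
import hmac
import os
import secrets


# --- Model 1: one-time password delivered out of band (e.g. SMS) ----------
class OtpServer:
    def __init__(self):
        self.pending = {}  # account -> outstanding code

    def send_code(self, account):
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[account] = code
        return code  # in reality delivered by text message

    def verify(self, account, code):
        # Nothing ties the code to where the user typed it, so a code
        # collected on a lookalike page and forwarded here is accepted.
        ok = hmac.compare_digest(self.pending.get(account, ""), code)
        if ok:
            del self.pending[account]
        return ok


# --- Model 2: origin-bound challenge-response (FIDO-style) ----------------
def _signed_data(rp_id, origin, challenge):
    return rp_id.encode() + b"|" + origin.encode() + b"|" + challenge


class Authenticator:
    """Device-held credential created for one relying party."""

    def __init__(self, rp_id):
        self.rp_id = rp_id
        self.secret = os.urandom(32)  # never leaves the device

    def make_assertion(self, origin, challenge):
        # The browser reports the origin it is actually connected to; the
        # authenticator signs over it, so the origin cannot be rewritten.
        tag = hmac.new(self.secret, _signed_data(self.rp_id, origin, challenge),
                       hashlib.sha256).digest()
        return origin, tag


class RelyingParty:
    def __init__(self, rp_id):
        self.rp_id = rp_id
        self.creds = {}           # account -> registered credential
        self.challenges = set()   # outstanding, single-use challenges

    def register(self, account, authenticator):
        self.creds[account] = authenticator.secret  # stand-in for a public key

    def new_challenge(self, account):
        c = os.urandom(16)
        self.challenges.add(c)
        return c

    def verify(self, account, challenge, assertion):
        origin, tag = assertion
        if challenge not in self.challenges:
            return False  # unknown or already consumed (replay)
        if origin != self.rp_id:
            return False  # signed for another site: a relayed phishing login
        secret = self.creds.get(account)
        if secret is None:
            return False
        expect = hmac.new(secret, _signed_data(self.rp_id, origin, challenge),
                          hashlib.sha256).digest()
        if not hmac.compare_digest(expect, tag):
            return False
        self.challenges.discard(challenge)  # one use only
        return True


def otp_relay_scenario():
    """User types the SMS code into a lookalike page; it is forwarded on."""
    srv = OtpServer()
    code = srv.send_code("alice")
    return srv.verify("alice", code)  # True: the server cannot tell


def fido_scenarios():
    """Returns (legitimate login ok, relayed login ok, replay ok)."""
    rp = RelyingParty("bank.example")
    auth = Authenticator("bank.example")
    rp.register("alice", auth)

    c1 = rp.new_challenge("alice")
    genuine = rp.verify("alice", c1, auth.make_assertion("bank.example", c1))

    c2 = rp.new_challenge("alice")  # challenge relayed via a lookalike origin
    relayed = rp.verify("alice", c2, auth.make_assertion("bank-login.example", c2))

    replay = rp.verify("alice", c1, auth.make_assertion("bank.example", c1))
    return genuine, relayed, replay


if __name__ == "__main__":
    print("OTP relay accepted:", otp_relay_scenario())
    print("FIDO (genuine, relayed, replay):", fido_scenarios())
```

The interoperability point of the paragraph above is visible in the structure: the relying party checks only the origin, the challenge and the registered credential, so any authenticator that produces assertions in this shape works with any site that verifies them this way.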
Most recently, advances in consumer smartphone technologies have begun to realize the long-awaited potential of biometrics. But biometrics is also the technology that arouses the most concern about privacy, the flipside of the identity issue.
“Privacy absolutely needs to be designed in on the front end” in any identity system, says Christopher Miles, deputy director, standards integration and application, science and technology division, Department of Homeland Security (DHS). Record keeping and policy reviews the federal Privacy Act mandates—both the System of Records Notice and Privacy Impact Assessment—helped focus the minds of policy makers, he relates.
Miles oversaw DHS’ effort to develop rapid DNA testing that could confirm identity within minutes rather than weeks. In his own privacy quest, he has an assist from Mother Nature: The genes that establish identity and familial relationships are different from those associated with privacy concerns such as susceptibility to cancer or Alzheimer’s disease.
Nonetheless, reported security problems with India’s controversial Aadhaar, an online biometric database, have fueled a Big Brother vision. “There is an extraordinary risk in allowing a government to compile huge databases of information about its citizens,” Blake Hall, CEO, ID.me, says.
That’s why many believe the most important feature of any identity system is diversity—the ability for an individual to choose an identity technology, or perhaps even more than one, for different contexts.
Shaun Waterman is an award-winning reporter and editor who has worked for the BBC, UPI and POLITICO. He is currently freelancing covering federal information technology, cybersecurity and homeland security.