Despite multiple shortcomings, passwords remain the most common authentication method for accessing financial, e-commerce, healthcare, and an array of other services. People generally prefer passwords over more secure authentication methods, due to their convenience and ease of use.
Despite the best efforts of security experts, passwords reign as the primary way for people to verify their identity online. “However, as we all know, passwords are easily compromised and forgotten, leading to both security issues and pressure on IT resources,” observes Ian Mulholland, an analyst in the security, risk, and compliance team at the IT research firm Info-Tech Research Group.
Security professionals know that username/password approaches to managing identity risk and authentication are obsolete or, at best, severely compromised. “So, these processes are [now] changing,” says Dan Barta, principal enterprise fraud and financial crimes consultant at analytics software firm SAS.
Digital Identification Technology
For decades, people have carried various forms of physical identification, such as driver’s licenses, health insurance cards, and passports. Emerging digital ID technology attempts to replicate this concept in the online world. “This could mean having digital versions of traditional physical documentation,” Mulholland says.
With digital ID, individuals are verified via an authoritative entity, such as a government body or global consortium, after proving they are who they claim to be. “The digital ID is then stored in some sort of ‘digital wallet,’ which may be accessed in multiple ways when permission is granted by the subject,” says Doug Saylors, co-leader of the cybersecurity unit of global technology research and advisory firm ISG.
Put simply, digital identity is a person’s online profile, Barta says. “Digital identity is derived from web-accessible personal data that can be traced and connected to a given individual.”
Digital ID, when combined with a Zero Trust Architecture, aims to provide a strategic approach to cybersecurity that secures a user by continuously validating every stage of a digital interaction. A digital ID would move users away from simply typing in a password to validate identity. Instead, a combination of factors would be used to validate and continuously verify an individual’s identity throughout the duration of their interactions with a service. “Establishing additional methods and complexity to an online service or resource decreases an attacker’s ability to gain access to that system,” notes Matt McFadden, vice president, cyber, at General Dynamics Information Technology (GDIT).
The timeline for deploying a single, universal digital ID, one that would allow users to authenticate across any online resource, promises to be long and challenging. “While we wait for that theoretical state of digital ID, we will likely see a ‘survival of the fittest’ occur where organizations propose their own solutions,” Mulholland says. “Successful solutions may soon be replicated in other organizations, and eventually, we may start to see unification.”
A potential sticking point is that digital ID organizations will have to be careful not to unintentionally interfere with multi-factor authentication (MFA), today’s leading security approach. MFA generally relies on a user supplying both a password and a second security factor, such as a fingerprint, facial recognition pattern, or code sent directly to an individual’s personal smartphone or computer. “For example, if a password, which is a ‘something you know’ factor, is replaced with a digital ID that’s more aligned with ‘something you have,’ it may no longer be considered MFA,” Mulholland explains.
What’s Next On the Security Horizon?
It’s unlikely that digital IDs will replace passwords within the next three to five years, Saylors says. “The technology is complex and would require a minimal standard that could be used by everyone.” Meanwhile, the large disparity in technology access that exists throughout the world population remains a significant barrier to widescale adoption. There are global working groups focusing on standards, but they are in their infancy, he notes.
Privacy concerns present another potential major adoption barrier, particularly for people possessing digital IDs designed to be used across multiple services. “Some people will be hesitant to adopt a solution that would theoretically allow others to track their movement,” Mulholland explains. “Privacy laws could assist with driving up the adoption rate, as they could guide the development of Digital ID solutions to be more privacy-conscious.”
Technological disparity among global populations is also a significant concern. “Poorer individuals who are forced to use older technology will either be left behind or forced to use subpar solutions, which could lead to identity theft,” Saylors notes. The ramifications are potentially huge. “Think of a single credential that authorized an individual to access their work accounts, bank accounts, and government services being stolen,” he says. “Who bears the liability in that instance?”
In the meantime, there remains little doubt that fraudulent parties will continue to use online data to overtake existing identities and develop synthetic ones, Barta warns. “The challenge for the good guys, as always, will be to make these efforts as cumbersome and cost-prohibitive as possible.”