In the physical world, proving identity is straightforward. First, you present your driver’s license or a physical identity card, which is compared to your likeness and verified. Then, you put your identification card back in your wallet, which allows you to retain control over your identity.
In the digital world, this process becomes more complicated. Let’s look at a user who makes payments online. Typically they would “verify their identity” by entering a username, password and maybe entering a two-factor authentication code.
Not only does this process sap workers’ productivity and alienate customers, it’s also not very secure. This is because logins based on passwords and one-time codes are not bound to proven identities. This allows anonymous (and sometimes malicious) users to operate behind legitimate logins.
As passwords get shared, hacked and stolen, the risk of business disruption by impostors posing as legitimate users increases. Edward Snowden, for example, logged in as his co-workers. If the login had verified his identity, authentication would have failed and his scheme would never have succeeded. Mr. Snowden had the credentials, but not the identity. Systems checked the former, not the latter.
This is what Edward Amoroso, CEO of TAG Cyber, and Mike Engle, CSO of 1Kosmos, discuss in their Identity-Based Authentication and The Journey to Passwordless on-demand webinar. They cover how the key vulnerability in passwords is not the password itself, but rather not knowing who is on the other side of the digital connection.
Do passwordless authentication solutions verify user identities?
If you have moved past password-based and 2FA solutions, are you safe from password-based attacks? Passwordless solutions do not inoculate the enterprise against credential compromise.
Ensuring the employee, customer, or citizen is who they claim to be is the gap in most passwordless solutions today: passwordless alone only removes friction from the user’s journey; it does not make the journey more secure.
What is needed is to mitigate identity theft and to ensure the individual is exactly who they claim to be. Companies ask for government-issued identity documents to prove an individual is who they claim to be, but that does not prove that the individual logging in to applications is the same person in real time.
Authorization is another added requirement for onboarding an existing user to new applications and services. Risk is minimized best when there is continuous authentication as well as transactional authorization in place. To do so, an organization checks for the identity and authentication assurance level of the individual in real-time before granting them access to critical service and application assets.
Simplified access to legacy systems using passwordless sign-on improves productivity, no doubt about that. Even better, enabling quick password resets to legacy apps after the individual has completed a strong identity-based authentication roundtrip using live biometrics enables faster and frictionless access to legacy applications.
Another strategic benefit of deploying an identity-based passwordless solution is to reclaim the 2FA spend that would otherwise go into migrating legacy systems to passwordless. Why not re-use the identity from a secure digital identity wallet to onboard new employees and customers to both modern and legacy services?
1Kosmos Identity-Based Authentication
All these goals can only be achieved if an organization starts with identity and not just authentication. The traditional approach to passwordless authentication is to focus on MFA or passwordless login.
While 1Kosmos is passwordless, we bring identity-based features to an authentication method. This flexibility may be used to enhance the identity verification process using strong biometrics-based identity and verification of user credentials via industry standards.
What’s unique about 1Kosmos is that we start with identity, instead of starting with authentication, as the basis for strong authentication and this enables us to solve many of the same challenges for both employees and customers. Our biometrics engine allows for continuous identity verification of the individual at login-time, and continuous transactional authorization at access-time, while remaining aligned with the company’s risk policies. It is no longer acceptable to identity-proof an employee or a customer once – for example during onboarding or new hire – and let them use services indefinitely.
By combining authentication with true identity (the principles of NIST SP 800-63-3, including the 800-63A identity proofing guidelines, with modified versions for corporate applications), you have much higher identity assurance: you know who is truly at the end of a digital connection every time they authenticate.
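The real-time check described above (verify both the identity assurance level and the authentication assurance level before granting access, and re-check at access time rather than only at onboarding) can be made concrete with a small policy function. The following is an added example written for this article; it is not 1Kosmos product code. It uses the IAL/AAL scale from NIST SP 800-63-3 and the session lifetime and inactivity limits per AAL from SP 800-63B section 4; the resource names, the minimum levels assigned to them, and the sample sessions are constructed for illustration.

```python
"""
Assurance-level access check in the spirit of NIST SP 800-63-3.

Identity Assurance Level (IAL, 1-3) is established once, at identity proofing.
Authentication Assurance Level (AAL, 1-3) is earned by the authenticators used
in the *current* login. Each resource states the minimum of each it requires,
and the check runs at access time so that a session whose proofing is too weak
gets sent back to proofing, and one whose authentication is too weak or too
old gets a step-up instead of silent access.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"    # re-authenticate (possibly at a higher AAL)
    REPROOF = "reproof"    # identity proofing too weak for this resource
    DENY = "deny"          # malformed session


@dataclass(frozen=True)
class Session:
    subject: str
    ial: int                    # from enrollment / identity proofing
    aal: int                    # from the authenticators used at login
    authenticated_at: datetime  # when the current AAL was last proven
    last_activity: datetime


@dataclass(frozen=True)
class Resource:
    name: str
    min_ial: int
    min_aal: int


# (max session lifetime, max inactivity) per AAL, from SP 800-63B section 4.
# AAL1 has no inactivity limit in the spec.
REAUTH_LIMITS = {
    1: (timedelta(days=30), None),
    2: (timedelta(hours=12), timedelta(minutes=30)),
    3: (timedelta(hours=12), timedelta(minutes=15)),
}


def session_is_fresh(session: Session, now: datetime) -> bool:
    """True if the session is within its AAL's lifetime and inactivity limits."""
    lifetime, idle = REAUTH_LIMITS[session.aal]
    if now - session.authenticated_at > lifetime:
        return False
    if idle is not None and now - session.last_activity > idle:
        return False
    return True


def authorize(session: Session, resource: Resource, now: datetime) -> Decision:
    """Decide access from proven identity and current authentication strength."""
    if not (1 <= session.ial <= 3 and 1 <= session.aal <= 3):
        return Decision.DENY
    if session.ial < resource.min_ial:
        return Decision.REPROOF            # nobody ever proved who this is well enough
    if session.aal < resource.min_aal or not session_is_fresh(session, now):
        return Decision.STEP_UP            # credentials present, assurance not
    return Decision.ALLOW


# Constructed sample data (hypothetical resources, subjects and times).
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
RESOURCES = {
    "intranet": Resource("intranet", min_ial=1, min_aal=1),
    "payroll": Resource("payroll", min_ial=2, min_aal=2),
    "wire_transfer": Resource("wire_transfer", min_ial=2, min_aal=3),
}
SESSIONS = {
    # proofed and authenticated well, active recently
    "alice": Session("alice", 2, 2, NOW - timedelta(minutes=5), NOW - timedelta(minutes=1)),
    # self-asserted identity (IAL1), even though the login itself was AAL2
    "bob": Session("bob", 1, 2, NOW - timedelta(minutes=5), NOW - timedelta(minutes=1)),
    # strong levels, but idle 20 min > AAL3 inactivity limit of 15 min
    "carol": Session("carol", 3, 3, NOW - timedelta(hours=2), NOW - timedelta(minutes=20)),
}


def demo() -> dict:
    """Run every sample session against every sample resource."""
    return {(s, r): authorize(SESSIONS[s], RESOURCES[r], NOW).value
            for s in SESSIONS for r in RESOURCES}


if __name__ == "__main__":
    for (subject, resource), decision in demo().items():
        print(f"{subject:6} -> {resource:14} {decision}")
```

The point of the split between REPROOF and STEP_UP is the one the webinar makes: a stronger login cannot repair weak identity proofing. Bob's session was authenticated at AAL2, yet payroll is refused until his identity is proofed to IAL2, whereas Carol only needs to re-authenticate because her session has gone stale.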
These principles apply especially to customers in the banking industry, where strong KYC is needed. 1Kosmos is a member of the FIDO Alliance, DIACC, the Decentralized Identity Foundation (DIF), the Linux Foundation (for Trust over IP), W3C, and the COVID Credentials group. This ensures that you will have a partner with a product that is not only open, preventing vendor lock-in, but also on top of the latest trends in identity.
Are you interested in learning more about understanding who is on the other side of your digital connections? Listen to the on-demand webinar by Edward Amoroso, CEO of TAG Cyber, and Mike Engle, CSO of 1Kosmos, today.