Employees face the same challenge multiple times a day: they have to access many different systems and applications to do their job. They unlock their Windows desktop, log into internal and external web resources and apps, access a UNIX server, connect to the employer's VPN, or even enter a facility. Often there is no single sign-on, and each system and application requires different credentials for authentication.
Three main challenges pertain to workforce authentication.
Workforce Authentication Challenges
Challenge #1: Leveraging Passwords
Some employees have no problem remembering different usernames and passwords. And then some give it three tries before they’re locked out and start speed dialing the Helpdesk. Finally, a few choose to rely on the good old post-it note they stick on their monitor, openly and publicly.
To make matters worse, IT departments require employees to choose complex formats for their passwords: between eight and sixteen characters long with at least one uppercase letter, one number, and one special character. Moreover, IT also requires that it be changed every thirty or sixty days. For many folks, those requirements compounded by multiple systems can be overwhelming, resulting in a proliferation of the infamous post-it notes and Help Desk calls.
This ecosystem creates inefficiencies, such as loss of productivity and increased costs. Did you know, for example, that replacing one password can cost up to $70? Yes, that’s what it can cost in human capital and machine resources to handle one password reset request.
Challenge #2: Leveraging 2FA and MFA Solutions
To prevent accounts from being compromised because a password was accidentally "stolen", and to strengthen the level of user authentication, many organizations have implemented two-factor authentication or even multi-factor authentication solutions. That's when you submit your username and password and then receive, for example, a text message prompting you to enter a code online.
Those solutions certainly make it harder to compromise an account; however, they're not foolproof. Ultimately, a hacker can steal a username, a password, and a mobile number stored inside a company's centralized system. There are also MFA solutions that require a piece of hardware such as a security key, and that comes at a cost: the organization pays for each physical token and allocates resources for the hardware's maintenance. The security key can also be lost or stolen.
Challenge #3: Leveraging Some Passwordless Solutions
To mitigate the risks MFA solutions incur, biometrics have been added into the mix. This is what passwordless applications offer with the following biometric features: Touch ID, Face ID, and, for some of the more advanced ones, iris recognition. A login page, a QR code to scan from a mobile application, a biometric-based authentication, and the employee is in. No more username and password needed. The mobile phone is something the employee has and the biometric data is something the employee is. The problems with those solutions are high implementation costs and heavy data storage. For example, facial recognition requires top-quality cameras and advanced software to ensure accuracy and speed. Moreover, the high-quality images required for facial recognition take up a significant amount of storage.
So, is there an alternative?
Workforce Authentication Best Practices
A robust contact-free authentication solution for the workforce should focus on identity proofing and therefore be built on three identity pillars: enrolling, authenticating and verifiable credentials. The pillars need to interact with one another to ensure that identity remains the number one priority. This is the core architecture of the BlockID platform.
Best Practice #1: Enrolling with Claim Triangulation
An employee’s enrollment should consist of triangulating a given claim with a multitude of company or government-issued documents and sources of truth, including advanced biometrics.
For example, by enrolling an employee's driver's license and passport (government-issued documents), we are able to verify, in real time, the validity of each document by querying the proper databases (sources of truth) and to triangulate several claims (first and last name, address, date of birth, photos) simultaneously, before adding an extra source of truth to our ID proofing process: a liveness test. The liveness test verifies that the employee's biometric traits come from a living person rather than from an artificial or lifeless one.
We leverage further sources of validation, such as the passport's chip, to confirm that the passport scanned during enrollment matches its digitally signed data. We can also introduce credit cards, bank accounts or loyalty programs, among others, to reach the highest level of identity assurance per the NIST 800-63-3 guidelines, IAL3.
Best Practice #2: Authenticating
BlockID uses advanced biometric authentication as a security process that relies solely on the unique biological characteristics of the employee to verify that he is who he says he is. Our advanced biometric authentication technology, using a liveness test, compares the captured biometric data to stored, confirmed factual data in the BlockID Blockchain Ecosystem. A liveness test offers the added benefit of requiring users to capture a live video of themselves, which has a deterrent effect on criminals who would rather not share their face with the company they are targeting.
The BlockID authentication process reaches the highest level of authentication assurance per the NIST 800-63-3 guidelines, AAL3.
Best Practice #3: Verifiable Credentials
The verification process leverages the attributes BlockID triangulates during the enrollment phase as well as verifiable credentials (in their digital form) that users can share with third parties and with explicit consent.
A verifiable credential is a credential that was issued by a trusted authority for, and only for, the user. It is a tamper-evident credential based on W3C standards whose authorship can be cryptographically verified. Schematically, issuers create verifiable credentials, users store some of them, and verifiers ask for proofs based upon them. When identity needs to be confirmed, the user chooses which credentials to present for verification.
The BlockID verification process eliminates the tedious back-and-forth communication between verifiers and issuers, since the verifier no longer has to contact the issuer to confirm the credential, reducing data verification costs in the process. This mechanism means that the user remains in control and keeps ownership of his or her identity, by electing what to disclose and to whom.
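The issuer/holder/verifier flow described above, as an added example (constructed here, not BlockID's own code or data model): the issuer signs the claims with an Ed25519 key, and a verifier that already trusts the issuer's public key checks the proof offline, so any edit to a claim after issuance makes the credential fail verification. The DID-style identifiers and claim names are placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Credential is a simplified stand-in for a W3C Verifiable Credential:
// the issuer signs claims about a subject, and anyone holding the
// issuer's public key can verify them without contacting the issuer.
type Credential struct {
	Issuer  string            `json:"issuer"`
	Subject string            `json:"subject"`
	Claims  map[string]string `json:"claims"`
	Proof   []byte            `json:"proof"` // Ed25519 signature over the rest
}

// payload returns the canonical bytes covered by the proof.
func (c Credential) payload() []byte {
	unsigned := c
	unsigned.Proof = nil
	b, _ := json.Marshal(unsigned) // map keys are sorted, so this is deterministic
	return b
}

// Issue is the issuer's step: sign the claims with the issuer's private key.
func Issue(priv ed25519.PrivateKey, issuer, subject string, claims map[string]string) Credential {
	c := Credential{Issuer: issuer, Subject: subject, Claims: claims}
	c.Proof = ed25519.Sign(priv, c.payload())
	return c
}

// Verify is the verifier's step: check the proof against a trusted issuer key.
// The issuer is never contacted; trust comes from the key, e.g. a registry.
func Verify(pub ed25519.PublicKey, c Credential) bool {
	return ed25519.Verify(pub, c.payload(), c.Proof)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // placeholder issuer key pair
	vc := Issue(priv, "did:example:dmv", "did:example:employee-42",
		map[string]string{"givenName": "Alice", "dateOfBirth": "1990-01-01"})
	fmt.Println("valid:", Verify(pub, vc))
	vc.Claims["dateOfBirth"] = "2000-01-01" // a tampered claim breaks the proof
	fmt.Println("valid after tampering:", Verify(pub, vc))
}
```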
Best Practice #4: Employee Data Stored Encrypted in a Decentralized Ledger
BlockID leverages the BlockID Private Blockchain Ecosystem to store employees’ encrypted data. The benefits of using a decentralized system are multiple, from being virtually uncompromisable to initiating peer-to-peer transactions while ensuring the immutability of the data stored. Such a system promotes transparency and consequently creates trust between employers and their employees who need to access corporate systems and applications. Employees own their data and choose to share only the information that is required to access a specific solution. And it is W3C compliant.
BlockID is the next-generation contact-free authentication solution for the workforce that leverages advanced biometrics and distributed ledger technology. The application unifies physical and logical access, allowing all employees to use a single smartphone app for all forms of access, whether to enter a highly secure data center through a mantrap, to log into Unix or Salesforce, or to unlock a workstation without connectivity.
REGISTER for our upcoming webinar:
Breaking Silos: How to Identify and Authenticate an Employee or Customer, and Verify Credentials Using a SINGLE Solution?
Date/Time: Tuesday, September 15, 2020 | 11am – 12pm ET
Andras Cser, Vice President and Principal Analyst, Forrester
Michael Engle, Chief Strategy Officer, 1Kosmos