Identity Based Authentication: Conflux of ID & Authentication
In parts 1 and 2 of this series I discussed the transition underway in the IAM industry to passwordless authentication and the reasons why 1Kosmos has taken the path to passwordless through the convergence of identity and authentication.
In this post I want to address passwordless authentication with and without identity proofing, and then introduce a few of the top use cases we have seen in our customer base for both business-to-worker and business-to-customer authentication.
Replacing Passwords with Biometrics
First, there is an argument to eliminate passwords, but also to look at identity and authentication as separate and unrelated challenges. This argument, I feel, is rooted in a desire to stay the course with only cosmetic improvements to user login: a point of view that a new passwordless front end is essentially all we need.
To address this I’ll start by saying that if we eliminate passwords with biometrics, the biometrics by definition need to be sophisticated, hard to spoof and difficult to hack. You’ll need advanced biometric capabilities that are resistant to spoofing. Like passwords, they will need to support application-specific authentication, not merely device-level unlock.
Storing them, even in encrypted form, in a central database still represents a target that needs to be defended. This is why at 1Kosmos we opted early on for a distributed identity architecture that removes any centralized administrative access. No access equates to no viable target for a data breach.
But, where biometrics are involved, the question “whose biometric is this” needs to be asked. The purpose of the login and indeed the unique password itself is of course to prove identity. But, for example, a spouse or child biometrically authenticating into an iPhone and then accessing corporate email does not prove identity. Simply emailing a code or instructions to enroll an employee biometrically to their corporate email account that may already be compromised is no way to start a passwordless journey!
This is all just to say that substituting a biometric for a password removes the password, but still leaves organizations struggling with the fundamental question “who is accessing my corporate IT services?” It may remove the password as an attack vector only to add the biometric as one, or remove password user stores only to replace them with biometric user stores that serve as “honeypot” targets.
In a way, you have to decide what problems you are setting out to solve with a passwordless initiative, because the price of failure can be very high, especially when you ask users for highly personal information such as their biometrics. The brand damage alone from a breach leading to compromised user biometrics can be devastating. This is why at 1Kosmos we put biometrics under the sole control of the user.
But, the distinction to be made here is that simply eliminating passwords with biometrics that are not validated against a verified identity continues to place organizations at high risk of disruption from identity-based attacks. The closer organizations reside to critical infrastructure and financial services (or supply chains affecting either), the more vulnerable their organizations and entire ecosystems are to identity-based cyber threats, with which we are all too familiar.
At the very least, if identity is not sufficiently verified at new account creation and subsequently at login, organizations should adopt a zero-trust model and not assume that the identity behind each login is known. Otherwise, repeating past behavior that has led to failure on a grand scale and expecting a different outcome is simply not reasonable.
This again gets back to the problem we set out to solve. From my point of view, it’s not a tactical password problem. We’re looking to fundamentally upgrade the security posture of the organization by eliminating passwords, eliminating honeypots, securing PII, and driving efficiency into the business at key leverage points including employee onboarding and provisioning, customer acquisition, multi-factor authentication of worker and customer logins, and protection against financial fraud with strong authentication.
1Kosmos Identity Proofing
At a high level the key innovation 1Kosmos has brought to market is easy and non-spoofable identity proofing at varying levels of identity assertion that has as its output an immutable, reusable digital identity bound to a biometric.
This means we have a quick and convenient way for users to self-verify their identity using government, telco, and banking credentials. Then, once verified, workers, partners and customers use their digital identity to be recognized at login or transaction approval, giving them ease of use and giving organizations a high level of certainty about who is at the other end of the digital connection.
It is my belief that by adding identity in this way as a key pillar of network security, we help CISOs regain control of their IT services from anonymous users hiding behind compromised logins. With identity-based authentication, organizations will no longer be held hostage to data breach, ransomware, and financial fraud perpetrated via identity deception.
From the beginning we developed 1Kosmos for cloud-based delivery. Our goal is to drive benefits that are accretive to earnings generally within the first 90 days of operations while significantly improving the overall security posture and substantially reducing the risk of identity-based cyber threats. We are currently doing this at scale.
Today the 1Kosmos BlockID platform performs millions of authentications daily. We have documented a few of the top use cases. I hope you will take time to explore them or reach out to my team of experts if they can help on your journey to passwordless authentication.
- Employee Onboarding
- Multi-Factor Authentication
- Passwordless Access
- Physical and Logical Access
- Remote Workforce
- Single Sign-On
- Zero Trust