Identity-Based Authentication: Eliminating Passwords
In part 1, I provided some needed context for moving from passwords to identity for user authentication. Now, let’s take a deeper look, and we’ll start with identity in the offline world.
When we are asked to identify ourselves in person, we generally produce a credential. This happens in the TSA line at airports and during a traffic stop, for example, where a passport or driver’s license bearing our picture is presented and compared to our likeness. The credential is then validated and, if everything checks out, we have been identified.
Creating a user and a password during provisioning seems far removed from anything resembling this, so where does the identity for authentication come from? The good news is that for most businesses this happens during hiring; it’s just typically not digitized or reused. It’s called Employee Eligibility Verification (I-9) in the US.
This terribly manual process is typically performed by new hires scanning or photographing government issued credentials and then emailing, faxing (yes this still happens) or sending those via text message to the HR department which is then tasked with verification. The process tends to be heavy in administration, lacking in protections for personally identifiable information, and disconnected, making it an ideal candidate for transformation. Furthermore, the documents are not verified with the owner and the image quality is suspect at best.
Employee, Contractor, Third-Party Worker Onboarding & Compliance
Modernizing personnel onboarding is particularly important for remote hiring – so important that standards for digital identification have emerged, specifically the NIST 800-63-3 guideline, which ensures end-to-end encryption of personal information as it flows from the user endpoint to the employer.
Another standard called FIDO2 by the Fast Identity Online Alliance provides a specification for cryptographically binding a biometric to an identifier using a public-private key pair, utilizing the secure enclave of the user device to store the private key.
In developing the 1Kosmos BlockID platform, we’ve been certified to both NIST 800-63-3 and FIDO2 to provide a high level of interoperability for both Identity Assurance Level 2 (IAL2) and Authentication Assurance Level 2 (AAL2).
A third set of standards (W3C Verifiable Credentials, or VC) provides specifications for remote document verification, so we’ve followed those as well.
We’ve then stored user information in a distributed ledger following W3C DID specifications, eliminating centralized administration and moving access and control to the user endpoint. This is important because once captured, biometrics can also be a target for hacking. We’ve moved beyond fingerprints and selfies with our LiveID® facial biometric that includes numerous anti-spoofing techniques, and then stored them in a way impervious to hackers.
The results of automated identity proofing with 1Kosmos:
Reduction in administrative overhead via automated, self-service identity proofing
Automated data capture from government issued, Telco, or Banking credentials
Automated data transfer on user-granted permission to HR and any downstream provisioning systems that require it (e.g., benefits, payroll, 401k administration)
GDPR compliant user managed access and control of personally identifiable information
Elimination of a central “honeypot” user store – there is no central administrator and no database to attack for data breach of PII or passwords
Creation of a re-usable digital identity to authenticate user login to enhance the security
The same onboarding process for workers can be applied to customers to support a fully “Know Your Customer” compliant identity-proofing process for new account creation.
The result in both instances is a digital identity that replaces the password and is certified to authenticate user logins at Authentication Assurance Level 2 (AAL2). This protects organizations against the types of data breach and ransomware attacks we have seen resulting from compromised credentials and facilitates a move to a zero trust environment in which identity is not inferred, but proven not just at login, but at every claim of identity once within the network.
So while industry stalwarts want to keep identity and authentication separate, in a push to protect the ongoing annuity streams they collect from paying customers, technology innovation has broken new ground. Transforming employee onboarding drives immediate business value by removing centralized administration overhead via automated workflow at the user endpoint.
Alongside that operational improvement we have created a user-managed, digital identity which can then be used to verify identity during login and secure digital transactions. This eliminates employee account takeover, substantially decreases the risk of PII-related data breach, and improves anti-fraud security for employees (e.g. changes to auto payroll deposits, 401k loans). But, it also comes with additional operational benefits such as eliminating help desk costs from password reset requests, improved user satisfaction, and faster provisioning of downstream services because the identity is portable when the user grants permission.
1Kosmos Identity-Based Authentication
At 1Kosmos, we didn’t start with passwords. When I conferred with industry-leading CISOs, former members of the National Security Agency and the Department of Homeland Security, we set out to know “who is on the other side of the digital connection upon login”. That led to formation of our advisory board and a user-centric path to reinventing passwordless authentication that linked to verified identity.
Our approach integrates identity with authentication to create a unified approach addressing workers and customers as well as logical and physical security. Users like it because it’s incredibly easy to use. CISOs reduce password-based vulnerabilities at the perimeter, but also gain better control of network security because they’ve identity-proofed their logins. DevOps teams gain interconnectivity and fast cloud-based deployment.
In part 3 I’ll take a close look at the options facing organizations as they navigate their journey to passwordless authentication and visit a few key use cases for both workers and customers that should be carefully considered. In the meantime, I hope you will explore how our Customer, Workforce, and Verify solutions can improve security so you can stay focused on running your business!