The Gap Identity Service Providers Must Fill
Identity service providers create, maintain, and manage identity information for users and also provide authentication services to relying applications within a federation or distributed network. They bring a level of convenience to anyone who needs to access applications throughout the day to conduct business effectively and without having to enter credentials each time. So, it is not surprising that Okta, who’s the leader in the market, oftentimes uses the following tagline: “One-click access to all your enterprise apps—in the cloud and behind the firewall.” But, there is another slogan used by Okta that tends to leave me perplexed: “Okta is one trusted platform to secure every identity, from customers to your workforce.”
What does Okta mean exactly by securing every identity?
Identity service providers do not proof the identity of a user
The reality is that identity service providers do not prove a user’s identity in an irrefutable way. Okta Verify, which is the app that’s used to confirm a user’s identity when users sign into their Okta account, does meet the NIST 800-63-3 guidelines requirements in terms of authentication, but, it doesn’t verify an identity. Now, you may wonder what it entails to verify an identity. The only way of reaching the highest level of identity assurance per the NIST 800-63-3 guidelines, or IAL3, is to leverage an ID-proofing application that enrolls users by triangulating a given claim with a multitude of company or government-issued documents as well as sources of truth, including advanced, unspoofable biometrics. Okta Verify does nothing like what I just described. This is why SSO platforms only reach the lowest level of identity assurance per the NIST 800-63-3 guidelines, or IAL1.
How secure is the authentication process on a SSO platform?
Since there is no certainty about who is on the other side of the communication there is really no security, since there is no way of irrefutably identifying who’s truly logging into an Okta account. The convenience factor, in terms of accessing all enterprise apps with one-click is there, however, the consequences can be dire. And, the use of a password at any point in time during the authentication process puts the user at risk of being the victim of an identity compromise. After all, 81 percent of data breaches are caused by poor password management… So, password-based single sign-on is a very bad idea –hence, the need for a passwordless solution to bypass the risks associated with the use of passwords. The identity service provider also needs to integrate a passwordless authentication solution. But, passwordless authentication is only reliable if, and only if, the process also includes identity proofing. You always want to know who is on the other side of the communication, when there is a request to access your organization’s systems and apps.
The IAM market is siloed
To reach the highest levels of identity and authentication assurance to mitigate any risk of identity compromise, identity service providers need to integrate an application that proofs an identity and an application that authenticates without passwords. Now, when you take a close look at the identity and access management market, you instantly realize that it is extremely siloed, or isolated. Identity proofing solutions like Onfido and Jumio, MFA applications such as Duo and RSA, passwordless solutions like Hypr and Trusona and finally single sign-on platforms such as Okta and Ping Identity operate independently from one another. In other words, those silos do not talk to one another. This is where 1Kosmos BlockID comes in to save the day.
Why 1Kosmos BlockID is the only solution to bridge the gap
1Kosmos BlockID is the only cybersecurity solution in existence that combines indisputable digital identity proofing with advanced biometrics, passwordless authentication, while storing user data encrypted in a private, permissioned blockchain. BlockID goes beyond all passwordless solutions on the market by bringing decentralized identity to an organization’s workforce and customers. And our indisputable ID-proofing process backed by the use of advanced, unspoofable biometrics ensures that you know for a fact who is accessing your systems and applications, always. What does it mean in terms of standards? In terms of identity and authentication assurance, BlockID reaches the (highest) levels of IAL3, AAL3 and FAL3 per the NIST 800-63-3 Guidelines. BlockID is also the only digital identity and passwordless authentication platform to be FIDO2 certified, which represents a true paradigm shift, since our solution brings identity-based authentication to FIDO in place of hope-based authentication. The FIDO2 standard indeed lacks details about how a user can be identified when the authentication process takes place. BlockID fills that gap by verifying a user’s identity, prior to providing passwordless authentication powered by advanced, unspoofable biometrics.
Contact us to continue the discussion.