The Role of Identity in Access Management and Web 3.0

When 1Kosmos came into being, the founders focused on a mission to provide individuals with a secure digital identity that gives them control of their credentials and enables service providers to use it, with consent, to fight identity fraud. 

They had a simple goal to help organizations know who is on the other end of the digital connection and implemented a “privacy by design” architecture in which blockchain and a cryptographic public-private key pair work together create an immutable, self-sovereign and portable identity, replacing passwords to secure access to online services.

Five years later, 2021 proved to be a breakout year for our fast-growing company. 1Kosmos’ solutions are taking root in the mainstream to eliminate password-based vulnerabilities, provide user convenience and return control of the network to organizations by preventing cybercriminals from logging in and executing ransomware, data breach and phishing attacks that continue to disrupt organizations worldwide.

As if we needed further proof, over 500m ransomware attacks and new all-time highs for phishing and data breaches in 2021 prove yet again that the real problem isn’t the password, it’s identity. Taking a closer look, it becomes perfectly clear. 

In a Web 2.0 world, we place the onus for secure access on users. We require them to select passwords, keep them private, avoid questionable links, adhere to good device hygiene, etc. We train them to avoid public wifi and not fall for the next endlessly creative and ingeniously crafted scheme to hack their accounts. And in doing so, have created friction and complications where users will look for an easier way to meet the security requirements, like reuse passwords.

But mostly by doing this, we’ve transferred significant responsibility for network security to end-users – customers, workers and citizens. We trust, blind to the identity behind the login, and in doing so we’ve lost control. Besides users hating MFA, as a solution it suffers the same flaw. Anybody with the one-time code can log in. Let’s get real – we require better proof of identity for the purchase of alcohol, let alone access to systems that expose organizations to millions in losses.

In 2013 when Apple introduced Touch ID, we launched into the latest incarnation of Web 2.0 authentication – biometrics. By offering users the convenience of first a fingerprint and then a face ID, we added a huge ergonomic improvement, but the pernicious flaw persists. Without identity backing the biometric, we are still trusting blindly. Whose biometric is it? Is the biometric safe from theft? Have we proven the identity of the user at every login? The painful reality is a resounding “No”!

For the most part, we’ve been doing our best all along. Traditionally, user identity could only be proven via a physical presence – like on the first day at a new job with a driver’s license and passport for employment eligibility. This, of course, is more complicated online and not particularly practical in our new found remote working environment. Fortunately, technology has evolved. The forward-looking founders and advisors at 1Kosmos were not alone.

Certification and standards bodies including FIDO (interoperability and authentication) NIST (interoperability and Identity verification/authentication), and iBeta (biometric spoofing) saw the future as well and created guidelines and certification protocols to support business in the virtual world – a world and a future more frequently being referred to now as Web 3.0.

To go passwordless in Web 2.0, we layer on top biometrics to hide the password. We store those biometrics centrally, and we continue to trust blindly in users we really don’t know much about when they log in. We hope they are all legitimate. We hope hackers won’t compromise an administrator.

But this much is true – IT administrators are human, and they are vulnerable. That’s an immutable truth. And, just as we know that as long as there are banks, there will be bank robberies, we know as long as there are centralized data stores containing valuable PII (including biometrics), hackers will try to exploit them. 

When you look closely, the conclusions are clear. Removing the password is not enough. Trust in users and user artifacts needs to be replaced by proof of identity at every login, or we really haven’t solved the problem of blind trust. Centralized administration needs to be curtailed. 

In Web 2.0, user authentication was an afterthought, layer upon layer added to solve problems not covered or created by the preceding layer. In Web 2.0 we have passwords, so we need MFA. We can add biometrics to hide passwords, but really don’t know whose biometric they are because we haven’t proven the identity behind them. As a result, our organizations remain highly vulnerable to spoofing, theft and impersonation.

Today and whenever Web 3.0 becomes of age, we have to stop looking at identity and access management (IAM) as an afterthought and event. We need to start viewing it as a continuous process integrated into an interoperable web architecture. This is the vision and the reality of 1Kosmos distributed digital identity and the spirit of the “Identity” pillar in a Zero Trust Architecture.

The combination of strong authentication with strong identity is transforming the way we used to think about logins. In my next blog I’ll explain what this means for the future of Identity and for network security.

Overcoming Resistance to Change on the Journey to Passwordless MFA

Read More