For far too many organizations, Identity and Access Management (IAM) has become a study in locking the storm window while leaving the front door wide open. From MGM to Facebook to T-Mobile and beyond, 2023 has found a growing number of security teams forced to chase down data breaches, ransomware attacks, and phishing scams after network access has been granted. Without the architecture to support modern forms of identity verification, we can’t seem to prevent cybercriminals from exploiting compromised logins to infiltrate corporate systems. Here’s why this keeps happening—and how plugging the identity gap in your IAM architecture can stop the insanity.
IAM a Mess: Why Your MFA Can’t Keep the MOFOs Out
Hackproof IAM requires two things: Verifying the identity of a user at enrollment and confirming that it’s this same individual attempting to log into an account.
Most IAM systems are decades old and lack identity verification. Putting a checkmark to rudimentary identity verification for new users and then issuing weak credentials via email or Post-it note? Good luck with that. Password- and basic multi-factor authentication (MFA)-based IAM can only really ensure the person accessing an account knows the password or OTP. While basic forms of biometric authentication can confirm the person accessing an account is the same person who initially enrolled to do so, it can’t verify that person is who they claim to be. This is especially true for device-based biometrics, hardware tokens, and passkeys that assume but do not verify identity.
In short: That proverbial front door is left wide open to account takeover (ATO)—including growing numbers that lead to Active Directory (AD) and Remote Desktop Protocol (RDP) breaches. But it doesn’t have to be this way.
Modernizing IAM: Architecture is Everything
At 1Kosmos, we long ago recognized what’s needed is a way to verify and authenticate identity online the same way we confirm it in real life—with a valid credential that can’t be vouched for by mere password, OTP, or a static, spoofable biometric. So we set out to modernize IAM by combining strong identity verification and authentication within an architecture that gives IT unmatched identity assurance behind each device used to access systems—while delivering an account registration and authentication experience that is as convenient as its hack proof. This architecture is built on the following five core pillars to fully eliminate the failures of traditional IAMs.
The 1Kosmos architecture employs automated, digitally-verified identity exceeding stringent KYC, KYE, and AML guidelines. Identity verification via government-issued credentials (driver’s license, state ID, passport, certifications, health records, etc.) enables organizations to standardize the onboarding of workers, customers, and citizens to prevent the use of synthetic and stolen identity information at account enrollment—and seamless authentication that’s impervious to account takeover at login.
Biometric-based Strong User Authentication
Verified biometrics secured cryptographically with public-private keys vastly outperform passwords in both security and convenience. That’s why we built the first (and only) architecture to support and exceed FIDO2, iBeta biometrics–, NIST 800-63-3, and UK DIATF security standards. Passwords are replaced with a secure identity wallet and a liveness test to confirm the person attempting to log in is, in fact, the authorized user and not a bot, deep fake, or imposter.
Decentralized Identity With Privacy by Design
Once biometrics are digitized and stored, they can be stolen. In 1Kosmos BlockID, unauthorized access to personally identifiable information (PII) is prevented through a blockchain-based digital “chain of custody” for identity-related data. Because 1Kosmos is anchored by a Privacy by Design framework, organizations can confidently accelerate user onboarding, protect digital accounts from ATO, combat transaction fraud, and more. Fraudulent access attempts are detected, logged, and blocked automatically. And it’s all done in full compliance with GDPR, CCPA, CPRA, and other privacy mandates.
A Private, Permissioned Distributed Ledger
This immutable “chain of custody” provides tamper-evident identity verification and reusable verifiable credentials on demand. This enables the user’s digital identity wallet to securely store a wide range of information—personal details, legal and education credentials, financial accounts, digital health records, etc. With irrefutable proof of identity and an immutable audit log of all updates and access attempts, organizations can focus on building customer loyalty and capture market share from less tech-savvy rivals.
Reusable Verifiable Credentials
High assurance and cryptographically secure storage and sharing establish repeatable, high-trust re-verification across a wide array of use cases. This can range from establishing “inferred” identity based on an email address or device that’s adequate for the intended use, to cross-referencing biometrics with government-issued forms of ID or information from banking, telco, or corporate databases, to the very highest levels of Know Your Customer (KYC) and Know Your Business (KYB) mandates.
A Foundation for Future-Proof IAM
This is all just the beginning. In forthcoming posts in this series, we’ll take a closer look at each pillar and its role in enabling and supporting a consistent and secure onboarding and authentication experience into all apps, devices, systems, and environments—including existing privileged access management systems.