Secure Your Distributed Workforce: Go Passwordless

To mitigate the risk, biometrics have been added into the mix: Touch ID, Face ID, iris recognition, etc.

A login page, a QR code to scan from a mobile application, a biometric-based authentication, and the employee is in. No more username and password required. The mobile phone is something the employee has and the biometric data is something the employee is.

Some levels of biometrics remain ineffective.

Financial Element:

Biometric technologies are available commercially in many different forms, but by far the most common devices are fingerprint readers and hand geometry scanners. Now, commercial retina and iris scanners can cost between $2,000 and $10,000, are considered highly invasive by users, and have a slow throughput. Whether fingerprint or iris scanners are required for both physical and logical access, deploying biometrics in the organization is extremally costly.

Biometric Element:

Whether it is voice recognition (Voice ID), facial recognition (Face ID), fingerprint scanning (Touch ID) or iris scanning, those types of biometric are falsifiable: Voice can be replicated, fingerprints can be copied, face can be spoofed and iris scanners can be hacked. Biometrics are used by most passwordless solutions is not enough.

Data Storage Element:

Most passwordless solutions store their users’ biometric data unencrypted inside centralized systems, which are highly prone to cyber attacks.

Per the National Institute of Standards and Technology (NIST), digital identity is the online persona of a subject engaged in an online transaction. Now, accessing a digital service may not mean that the subject’s real-life identity is known.

NIST has created the NIST 800-63-3 guidelines to establish 3 levels of assurance for ID-proofing and authentication:
Identity Assurance Levels:

IAL1:

There is no requirement to link the applicant to a specific real-life identity.

IAL2:

Evidence supports the real-world existence of the claimed identity and verifies that the applicant is appropriately associated with this real-world identity. IAL3: Physical presence is required for identity proofing (address verification).

Authentication Assurance Levels:

AAL1:

Requires either single-factor or multi-factor authentication using a wide range of available authentication technologies.

AAL2:

Proof of possession and control of two distinct authentication factors is required through secure authentication protocol(s). Approved cryptographic techniques are required at AAL2 and above.

AAL3:

Based on proof of possession of a key through a cryptographic protocol. Authentication must use a hardware-based authenticator and an authenticator that provides verifier impersonation resistance. The same device may fulfill both these requirements. Approved cryptographic techniques are required.

Federated Assurance Levels:
FAL1: IAL1 + Any AAL, IAL2 + AAL1, IAL3 +AAL1 FAL2: IAL2 + AAL2, IAL2 + AAL3, IAL3 + AAL2 FAL3: IAL3 + AAL3

Most passwordless solutions store their users’ data in such a way that it represents a cyber criminal’s dream for 2 main reasons:

Users’ data stored unencrypted
Did you know what major organizations are still storing passwords in plain text? Unfortunately, there are multi-billion dollar companies out there that continue to minimize the importance of security. Some actually choose to compromise security in the name of (financial) convenience. Others do everything right when storing their employees’ password. They might add overzealous logging capabilities, which record passwords in plain text… Encryption is standard during the data transmission process, but many enterprises have failed at implementing the same for information held within their databases. That’s a hacker’s dream, because they are able to easily use stolen data in its rawest form.

Users’ data stored in centralized systems
First, the user of a centralized database has access to four data functions: Create, Read, Update, Delete. Logically, anyone with access credentials can utilize the Create, Update and Delete functions to compromise data. Read is only as good as the data which is read. Then, a centralized system represents a single point of failure. Naturally, the bigger firms which is associated with centralized systems can afford redundancy, but it is inherently expensive.

Identity Should Be Your Number One Focus At All Times
1Kosmos BlockID is the only passwordless solution that verifies a user’s identity. BlockID reaches IAL2, AAL2 and FAL2 per the NIST 800-63-3 guidelines, and store users’ data encrypted in a decentralized ledger.

Enrolling Your Workforce
During the enrollment process, BlockID creates a credential safe and the private key always stays with the employee.

Enrollment process:

Triangulating a given claim with a multitude of company or government-issued documents as well as sources of truth, including biometrics like a liveness test.

Each enrolled document is validated in the background:

AAMVA for driver’s licenses, issuing country for passports. By enrolling a driver’s license and a passport, for example, BlockID validates the employee’s first and last name, address, date of birth, and ensure, to the extent possible, that the photos on both documents actually match.

BlockID adds an extra source of truth to our ID proofing process:

a liveness test to verify if the biometric traits of an individual are from a living person rather than an artificial or lifeless person.

BlockID accesses even more sources of validation:

a passport’s chip to validate the fact that the passport scanned during the enrollment process matches digitally signed data, for example. or external sources of truth like a credit card, a bank account or a loyalty program.

Authenticating Your Workforce
BlockID uses advanced, unspoofable biometric authentication as a security process that relies solely on the unique biological characteristics of a user to verify that he is who he says he is.

Authentication process:

A liveness test to eliminate any risk of facial spoofing, which is the task of creating false facial verification by using a photo, video, mask or a different substitute for an authorized person’s face.

Including Verifiable Credentials
The verification process leverages the attributes BlockID triangulates during the enrollment phase and digital verifiable credentials employees can share with third-parties and with explicit consent.

Verification process:

issuers create verifiable credentials, users can store some of them, and verifiers ask for proof based upon them. When identity needs to be verified, the user chooses those credentials that must be verified. The process involves data the user initially enrolled in BlockID, verifiable credentials in their digital form through API calls, or a mix of both.

The attestations that verifiable credentials make are backed by the Decentralized Identifiers (DIDs), a technology that enables verifiable, decentralized digital identity.

Securing Employee Data: The Blockchain Ecosystem
1Kosmos leverages a Distributed Ledger to securely store employees’ identity information, with access controlled by the employee (GDPR compliant) as well as a layer of privacy built around Ethereum to execute smart contracts. This is the BlockID Private Blockchain ecosystem.

Each user’s information is encrypted using their own unique cryptographic key pairs, with their private key stored securely on their own mobile devices. That means there are literally thousands of separate and unique encryption keys and mobile devices protecting the identity data, which makes it impervious to hacking (W3C compliant).

BlockID solutions automatically and seamlessly handle all interactions with the Blockchain — No Blockchain knowledge or expertise is required by anyone on your team to enjoy all of its benefits. It couldn’t be any easier.