The K(NO)W Identity conference continued in much the same vein as day one. While the focus remained on what identity is in today’s digital society, the sessions shifted to examine identity’s role in cybersecurity, and what the future of identity, and the ability to verify it, could be.
On day two, experts in identity and cybersecurity gathered to discuss the interplay between identity and security as it pertains to access management, social engineering, and insider threats. A quote that beautifully highlights the discussion came from Tom Kellerman of Strategic Cyber Ventures, who noted that “the Achilles heel of cybersecurity is authentication and identity.”
Kellerman’s statement brings to light the biggest threat to security: identifying authorized users and securing the authentication process so that they can gain access to the tools they need.
The Importance of Legal Non-Repudiation
However, this access needs to be granted in a way that still allows their actions to be regularly assessed and secured. For any enterprise, security challenges can come from a variety of sources. Identity-based authentication provides a strong solution for combatting some threats, such as social engineering and stolen or weak credentials, but it doesn’t stop another serious problem: insider threats.
Furthermore, the panel noted that digital insider threats, those caused by compromised credentials, are the biggest challenge facing cybersecurity today. If a hacker has the right credentials, a firm may never know there’s a bad actor inside their system.
However, the right authentication strategy, one based on biometrics, can provide a clear answer to insider threats. With any such strategy, an organization will always have a way to prove the identity of the person behind a transaction, be it a sent email or a financial transaction. This ensures that the true identity, proven with an incontrovertible identifier, is recorded and attached through transaction signing, often referred to as legal non-repudiation. Ultimately, this combats traditional and digital insider threats and provides a route to swift reaction when a red flag is raised.
Continuous Authentication Is Key
Another key part of building a stronger authentication infrastructure is behavioral biometrics. By analyzing typical user behavior in addition to single instances of strong authentication, the system can regularly challenge the user’s identity in an unobtrusive way, maintaining high trust, and only re-requesting strong forms of authentication, such as a fingerprint capture, when the behavior changes beyond acceptable norms. The assembled experts agreed that this tracking and assessment of end user behavior in a way that doesn’t compromise identity will play an incredibly important role in the future of security. The other critical steps are building the line of trust between the user and organization, and putting the right procedure in place to verify the user’s identity upon enrollment of their account and/or biometrics.
The Future of Identity Proofing
On day three, another panel of identity and privacy advocates gathered to discuss the critical role of remote identity proofing and the future of user verification.
From regulatory changes to the challenges of real-time and cross-border verification, remote identity proofing is proving to be a challenge for firms in the identity provider and identity management sectors. The concept of being able to prove a user’s identity in an incontrovertible way from halfway across the globe is difficult to grasp. We all have numerous potential identifiers, from our government-issued IDs to our social media accounts.
Kim Sutherland, senior director of fraud and identity strategy for LexisNexis Risk Solutions, delivered a compelling statement on the importance of remote identity proofing, and how technology makes it not only possible but better than on-site proofing.
Sutherland noted that identity proofing of all kinds needs to rely on multiple pieces of data. Simply presenting a government-issued ID, even when identifying yourself in person, should not be enough. We need varying identifiers, from different levels of trust, to form a complete picture. Our mobile devices offer a powerful tool for this, one that also supports strong remote identity proofing. With a single smartphone you can gather a dozen or so identifying pieces of data, from geolocation to a biometric capture, and layer them together to get a complete picture of who the end user really is.
Identity is Evolving
If there is any single takeaway from the inaugural K(NO)W Identity conference, it’s that this industry is evolving at a rapid pace, both ideologically and technologically. We can’t limit ourselves to a single set of data, or a single route toward identity verification and authentication. Regulations are being developed and improved upon, technology is allowing for new ways to identify, and spoof, identity, and all of the different sectors involved are creating more secure and convenient ways to request proof of identity. We may not have the perfect strategy yet, but the constant improvements are helping us create a world that may not be free from fraud, but that’s growing steadily safer from it.