The Halcyon Days when nobody on the internet knew who you were have faded. Hackers and ne’er-do-wells now pollute the web by attacking people’s secret account credentials and the data their identities unlock, and stealing digital identities.
Last year alone, there were nine major breaches – each with more than 10 million identities exposed – a 21% jump in mega-breaches from the previous year, according to Symantec’s 2016 Internet Threat Report.
Hackers aren’t the true problem, however, because obvious holes in websites, e-commerce retail and big business continue to prove those entities can’t protect the passwords they issue and store. Their game is not security – it is data collection, personalisation and targeted advertising.
The solution perhaps rests on creating a limited number of trusted identity provider (IdP) hubs that vouch for users when other sites – known as relying parties – need their authentication credentials. These IdPs would count security among their core competencies, something that web sites may have a hard time matching.
But how do we get there?
Services like the recently opened Gov.UK Verify are building blocks for creating a host of IDPs that issue identities and act as trusted pipelines into a number of government services.
In the US, the National Strategy for Trusted Identities in Cyberspace (NSTIC) is attempting to build a similar identity framework that is hosted by private sector companies.
The idea is to create a uniformity that provides citizens with a strong digital credential that is valid across services, while excusing each government service – or business – from the security pitfalls associated with issuing and storing passwords.
Of course, the toughest challenge is converting end users who tend to hand over their data for any new shiny object or trendy service.
The UK Cabinet Office is offering Gov.UK Verify as an option on the start pages of connected government services and touting it as faster and more secure for users while being re-useable across an increasing range of services.
The idea is catching on as Digidentity is already working on identity services for use across the EU.
Other incentives for end-users and businesses to change the status quo for logging on could be helped by mega breaches that continue to sting enterprises and millions of online users, innovation focused on ease-of-use, and directives such as the General Data Protection Regulation (GDPR), which calls for massive fines for businesses with lax security.
Digidentity has partnered with authentication provider Yubico to use hardware-based key technology that takes advantage of FIDO U2F, the FIDO Alliance standard for scalable public key cryptography.
This ‘second factor’ for validating authentication ensures that a stolen username and password is useless without also having stolen the physical key. If an attacker is in Siberia, it is unlikely they could get their hands on a physical device in Sheffield.
Hurdles do exist. Critics have called the Gov.UK Verify system of validating a user overly burdensome and intrusive. There are also critics of the system’s hub-centric design, and its privacy and security features.
Some claim the system is completely unnecessary and will eventually result in end-users losing control of the personal information to the private IdPs that make up Gov.UK verify.
The reality is that digital identity, privacy and security are hard problems to solve. Success won’t be realised without end-users and businesses change their habits and attitudes.
But Gov.UK Verify and NSTIC are active in their development cycles and eventually will offer proof on what is possible. Building the model into reality and at scale is the tricky part.
Sourced from Jerrod Chong, VP solutions engineering, Yubico