What I am
Identity in the digital world has always been a point of contention for information security practitioners. What started out as an easy system—choosing an ID or username (“something you have”) plus a secret known only to the individual (“something you know”)—quickly spun out of control as digital usage grew. Back in the 1990s, when the internet started to become mainstream, no one could have predicted the vast number of credentials every person, and the systems used by businesses, would have to maintain for daily existence. Once trustworthy and reliable, prevailing industry practices for identity and access management (IAM) became the target of threat actors’ attention. With so many credentials floating around the internet, stored (sometimes insecurely) in companies’ databases, and reused across sites (so that people could more easily manage access), attackers followed the patterns and exploited the resulting vulnerabilities with increasingly harmful and destructive capabilities.
For years, security researchers and organizations have been trying to improve IAM and do away with passwords, proposing alternatives or adding factors on top of the something you have + something you know concept. In many cases, where some of these processes and technologies have been enforced, it works…OK. Credential theft is still, by far, cybercriminals’ entry method of choice when it comes to gaining unauthorized access to organizations, individuals, and their data. It’s just too darn easy.
From a usability perspective, individuals requiring access to various information across disparate systems (for work or personal purposes) are often blocked by the systems themselves, having to log in one by one, gather the necessary information, and then pull it all together. In certain situations, like during an emergency, this scenario is too time-consuming and challenging, and may lead to the insecure exchange of private information.
I’m not aware of too many things
As a result of the IAM dilemma, many organizations have been working on alternative identity solutions. Add to that list the Department of Homeland Security (DHS), which just awarded $2.4 million USD in grant funding to the Kantara Initiative, a global consortium whose mission is to improve “trustworthy use of identity and personal data through innovation, standardization, and good practice.” Through Kantara’s Identity and Privacy Incubator (KIPI) program, three companies will receive funding for projects to advance mobile identity and privacy. Though data security isn’t the number one goal of these projects, it’s by no means an afterthought.
The premise behind this Kantara program is smartphone ubiquity. Though not every person on the planet is equipped with a smartphone, it’s estimated that between 72% and 77% of Americans, and a majority of users in countries around the world, are. Putting aside any concerns about the security of smartphones themselves (for just a moment), the three projects cover mobile device attribute verification, mobile authentication, and physical access control.
I know what I know, if you know what I mean
Lockstep Technologies was awarded the first grant to fund development of a mobile device attribute verification (MDAV) technology, which could be used to certify credentials for first responders, serve as a mobile driver’s license, anonymously validate proof of age, and serve as travel papers or electronic health records. MDAV uses a system of digitally signed certificates to validate and secure attribute information.
Lockstep did not immediately respond to a request for information. This post will be updated as further insight becomes available.
Philosophy is the talk on the cereal box
Gluu, Inc. is working on an Emergency Responder Authentication System for Mobile Users (ERASMUS). The idea behind this project is that emergency situations frequently require coordination among disparate emergency services, such as fire departments, police, EMTs, and hospitals, both in person and online, and occasionally across jurisdictions. The Gluu technology is a mobile-enabled identity federation that would allow decentralized organizations to share up-to-date information in real time about a responder’s identity, skills, and authorizations. This would ensure that the right people are given appropriate access to manage high-risk situations.
Currently, the identification system for first responders is driven by smart cards, says Gluu’s Founder and CEO, Mike Schwartz. While secure and widely accepted, “smart cards are expensive to issue and not easily updated. By design, they’re sort of static.” ERASMUS strives to solve this problem, along with the challenge of adoption; only 1% of responders currently carry smart cards, says Schwartz, meaning that emergency teams could have trouble identifying individuals who show up, validating skill sets, and knowing if the person has the authorization to participate.
When it comes to security, Gluu supports FIDO U2F, a cryptographic authentication protocol whose credential travels with the smartphone. OpenID Connect, an identity layer that sits on top of the OAuth 2.0 protocol, helps prevent leaking of tokens. On the back end, says Schwartz, each user’s PII is encrypted with a different key, making the data less valuable to attackers if any vulnerability in the system should be exploited.
Religion is the smile on a dog
Exponent, Inc. is developing a smartphone application that is Near Field Communication (NFC) enabled. John Fessler, Principal Engineer at Exponent, says that the app was “developed for people who have smart-card based identity credentials with a contactless interface, such as Federal employees with next-gen Personal Identity Verification Cards, or Department of Defense employees with next-gen CACs [common access cards].” Using a credential derived from a trusted identity, the smartphone acts as the employee’s PIV card. To ensure data security, each new derived credential is digitally signed using the original PIV/CAC card, which binds it to the original credential and provides a way to verify the authenticity of the signature via the card’s public key.
Instead of carrying around a separate access card to enter a secure physical area, the app on a user’s phone acts as the ID control, which means one less thing for employees to carry. If a phone is lost or stolen, the credential can easily be revoked, and temporary credentials can quickly be issued to non-PIV holders, such as visitors or contractors. As with Gluu, Exponent’s app is especially useful for first responders during emergency situations. “Think,” Fessler explains, “of a FEMA-controlled perimeter at an emergency location; this mobile-to-mobile authentication could be used to validate whether first responders are authorized to enter the area.” The app makes the entire authentication process quicker and easier.
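The binding and revocation described above, as an added illustration that is not Exponent’s code: the card key signs a device-generated public key so a relying party can verify the derived credential against the card’s public key, and a lost phone is revoked by listing its device key rather than touching the card. The card key is an ordinary in-memory key here (an assumption so the flow runs offline; on a real PIV/CAC card it never leaves the chip), and the Subject string and revocation-list layout are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
)

// DerivedCredential is what the phone carries: a device-held public key, bound
// to the holder by a signature made with the key on the original PIV/CAC card.
type DerivedCredential struct {
	Subject   string
	DevicePub []byte // DER-encoded P-256 public key generated on the phone
	Sig       []byte // ASN.1 ECDSA signature by the card key over digest()
}

// digest covers the fields the card vouches for; a NUL separator keeps the
// subject and key from running together (subjects must not contain NUL).
func (c DerivedCredential) digest() []byte {
	s := sha256.Sum256(append([]byte(c.Subject+"\x00"), c.DevicePub...))
	return s[:]
}

// Issue generates the phone's key pair and binds it to subject with the card
// key (a plain in-memory key here; on a real card it never leaves the chip).
func Issue(card *ecdsa.PrivateKey, subject string) (DerivedCredential, *ecdsa.PrivateKey, error) {
	dev, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return DerivedCredential{}, nil, err
	}
	pub, _ := x509.MarshalPKIXPublicKey(&dev.PublicKey) // cannot fail for a fresh P-256 key
	c := DerivedCredential{Subject: subject, DevicePub: pub}
	c.Sig, err = ecdsa.SignASN1(rand.Reader, card, c.digest())
	return c, dev, err
}

// Verify is the relying party's check: the signature must chain to the card's
// public key, and the device key must not be on the revocation list.
func Verify(cardPub *ecdsa.PublicKey, c DerivedCredential, revoked map[string]bool) error {
	if !ecdsa.VerifyASN1(cardPub, c.digest(), c.Sig) {
		return errors.New("signature does not chain to the PIV/CAC card key")
	}
	if revoked[string(c.DevicePub)] {
		return errors.New("derived credential has been revoked")
	}
	return nil
}
```

After Verify succeeds, the relying party would challenge the phone to sign a nonce with the device key, which is the mobile-to-mobile step at the perimeter.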
As for infosec on top of convenience, the project uses the Opacity protocol, specified in NIST Special Publication 800-73-4, to achieve full cryptographic authentication and enhanced privacy.
Before I get too deep
These projects all look very promising in terms of enhanced identity and access management, as well as improved collaboration. The concern, of course, is the smartphones themselves, since the security of the device varies depending on carrier, manufacturer, and even device model. Because of this, it’s of prime importance that the data itself is secured in transit and at rest on the technology providers’ back-end systems.
Digital identity has proven time and again to be overly cumbersome for the user and gnarly for organizations to manage. It’s high time for innovation. Jeffrey Ritter, digital trust expert and Visiting Fellow at Kellogg College, University of Oxford, observed, “Kantara illustrates how ‘regulation’ can be developed by a global consortium rather than by nation-states. Their focus on building great standards will minimize the pressure on governments to write localized rules for global technologies.”
If the technologies above demonstrate ease of use and collaboration along with data security, perhaps more traditional companies will start seeing the value in moving away from the historically ineffective user ID/password combinations that currently govern system access.