Who am I? Defining Digital Identity
By JIM DUCHARME
Developing a trusted standard for digital identity is one of the most important engineering challenges facing product designers, developers, manufacturers and security practitioners as we all work together to manage the growing digital risks of a hyperconnected world. But what is identity?
For people, there’s an existential sense of self. But also, social security numbers, drivers’ licenses, passports and usernames. Some of these physical forms of identity are already going digital in countries like India and Israel.
For a car, identity was once just a license plate or vin number. But today, what about a car that can make online purchases on behalf of its driver’s digital identity? Or an autonomous vehicle without a driver at all?
More and more we’re seeing our devices represent us. When SIRI logs into your email to check the day’s events or Alexa places an order via voice command – both devices are carrying your digital identity as they act on your behalf. This is even evident with autonomous vehicles. The systems are so advanced that when the car needs a software update to improve its braking system, it can receive it remotely instead of having to go the dealership.
However, how do you or your vehicle know that the update is coming from the manufacturer and not a threat actor that is accessing the car’s system?
One of the biggest risks to the future of digital identities is relying on a simple and often preset username and password. Sure, it’s one part of establishing trust, but as we’ve seen time and time again, default, weak or reused passwords are easy targets for cyber criminals to exploit. And today’s “passwordless” methods of authentication are frequently still rooted and reliant on a password and username for account enrollment, recovery or elsewhere along the digital access chain.
We need to think differently—more existentially to create a more secure sense of digital self.
It’s not just about who I claim to be and recalling what street I grew up on (which, spoiler alert, is easy to find online), but it’s about having a digital fingerprint that uniquely identifies what I do—especially if I require the kind of critical access that for example, can send remote commands or updates to millions of vehicles.
The good news is that these technologies exist.
- Behavioral analysiscan identify patterns that validate the identity of a user or device, as well as increase authentication efficiency. The more data we have on how a device behaves the easier it is to understand risks. Things like User and Entity Behavioral Analytics (UEBA) are increasingly common tools that use machine learning and AI to understand my need to access my employer’s HR portal, but raise red flags if my account is trying to access credit card numbers stored on a point of sale system.
- Public Key Infrastructure (PKI)can also help provide a trusted identity and we see the technology making a comeback. For instance, when we ship devices with an embedded certificate to automatically connect to others or make an SSL connection with an e-retailer, PKI is working under the covers to make a trusted connection between the two parties.
- Passwordless Authentication, while we are still on the journey to becoming truly “passwordless,” the technology today can also help. The key is that to mitigate the risks of poor cyber hygiene and unsecured cloud servers, it’s critical to design identity and access functions on “always on” products so that sensitive data, such as biometric fingerprint/faceprints, never leave the device to prevent unauthorized access. Data that does need to be relayed back to the cloud should be anonymized to further protect user privacy and destroyed when it is no longer needed.
Looking to the future, we are seeing more progress towards the creation of a single digitized identity that encompasses common broader forms of verification – such as passports, social security numbers, bank records, and so on to prevent our current system of siloed information. This way when presented with a verifiable claim, it can check its connected sources and provide a trusted response without reproducing these checks. The benefit is that it can help prevent these digital risks by allowing you, as an individual, to actually own one centralized identity that creates a complete picture.
Our digital identity is tied to so much more than just the data that represents us or the technologies that act on our behalf. With a deeper understanding of what it is comprised of, combined with technologies like PKI and behavioral analysis to add layers of protection, we can better mitigate the evolving digital risks of our connected world.