Securing Passwordless Credentials with Identity Verification

When an enterprise offers passwordless authentication, it is offering convenience and usability without sacrificing security. The user's phone becomes the user's identity. This works because users already guard their phones and what is on them; in practice, the phone really is the user's identity.

Think about the three main authentication factors: what you know, what you have and what you are. A password is the "what you know" factor, which is inherently the weakest. Passwords are reused, written down, phished, stolen, and either overly complicated or painfully easy to guess. With the growth of single sign-on (SSO), one stolen password often compromises every system behind it.

By relying on the other two factors and going passwordless, security goes up and usability goes up at the same time. Win-win doesn't even begin to describe it. Stealing the other factors requires a level of felony most attackers don't want to commit: taking personal property and/or body parts. Tying authentication to possession of a phone verified to be the user's, or to a verified face biometric, takes the password, and every weakness listed above, out of the picture.

Vulnerability at Time of Passwordless Credential Issuance

But there is a fundamental vulnerability early in this process: pairing the phone with the user. During this critical phase you NEED to be sure that the person pairing the device with the identity is the legitimate owner of that identity, because whoever enrolls the authenticator holds the account from then on. Identity verification at this step is what provides that assurance.

Depending on the security need, this can be a simple mobile match (is this identity the owner of this phone?), a KBA challenge (does the person pairing know what the real user should know?) or a government ID match (does the person pairing hold an ID, with matching biometrics, for this identity?). Ideally the solution applies a step-up policy that moves to each more secure method depending on the profile of the user or on whether the earlier stages were passed.

When to Apply Identity Verification to Passwordless Credential Process

This verification, which pairs the credential to the user, happens during two lifecycle events: zero-day onboarding and credential recovery. During zero-day onboarding the most stringent identity verification template should be used, MobileMatch plus BioGovID: verify the user's possession and ownership of the mobile device being enrolled as the credential, then verify their identity with a government-issued ID and a matching selfie. That covers the two strongest factors in one flow.

During credential recovery the user's identity was already established at onboarding, so a more streamlined template that checks only MobileMatch will do: confirm that the user is the legal owner of the phone, that the phone hasn't been used for fraud, and that the user actually has possession of it. Then re-issue the credential. Recovery issues a new credential just as onboarding does, so the mobile check must be run in full rather than skipped because the user was verified once before.

Passwordless is the wave of the future for both workforce and consumers. It is easier for the user, more secure for the enterprise, and intuitive and fast at authentication time. The important part is to establish the match between the physical identity, the digital identity and the mobile device used as an authenticator at the initial point of vulnerability: issuance.


Edward Killeen

Vice President of Marketing

Zero Trust Maturity: Knowing Your User

Rooted in the principle of "never trust, always verify," Zero Trust is a strategic initiative that helps prevent successful data breaches by eliminating implicit trust from an organization's network architecture. Every aspect of an organization's security infrastructure is affected by a Zero Trust approach, from the access management system to the network edge to the endpoints.

To be successful, the system needs to apply verification at every access point and every lifecycle event. Verifying the identity of the user and assessing risk at every access event is necessary to truly live up to the Zero Trust principle. This requires a flexible verification system with the right tool for each step in that process. How do you know that the user is who they say they are, from registration through to access?

Digitally Verifying a User on an Ongoing Basis

Identity verification and risk-based authentication cover the one-time and the ongoing needs of Zero Trust access, respectively. To "never trust, always verify," the system needs one detailed verification up front and ongoing checks on user and device risk afterwards. A flexible exchange with policy trees is required to adapt workflows to both kinds of verification and risk assessment. The suggested steps are biometric identity verification at onboarding, then device risk checks at each authentication and again when critical resources are accessed.

In the "old days," an HR representative would look at the new employee during onboarding, glance at their passport and confirm that IT could create an account for the user. That has to be replaced with a system that verifies the user digitally during remote onboarding. During account creation the user takes a selfie and scans their passport or other appropriate document; the system compares the two images and verifies the address and date-of-birth attributes on the document against known records. Doing this inside the onboarding flow keeps the process easy while allowing for even greater security.

Similarly, when a user accesses resources in a Zero Trust environment, you can't grant access just because the user knows a username and password; that is very last century! You wouldn't apply the same level of scrutiny as at onboarding, but a device reputation check, confirming that the device is owned by the user in question and hasn't been used in fraudulent activity, is a frictionless way to gain confidence that it is indeed the correct user.

Manage Zero Trust Verification with an Attribute Exchange

All of that verifying seems like a good idea but it has to be easy for an organization to manage. To make Zero Trust work for you, you have to make it frictionless for the user but flexible and powerful for the administrators. The most important aspect is to have powerful verification workflows that can be customized for the appropriate need. ID Dataweb has built identity verification templates that are easy to configure for each use case, decreasing the time to security for your organization. 

To truly take advantage of these powerful workflows, an organization needs to tailor the data sources to their specific needs. A credit bureau provides triangulation on address data, DMV data verifies the current information, a fraud consortium determines if the device has been up to no good, a mobile carrier verifies that the phone is owned by the user – each of these scenarios is woven into the correct template. Managing those backend relationships is not your business, ID Dataweb has an easy to use identity attribute exchange to pick primary and backup providers without having to manage the 100+ relationships on your own. 

Zero Trust stands zero chance if you don’t start with the building blocks. Before you start building out policies with your ZTNA provider, be certain that the user is the user, verify their identity. Verify once thoroughly during onboarding and every time tactically with adaptive authentication. Zero Trust is achievable but you have to always verify! 



Digital Transformation – From the Physical to the Digital User

As an enterprise digitally transforms, the connection between a user's physical and digital identities becomes tenuous. How do you know that johnsmith@exampledomain.com is the John Smith who is applying for a checking account?

In the old days, a person would go to the local branch, show a driver's license and be off to the races. Today most of these interactions are digital; in fact, one analyst firm estimates that up to 80% of them will use document-centric identity verification by 2022. Same model, same goal, much different technology.

This interaction has to be both frictionless and secure, and that's why just scanning a driver's license and snapping a selfie is not enough.

Frictionless Security: Orchestration of Identity Verification 

Identity verification provides the link between a user's physical and virtual identities. Robust orchestration across the common factors of what a user has (phone), what a user knows (KBA) and what a user is (biometrics) establishes the connection between the digital and physical identities.

There are a million items an enterprise could verify before opening the checking account we referenced above, such as:

  • Scan of driver’s license photo matches selfie 
  • Address and date of birth match known records 
  • Device used for MFA is owned by user in question 
  • User knows the address of every house they’ve ever lived in 

But you don't want to overwhelm the user by verifying every one of those attributes, nor rely on a single one. The most secure result with the least friction comes from orchestrating which factors you verify. Workflows that establish the right level of trust for that specific interaction give the best blend of security and friction for an organization to know exactly who its customer is.

Employ a policy workflow that escalates verification only if trust isn't established at the first step. Send an OTP to the phone being registered to prove physical possession, then check whether the carrier's subscriber data for that phone matches the name and address on the account being opened, triangulating those details. If that fails (possibly for a good reason, such as using a friend's phone), prompt for knowledge-based answers (KBA) sourced from a credit bureau. If that fails too, have the user take a selfie, scan their ID and match the two photos.

This workflow-based technique gives the least friction with the highest degree of confidence and security. Very few good actors will need manual verification, and you will catch the great majority of the bad actors (lawyers won't let me say all, but you know what I mean)!
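The escalating workflow just described, together with the onboarding and recovery templates from the passwordless post above, as an added example (this is not ID Dataweb's code and not the AXN policy engine): a small Python step-up engine in which possession is proven with an OTP and the policy then climbs carrier match, KBA and document-plus-selfie only as far as it has to. The carrier, bureau and ID-vendor lookups are constructed in-memory stand-ins, and the step names, record formats and template contents are assumptions made for the illustration.

```python
"""Step-up identity verification: a hypothetical orchestration engine modelled
on the escalating workflow in the post. Possession is proven with an OTP, then
the policy climbs carrier match -> KBA -> document + selfie only as far as it
must. Every data source below is a constructed stand-in, not a real provider."""
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Applicant = Dict[str, object]

# --- Possession proof: OTP bound to the phone being registered ---------------
@dataclass
class OtpChallenge:
    code: str
    phone: str
    expires_at: float
    attempts_left: int = 3          # brute-force budget for a six-digit code

def issue_otp(phone: str, ttl_s: int = 300) -> OtpChallenge:
    # Six digits from a CSPRNG. In production the code is delivered over SMS or
    # push; here it is returned so a simulation can "type it in".
    return OtpChallenge(f"{secrets.randbelow(10**6):06d}", phone, time.time() + ttl_s)

def verify_otp(ch: OtpChallenge, submitted: str, now: Optional[float] = None) -> bool:
    now = time.time() if now is None else now
    if now > ch.expires_at or ch.attempts_left <= 0:
        return False                # expired, or guesses exhausted
    ch.attempts_left -= 1
    # Constant-time compare so a wrong guess does not leak how many digits matched.
    return hmac.compare_digest(ch.code.encode(), str(submitted).encode())

# --- Constructed attribute sources (stand-ins for carrier, bureau, ID vendor) --
CARRIER_RECORDS = {"+15550001111": ("John Smith", "12 Elm St"),
                   "+15550002222": ("Jane Doe", "40 Pine Rd")}
KBA_RECORDS = {"John Smith": {"prior_address": "9 Oak Ave"}}
DOC_FACE_TEMPLATES = {"DL-JS-001": "face-template-john"}   # as extracted from the scanned ID

def otp_possession(a: Applicant) -> bool:
    return verify_otp(a["otp"], a["otp_submitted"])

def carrier_match(a: Applicant) -> bool:
    # Ownership: subscriber name and address on the line must match the application.
    return CARRIER_RECORDS.get(a["phone"]) == (a["name"], a["address"])

def kba(a: Applicant) -> bool:
    expected = KBA_RECORDS.get(a["name"], {})
    answers = a.get("kba", {})
    return bool(expected) and all(answers.get(q) == v for q, v in expected.items())

def doc_selfie(a: Applicant) -> bool:
    # The selfie must yield the same face template the ID vendor pulled from the document.
    tmpl = DOC_FACE_TEMPLATES.get(a.get("doc_id"))
    return tmpl is not None and tmpl == a.get("selfie_template")

# --- Policy engine -----------------------------------------------------------
@dataclass(frozen=True)
class Step:
    name: str
    check: Callable[[Applicant], bool]
    required: bool = False  # True: a gate that must pass; False: one rung of the escalation ladder

@dataclass
class Outcome:
    decision: str                                   # "verified", "manual_review" or "denied"
    passed: List[str] = field(default_factory=list)
    failed: List[str] = field(default_factory=list)

def run_policy(steps: List[Step], a: Applicant) -> Outcome:
    out = Outcome("manual_review")
    for s in [s for s in steps if s.required]:      # gates first: no possession, no account
        if not s.check(a):
            out.failed.append(s.name)
            out.decision = "denied"
            return out
        out.passed.append(s.name)
    ladder = [s for s in steps if not s.required]
    for s in ladder:                                # escalate only while trust is not yet established
        if s.check(a):
            out.passed.append(s.name)
            out.decision = "verified"
            return out
        out.failed.append(s.name)
    if not ladder:                                  # all-gates template: every check already passed
        out.decision = "verified"
    return out                                      # ladder exhausted: hand off to a human

# Templates for the lifecycle events discussed above (names and contents are assumptions).
ONBOARDING = [Step("mobile_possession", otp_possession, True),
              Step("mobile_ownership", carrier_match, True),
              Step("bio_gov_id", doc_selfie, True)]
RECOVERY = ONBOARDING[:2]
ACCOUNT_OPENING = [Step("otp_possession", otp_possession, True),
                   Step("carrier_match", carrier_match), Step("kba", kba),
                   Step("doc_selfie", doc_selfie)]

def demo() -> Outcome:
    # John applies from a friend's phone: possession is proven, but the carrier
    # record belongs to Jane, so the policy steps up to KBA, which he passes.
    # No selfie or ID scan is ever requested.
    ch = issue_otp("+15550002222")
    john = {"name": "John Smith", "address": "12 Elm St", "phone": "+15550002222",
            "otp": ch, "otp_submitted": ch.code, "kba": {"prior_address": "9 Oak Ave"}}
    return run_policy(ACCOUNT_OPENING, john)

if __name__ == "__main__":
    print(demo())   # Outcome(decision='verified', passed=['otp_possession', 'kba'], failed=['carrier_match'])
```

Two design points worth noting: the possession step is a gate rather than a rung, so a failed OTP denies outright instead of escalating, and a ladder that runs out ends in manual review rather than denial, which is the "very few good actors will need manual verification" outcome rather than a lockout. The recorded `passed` and `failed` lists are what an auditor would want to see for each decision.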

A Network of Attribute Providers to Orchestrate 

The key to orchestrating all of these attributes and verification techniques is to have a network of attribute providers, no one provider has all of the data you need. Hence the orchestration, and hello AXN. ID Dataweb’s AXN offers a single interface, a single contract and a single API to access over 190 attribute providers from the credit bureaus to risk consortiums to professional validation to background checks. 

The scale and breadth of the AXN network provides flexibility in data sources and dynamic failover across providers to meet the unique needs of each application. Tailor the attribute providers to your specific use case. 

The AXN policy engine allows an enterprise to build the right verification flow for the security and usability needs of each customer interaction. If money is moving, turn up the security; if brand interaction is the priority, turn down the friction. The policy engine allows for this.

Consider the lifecycle of the user: checking risk at onboarding doesn't remove the need for ongoing verification and risk assessment throughout the customer's journey. AXN's orchestration of one-time and ongoing verification secures transactions and customer interactions now and in the future.

As more and more customer interactions happen digitally, ensure that you know who your customer is during the first and last mile. Tie their physical identity to their digital identity, reduce friction while increasing security, and enjoy the digital transformation of your enterprise and your user. 

