The security community is continuously changing, developing, and learning from each other to better position the world against cyber threats. In the latest Voice of the Community blog series post, Microsoft Product Marketing Manager Natalia Godyla talks with Troy Hunt, founder of Have I Been Pwned, info security author, and teacher at Pluralsight. In this blog, Troy shares his insights on the evolution of identity, from the biggest gaps in identity to modern engineering answers.
Natalia: How has identity evolved over the past 10 years?
Troy: There is so much identity-related data about other people accessible to everyone that the whole premise of having confidence in identity has fundamentally altered. A couple of years ago, I was invited to testify in Congress about how knowledge-based authentication has been impacted by data transgresses. The example I dedicated was that my father called a telecommunications company to change his broadband plan to another tier. He told them his name and they asked for his date of birth, as if that’s a secret.
The biggest switching is with this premise that identity can somehow be assured based on knowledge-based authentication like date of birth, mother’s damsel name, where you went to school, or, in the United State, Social Security number. That notion is basically flawed and is a big area of identity that needs to change. There are so many services that is definitely no reason to have your date of birth but do.
Natalia: What are the current gaps in identity answers?
Troy: The traditional approach in the United States, where someone says, “Just give us your Social Security number and then we’ll know it’s you and it will be fine, ” has always been inherently flawed, but it’s even more flawed now.
The bigger concern is what if other people try to prove my identity? I’m concerned about SIM swapping because there’s so much identity confidence that is done via SMS. The telecommunications companies will say, “You shouldn’t be doing that. You can’t be confident the person who owns the number is the right person.” And the banks will say, “This is kind of all we have.” I asked my telco, “Can we set a lock on my SIM so the only way someone can migrate my SIM is if they come into your office and prove identity with a passport or driver’s license? ” That would eliminate a lot of the problems. They said, “We can’t do that because it would be anticompetitive. Government legislation says we need to make it easy for people to transfer their number to another provider so that people have freedom of choice. Otherwise, they’re locked into the provider.” And I responded with, “The outcome of that–depending on the platform I’m using–could be that someone gets into a really important account of mine.” Their response: I shouldn’t have been using SIMs as a means of identity verification.
Natalia: How can organizations mitigate identity peril?
Troy: For many organizations, there hasn’t been a lot of forethought around what happens when incidents impact identity. One example is violate preparedness. For many years, many organizations would do disaster recovery planning–the annual entire-site-has-gone-down exercise. I rarely discover them drill into the impact of a data violate. Organizations rarely dry run what happens when information is leaked that may enable others to take on identities.
One organization that had a data breach and did exceptionally well with disclosure was Imgur. Within 24 hours, they had all the right messaging sent to everyone and cycled passwords. I asked the Chief Technical Officer, “How did you do this so quickly? ” And he said, “We plan for it. We had literally written the procedures for how we would deal with an incident like this.” That preparedness is often what’s lacking in organizations today.
Natalia: What’s the biggest difference between enterprise and customer identity technologies?
Troy: With internal, enterprise-facing identity, these people work for your organization and are probably on the payroll. You can make them do things that you can’t ask consumers to do. Universal 2nd Factor( U2F) is a great example. You can ship U2F to everyone in your organization because you’re pay them. Plus, you can train internal staff and bring them up to speed with how to use these technologies. We have a lot more control in the internal organization.
Consumers are much harder. They are more likely to merely jump ship if they don’t like something. Adoption rates of technologies, like multifactor authentication, are extremely low in customer land because people don’t know what it is or the value proposition. We also learn organizations reticent to push it. A couple of years ago, a client had a one per cent adoption rate of two-factor authentication. I asked, “Why don’t you push it harder? ” They said that every time they have more people utilizing two-factor authentication, there are more people who get a new phone and don’t migrate their soft token or save the recovery codes. Then, they call them up and say, “I have my username or password but not my one-time password. Can you let me in? ” And they have to go through this big spiral–how do we do identity verification without the thing that we set up to do identity verification in the first place?
Natalia: What should you consider when building systems and policies for consumers to balance user experience and security?
Troy: One big question is: What is the impact of account takeover? For something like Dropbox, the impact of account takeover is massive because you put a lot of important stuff in your Dropbox. If it’s a forum community like catforum.com, the impact of account takeover is minimal.
I’d also think about demographics. Dropbox has staggeringly wide adoption. My mothers use Dropbox and they’re not especially tech-savvy. If we’re talking about Stack Overflow, we’ve got a very tech-savvy incumbent audience. We can push harder on asking people to do things differently from what they might be used to, which is generally merely a username and a password.
Another question is: Is it worth spend money on a per individual basis? My partner, who’s Norwegian, can log on to her Norwegian bank use a physical token. The physical token is not just an upfront expenditure for every customer but there’s also a maintenance expenditure. You’re going to have to cycle them every now and then, and people completely lost. And you need to support that. But it’s a bank so they can afford to construct that investment.
Troy: I recommend some kind of strong authentication in which you have confidence that a username and a password alone are not treated as identity. That worries me, particularly given there’s so much credential stuffing, and there are billions of credential pairs in lists. There’s also the big question: How did we establish identity in the first place? Whether it be identity theft or impersonation or even sock puppet reports, how confident do we need to be in the identity at the point of registration, and then subsequently at the point of reauthentication? That they are able to drive discussions around what degree of identity documentation we need. But again, we come back to the fact that we don’t have a consistent mechanism in the industry, or in even in one single geography, to offer high assurance of identity at the time of registration.
Natalia: Passwordless is a huge buzzword. A plenty of people think of it as a solution to many of our identity troubles. What’s your perspective?
Troy: I first started doing interviews a decade ago and people would ask, “When are we going to get rid of passwords? Are we still going to have passwords 10 years from now? ” Well, we’ve get more passwords than ever, and I think in 10 years, we will have more passwords. Even as we get passwordless solutions, the other passwords don’t go away.
I have a modern iPhone, and it has Face ID. The value proposition of Face ID is that you don’t need a password. You are passwordless to authenticate your device. When the phone came, I took it out of the box and had to get on the network. What’s the network password? I’ve got no idea, so I go to 1Password and drag it out. So, there’s one password. Then, the phone asks: Would you like to restore from iCloud? What’s your iCloud password? We’re two passwords in now. Would you like to use Face ID? Yes, because I want to go passwordless. That’s cool but you’ve got to have a password as a fallback posture. Now, we’re three passwords in to go passwordless. Passwordless doesn’t necessarily mean we kill passwords wholly but that we alter the prevalence with which we use them.
Keep an eye out for the second part of the interview where Troy Hunt shares best practises on how to secure identities in today’s world.
To learn more about Microsoft Security answers visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.
The post How far have we come? The evolution of securing identities showed first on Microsoft Security .
Read more: microsoft.com