Digital Identity Needs Fixing, Speakers Share at Secure Technology Alliance Securing Digital Identity Symposium
PRINCETON JUNCTION, N.J., December 13, 2018 – Identity proofing is the weakest link in identity today, resulting in the creation of millions of synthetic identities perpetuating fraud every day, experts shared at last week’s Secure Technology Alliance’s Securing Digital Identity Symposium 2018. The symposium gathered expert speakers to cover the most pressing topics in identity today, including identity validation, strong authentication methods, standards and the future of identity.
“Identity security conversations often center around authentication, but the biggest takeaway from this symposium is that having a sound process for verifying identities before issuing accounts and access credentials is critical to solving our identity fraud crisis,” said Randy Vanderhoof, executive director of the Secure Technology Alliance. “We know now that the processes that we’ve relied on until now, like Know Your Customer (KYC), are simply no longer sufficient for identity proofing, and this symposium provided a call to the industry to come together and agree on a framework to fix this problem.”
KYC is no match for synthetic identities
Keynote speaker Richard Parry of Parry Advisory told attendees that with all the personally identifiable information (PII) available on the web, cyber criminals can easily create synthetic identities that can pass KYC and even have valid FICO scores. He said that while some vertical industries are willing to take on some risk around creating accounts for possible synthetic identities, other industries like healthcare simply cannot afford the risk. The whole onboarding process, Parry said, needs to be fixed.
Other speakers and audience members agreed and discussed options for stronger identity proofing including in-person proofing versus supervised remote in-person proofing, the latter of which has improved and can be conducted more cost-effectively. Many agreed that the industry needs to come together on a common solution, and that NIST’s SP 800-63-3 could be a good framework to follow.
Multi-factor authentication is not foolproof, but necessary
Speakers said that once a strong identity has been created, only then will strong multi-factor authentication (MFA) be effective for its intended purpose – validating that the same person who enrolled is the one accessing the account. But MFA is not foolproof. Computer security columnist, author, and Data-Driven Defense Evangelist Roger Grimes of KnowBe4 presented several ways to hack around MFA including endpoint attacks, subject hijacks, duplicate code generators, SIM swapping, account recovery, social engineering, biometric spoofing and more.
All things considered, he said that any MFA is better than none and businesses should require it whenever possible.
Speakers and panelists also discussed which authentication methods and factors could be embraced to provide security without creating added user friction. They agreed that knowledge-based authentication, where factors are based on a user’s biographical data, is now a risky approach because this data is no longer “secret” and is now as accessible to hackers as it is to the owners of the data. Other methods where authentication factors are more tightly bound to users and their devices, such as hardware tokens, physical biometrics and behavioral biometrics, were discussed as more secure solutions. The need for the industry to coalesce around a standard authentication approach, with NIST’s levels of assurance (LOA) framework and FIDO standards given as examples, was also echoed across presentations.
“The identity fraud problem is reaching its tipping point; the tools are out there to combat fraud, but nothing will gain broad adoption if it adds too much user friction to the process. The Secure Technology Alliance plans to engage the industry in further discussions in 2019 and begin putting forward recommended best practices on identity proofing and authentication that the industry can adopt as a whole,” added Vanderhoof.
For continuing updates on the Secure Technology Alliance, visit www.securetechalliance.org and follow @SecureTechOrg on Twitter.
About the Secure Technology Alliance
The Secure Technology Alliance is a not-for-profit, multi-industry association working to stimulate the understanding, adoption and widespread application of secure solutions, including smart cards, embedded chip technology, and related hardware and software across a variety of markets including authentication, commerce and Internet of Things (IoT).
The Secure Technology Alliance, formerly known as the Smart Card Alliance, invests heavily in education on the appropriate uses of secure technologies to enable privacy and data protection. The Secure Technology Alliance delivers on its mission through training, research, publications, industry outreach and open forums for end users and industry stakeholders in payments, mobile, healthcare, identity and access, transportation, and the IoT in the U.S. and Latin America.
For more information, please visit www.securetechalliance.org.
Montner Tech PR