Regulations are driving innovation toward an identity layer on the Internet – Help Net Security
The security community often points to the inherent lack of an encryption layer on the Internet as a factor behind many of the related threat vectors. The decentralized nature of the web, which has driven its near ubiquity, also makes it a vector for crime and fraud, not least because we have no way of knowing whether we are sending information to the wrong people or whether the information we receive really comes from who we think it does.
The Internet itself is experienced through a multitude of content and context, and the lack of trust around digital identity impacts not just the owners of the content, who want to control who consumes it, but it also has a spillover effect in the digital and physical economy. Identity owners, credential issuers, and credential verifiers are all operating without an identity ecology, as it were.
Even the strongest encryption algorithms provide little benefit if we can’t trust the underlying provenance and integrity of data itself. While the problems of spam, election manipulation by Russian trolls, online identity theft, and other criminal exploits – whether at the hand of cybercriminals or state actors – are daunting, real progress is being made to finally make an identity layer possible.
Bringing identity to the 8th Continent
The scale of the identity problem was well demonstrated in a presentation given by Nat Sakimura of the OpenID Foundation at a recent identity-themed security event held in Tokyo. He described the virtual world as being the “8th Continent” populated by several countries such as the People’s Republic of WeChat, State of Apple Church, Republic of Google, and the GSMA Federation.
Given the important role the virtual world plays in everyday lives and the world’s economic engine, the idea of the 8th Continent makes sense. As an example of its economic vitality, Sakimura highlighted data representing the five years from 2011 to 2017, in which electronic commerce growth in the Japanese business-to-consumer sector ranged from 7 percent to 17 percent per year. In contrast, the entire sector ranged from 4 percent contraction to a positive growth rate of 5 percent.
With the 8th Continent cementing itself as a key part of the world economy, data is undoubtedly its currency. An identity layer is necessary to help control data flows much as currency flows are controlled now. In the analog world, currency flows without identity equals a flourishing black market. On the 8th Continent, data flows without identity contribute to the muddled mess we now see.
Regulations driving technology adoption
One driving force behind changing this situation is governmental regulation. Governments are increasingly looking to regulate flows of personal data through such mandates as the GDPR, which is now passing its one-year anniversary, the California Consumer Privacy Act, and electronic Know Your Customer (KYC) requirements.
Two identity-related standards efforts, the FIDO Alliance and OpenID, are showing particular promise to become foundations for an identity layer. While still in a relatively early stage, increasing industry adoption of these technologies is encouraging. One of the reasons behind this adoption is that government regulations are helping to spur interest in these technologies.
For example, the GDPR includes several security requirements, such as an emphasis on the rights of data subjects in which storage of personal information is both permission-based and time-limited. It also requires reporting on data breaches within 72 hours of an event and sets up potentially draconian fines for violations. These and other provisions are factors driving data holders to strengthen their security regimes.
Moving beyond password security
The security challenges around the current and arguably outdated username/password regime are well known. The combination of FIDO and OpenID promises a platform for single sign-on, passwordless authentication. It is also meant to reduce the amount of sensitive information companies need to hold.
Within the FIDO and OpenID portfolios, the pairing of WebAuthn with CTAP (the Client to Authenticator Protocol), combined with OpenID Connect, is particularly relevant for online services. On the client side, WebAuthn/CTAP provides a method for authenticating the user on a device with a single sign-on. Once the user has authenticated through the WebAuthn JavaScript API, OpenID Connect allows the device to share user attributes stored on the device with multiple services for authentication purposes.
Currently, OpenID Connect only works with username and password authentication on the device side, but the organization is working on specifications to take advantage of WebAuthn/CTAP’s capabilities to employ biometric signals such as a fingerprint or face recognition, or an external device like a USB key, for authentication. By reducing the cognitive load on users and the amount of sensitive information held by online services, this emerging platform enhances user experience as well as cybersecurity.
Regulation is spawning innovation
Government regulation isn’t the only reason for adopting new ID standards and technologies. Online services are grappling with other issues that plague the current username and password regime. For example, a social media service particularly popular in Asia now emphasizes approaches to thwarting account hijacking, which often comes through brute force attacks on passwords. As with the rest of the industry, the company is looking to make it easier to move accounts when users migrate to a new device and to provide easier ways to recover an account when passwords are lost or forgotten.
Blockchain-based authentication systems are now being designed to identify and authenticate both data and devices. One of the use cases of this type of technology is storing authentication information on blockchains. For example, Intertrust recently demonstrated how a piece of video could be authenticated by querying a TIDALs-based blockchain where key information about the video’s creator and its creation history, such as editing and distribution, is fragmented and stored.
The 8th Continent on our horizon
Distributed ledger technology brings an important dimension to identity verification, as it relies on a yes or no answer as to whether an individual is validated or, by way of example, whether a video has been tampered with. The adoption of this and other standards-based trusted identity solutions can help us move to a truly digitized economy, and not just one where digital representations of paper-based systems are introduced.
The same can be said for the rest of the world that depends on the 8th Continent. With greater control and security, innovation toward an identity layer on the Internet will empower both people and commerce.
And while many of these innovations are in their infancy and have only scratched the surface of what is possible, it is becoming increasingly evident that we are on the road to finally realizing the full potential of trusted identity to unleash the promise of digital life.