A Case of Identity: A New Approach To User Authentication

Protecting Personal Credentials Remains The Weakest Link In Data Security

The weak link in data security continues to be protecting identity and personal credentials. Individual users continue to fall prey to phishing attacks and have their credentials stolen, putting personal and enterprise data at risk, even as InfoSec managers strengthen the wall around enterprise assets and implement new strategies to protect cloud data. Identity theft is still the most common cause of data breaches, and with the rise of work-from-home options following the COVID-19 pandemic, it’s more important than ever to protect personal information and avoid data breaches caused by human error. It’s time to reconsider how users are authenticated.

The number of cyberattacks aimed at stealing a person’s digital identity is on the rise. The number of identity theft cases doubled from 2019 to 2020, according to the US Federal Trade Commission, with a spike immediately following the coronavirus lockdown. Because employee credentials can both unlock enterprise access and enable identity theft, the new work-from-home business culture makes identity theft even more appealing. As a result, employers are experiencing an increase in issues involving stolen credentials.

With the arrival of the COVID-19 pandemic, businesses were forced to scramble to provide security to remote workers. Companies realized they needed to secure employees’ home networks, laptops, and mobile devices to ensure business continuity while maintaining system security. At the same time, more than half of employees said they had to find a way to work around security measures in order to complete their tasks.

Security strategies from the past are insufficient to support the new remote workforce and provide safe verifiable credentials. A new approach is required that makes personal security and identity authentication simple, reliable, and cost-effective. A digital trust ecosystem could be the key to securing your data. First, however, organizations must learn from the pandemic and adapt to the challenges it poses.

Security Lessons Learned from the Pandemic

The new work-from-home culture is one of the pandemic’s emerging trends. According to Gartner, 82% of CEOs intend to make some form of remote work-from-home policy permanent in the future. What began as a scramble to support a new remote workforce has evolved into a permanent part of the business landscape. While firewalls and malware protection are still important, information security managers must focus more on securing home offices and validating remote worker credentials.

Individual employee authentication is a constant challenge for the company. While malware attacks are decreasing, phishing attacks are increasing, with companies reporting an average of 1,185 attacks per month, the majority of which are aimed at obtaining user credentials. User behavior continues to be a wild card, regardless of how resilient a company’s security measures are. A phishing attack can fool any employee, and they may unwittingly hand over their keys to corporate access to a cybercriminal.

Personal identity continues to be a weak security link. Cybercriminals can gain unauthorized access to business assets, personal finances, medical records, and more by obtaining the right personal information, or they can use stolen credentials to open fraudulent accounts. Because individual user authentication is a security flaw, a more secure identity approach is required.

The ideal solution is to create a one-of-a-kind, impenetrable personal identity or Digital ID that stays with the person. That Digital ID must be able to authenticate identity without revealing personal information that can be used for identity theft, such as a social security number or even a mother’s maiden name. Infosec must have little to no work managing these individual credentials while still having the ability to control access to enterprise assets. The ideal approach is to implement a digital trust ecosystem based on distributed ledger technology, similar to blockchain.

Creating a Digital Trust Ecosystem

The use of distributed ledger technology to support the creation of verifiable credentials has opened up new possibilities for digital identity management. Distributed ledgers, unlike traditional databases, record the details of each transaction or record in multiple locations at the same time, with each node verifying each item to reach a consensus. Using a distributed ledger for digital identity management allows you to authenticate identities or credentials without exposing the credentials themselves. The only thing that is revealed is that the information has been verified by the distributed ledger system to prove identity.

A digital trust ecosystem can be built as a SaaS platform using distributed ledger technology. This method can be used by a single entity, such as a company, or it can be set up as a private consortium in which multiple entities use the same digital identity verification system.

While the technology that underpins a digital trust ecosystem is complex, the practical approach is straightforward:

  1. It all starts with a trusted attribute authority that verifies personal data. It could be a government agency like the Department of Motor Vehicles or a private corporation.
  2. Users who want to take part must join the consortium. This allows them to maintain control over who has access to their personal information.
  3. Their identity is verified during the onboarding process. Individuals are validated by the attribute authority using whatever information is required, such as a social security number, birth certificate, or login credentials, and the data is protected by a distributed ledger. The person is then given a one-of-a-kind authentication code, such as a QR code.
  4. To authenticate user identity, any organization can join the same consortium. There is no risk of identity theft because none of the credentials are exposed, and there is no need to share passwords or log-in credentials.
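
The four steps above, as an added Python sketch that is not code from this article or from any vendor's product. The `Node`, `onboard` and `verify` names, the salted hash commitment, and the majority rule across replicas are all assumptions chosen to illustrate the flow: the ledger stores only a commitment, never the personal data.

```python
import hashlib, hmac, secrets

GENESIS = "0" * 64

def h(*parts: str) -> str:
    """SHA-256 over NUL-separated fields (fields here are hex strings, so no NULs)."""
    return hashlib.sha256("\x00".join(parts).encode()).hexdigest()

class Node:
    """One ledger replica: an append-only, hash-chained list of entries."""
    def __init__(self):
        self.chain = []

    def append(self, cred_id: str, commitment: str) -> None:
        prev = self.chain[-1]["digest"] if self.chain else GENESIS
        self.chain.append({"cred_id": cred_id, "commitment": commitment,
                           "prev": prev, "digest": h(prev, cred_id, commitment)})

    def lookup(self, cred_id: str):
        """Commitment for cred_id, or None if missing or the chain fails its integrity check."""
        prev, found = GENESIS, None
        for e in self.chain:
            if e["prev"] != prev or e["digest"] != h(prev, e["cred_id"], e["commitment"]):
                return None  # replica was altered after the fact; do not trust it
            prev = e["digest"]
            if e["cred_id"] == cred_id:
                found = e["commitment"]
        return found

def onboard(nodes, pii: dict) -> dict:
    """Attribute authority (step 3). Checking `pii` against source records is assumed
    to happen out of band; the PII is never written to the ledger."""
    cred_id, secret = secrets.token_hex(8), secrets.token_hex(32)
    for n in nodes:
        n.append(cred_id, h(cred_id, secret))
    # Payload for the user's QR code. It is a bearer secret: a copy can be replayed,
    # because this sketch does not bind presentation to a holder key or a challenge.
    return {"cred_id": cred_id, "secret": secret}

def verify(nodes, qr: dict) -> bool:
    """Relying party (step 4): accept only if a strict majority of replicas agree."""
    expected = h(qr["cred_id"], qr["secret"])
    votes = 0
    for n in nodes:
        stored = n.lookup(qr["cred_id"])
        if stored is not None and hmac.compare_digest(stored, expected):
            votes += 1
    return votes > len(nodes) // 2
```

With three replicas, one altered replica is outvoted and verification still succeeds; two altered replicas cause verification to fail.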

The advantage of this method is that the unique identifier stays with the user, allowing the same code to be used across multiple applications for identity validation. Anyone interested in using the system can do so by downloading a QR reader to their smartphone. To secure enterprise users, there is no additional work for IT or InfoSec, and the same identity can be extended to partners, suppliers, and other parties without the need to create new credentials each time.

The future of digital identity and enterprise security must place a greater emphasis on secure identity authentication rather than passwords and biometrics for asset protection. By using distributed ledger technology, authentication credentials can be made secure while also providing users with a digital identity card that is impossible to forge and can potentially be used anywhere. Identity validation is only one of the many possible uses for a digital identity card. It can be used for a variety of purposes, including professional certifications, travel authorization, and even vaccine passports. Personal medical data can be protected in the same way that passwords and personal identifiers are. In New South Wales, Australia, the technology is already being used to issue digital driver’s licenses and professional trade licenses.

By putting security in the hands of the user rather than using passwords or access keys, you put the user in charge of authentication while giving information security managers a way to authenticate employees without adding security overhead. This is a safe and scalable solution for everyone.
