The future of identity expected to vary according to risk

News by Tony Morbin

There are changes on the cards for how we confirm identities, with most people happy to accept more risk if its lower value. Therefore use of multi-factor solutions with differential application is expected to grow.

In a discussion  with SC Media UK on ‘The Future of Identity', Stephen Mowll, director of identity, governance and lifecycle, RSA kicked off by looking at adaptive security - making things easier when the risk is low and accepting less convenience when the risk is higher.

Mowll noted that we moved from passwords alone some time ago: "Even bank log-ins have not just relied on user name and password for long time; they already incorporate the device used, its location, and a broader set of things when authenticating, and businesses are now starting to look at risk-based authentication." It was noted that or some circumstances, biometric solutions may be stronger, or a secure ID token preferred - proof of having that thing or knowledge.

Stephen Mowll

But beyond these, Mowll suggest that: "Another area of context that we need to look at is context of the thing the user is looking to do. If it is high risk, then authentication should be of high value - if its a low risk transaction, then maybe you reduce the authentication requirements.  It's the 80;20 rule, most activity is low level requiring convenience and you can reduce the burden there.  Most people are happy to accept more risk if its lower value. Therefore you can use multi-factor solutions with differential application."

Currently techncial solutions include identifying the device and the location of the device - but Mowll says we need to put this into more of a business context and understand the context of the process.  "We need to understand the full context across the entire end to end process. For consumers, services should be prioritised, so if they federate their identity to somewhere else, you are taking the trust from somewhere else, and different levels of security policy will apply. For adaptive security we need to look at how adaptable is the risk level? It is easier than authorisation, and it can change according circumstance. Currently its all about who you are not the access you are getting, and that remains static. In future will will need to look at how we adapt based on the level of risk."

From a consumer perspective, working in retail services, there is a lot of opportunity for authentication methods using biometrics to access centralised services.  Mowll suggests enterprises can run it in specific cases, then look at how to implement more broadly.  Previously identity was not taken so seriously as part of IT; it was a last thought when building an app, but going forward we need to think about id as part of what is being done at the development stage and not an add on.  

"Previously id related to the person and authentication was tied to the account, but we need to avoid this separation," says Mowll, adding: "We are now realising ID plays a bigger part in security -  including compromised ids, insider threats, and the convenience factor - to better understand the risk to businssess and provide more assurance to users."

Another issue is how adoption of cloud services has speeded up over last 18 months, including HR, sales, office 365, infrastructure as a service, and in general companies are seen as doing a good job of risk assessment of what they want to put in the cloud.  Mowll suggests that the challenge is that while they do those assessments, business users aren't necessarily going to adhere to their policies of controls and standards (needed to enable organisations to put sensitive data in the cloud) and gaining visibility of what is in the could that needs to be protected is difficult. 

There are good processes and standards for federating id into a company. Mowll  suggests that directories can be used to control access to use the infrastructure of a third party - whereas in the past companies often didn't know if they were in a third party service, or if the person using the service had left the company etc, so there is a lot of scope for providng services around that.

"He asks, is visibility there, business to business?" adding that there is a big visibility gap between the actual administrators and the people who service is relied upon.

What about the role of Blockchain in id? "Where digital identity is something that is absolutely needed to provide proof of who they are, it has a role.  Blockchain offers opportunities for people to prove who they are.  Oganisations are on-boarding block chain solutions now, where people need to prove who they are, including passports etc.  So Blockchain has foundations for what we need but it needs to adapt to provide what we need."

There is also the issue of the potentially liability of someone assuring that id.  Who should be the people to assure that? "A lot of people want to be the ones to do that and provide id, but that is not a holistic id. Governments are getting involved to some degree in various parts of world, and telcos are looking at how to monetise the id's that they understand, and other ways as to how you use the mobile device and other services.

"Blockchain could put all these components into a single id but then you have the challenge of what to do if that gets compromised.  Your financial id (Equifax) has been hacked containing information that even your closest relatives don't have.

"So there needs to be a whole series of independent proofs, to make up an id. A risk analytics component comes in, but its not an easy problem to solve. Enterprises could solve it in a simpler way if they adopted standards in the way they mange the access that they hold, but there are no standards around authorisation."

Authentication has long had standards built into apps, but when it comes to  a broader context of authorisation and how apps are set up to control access, Mowll says none have been successfully adopted.

He says that commercial options such as PCI DSS managed by financial organisations have their limits of the level of risk that  they will accept, and they have a financial limit of fraud, and the risk of  non-compliance; they can see a return on investment through reduction of fraud and organisations can quantify that risk.

The issue, says Mowll, is:"Whose standards, for whose benefit?"  From an organisation's perspective, they need to adopt id standards for the systems and apps and the data they hold. There are already a lot of directives such as GDPR, financial regulation, Sox applies, and there are other factors there - and there are ways to interpret those to provide convenient yet secure access to services - but Mowll says there's still a lot of interpretation going on. 

"Even when there is a penalty, its still about achieving a balance between risk versus convenience.  If it is government or locally enforced, it is more likely to be adopted. Businesses do understand protecting data, passwords and credentials; it is often not put into the process  if they can't find convenient way, but they understand the risk. Its not lack of awarenss of the standards, but failure to recognise the value they can provide."

And for the developers of an app or service: "Often they are not considering how they will manage id and underlying access, and they don't think of how they can do it in a standardised way, nor in relation to controls people need to adhere to - and as they don't understand the broader compliance requirements they just build out what is needed to deliver the service.

"Some do have a deeper level of knowledge and are being more successful in the roll out of id and access, around things they develop themselves, than services and apps that they bring into the business - but even here, id access of usually not thought about in a broader way, just these accounts, have this access.

Discussions moved on the the issue of whether we, as consumers, are giving away too much data.

An interesting example cited is the frequent need to prove you are over 18. You may provide a driving licence or passport and so you are providing more than is needed.  "You need to be able to just prove the question asked.  A lot of digital services operate the same way, using more contextual information than is needed to answer the question.  For a service provider its, the more information the better in a risk based situation, so the more convenient they can make it, but from a personal perspective, do we even know what we are passing over? The service holds a lot of information, but why does it want to know your location? Is it to make you more secure or to understand to send marketing information? We don't have a full grasp of how the information is being used. So while we may appreciate the convenience we rarely understand the context."

Examples inlcude Apple which updates trackng of where you park. Every element of data about you has value. A smart meter is good for burglers if showing a 4/5 day period of no use. All these elements can provide id proof and convenience, but the reverse is that they are all useful for some other purpose, even facial recognition.

As a civilisation, Mowll says the question remains,  if we have nothing to hide, and it ultimately protects us, do we share - or do we still want our right to anonymity - a balance has to be struck.  People may be happy to share medical data and dna, to get lower lower  insurance premiums, but they may also be refused a mortgage. 

Mowll suggests that to an extent, we are living in a  panopticon: "Everything you do, there's almost nothing you cant find out. If you put enough bits of information together you can get a picture of person.  People are starting to become more aware, but they still view tech as convenient to share and don't consider the repercussions of what they are doing, or understand what they are doing, eg on access."

So what about humble password? - it doesn't tell anyone anything about me. "As a primary form of authentication its just one factor and realistically we need to look at risk versus convenience - it can be inconvenient.  But too many are complicated, but it will always have a place, eg a pin as an authenticator, but other factors provide more convenient way of doing that. You can control the risk with multiple factors, with risk based approach toward them, but its never going to die as there are a lot of applications."

Asked for any final comments, Mowll summed up: "We need to treat id as a business enabler, and treat it in a standardised way or its open to interpretation."

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews