Authentication Works Better With Identity Proofing

By Mark DiFraia

As the Identity Ecosystem Steering Group’s (IDESG) Identity Ecosystem Framework (IDEF) seeks a better way to create more trustworthy digital identity credentials, we’re glad that the identity world is bolstering its security with a growing focus on strong authentication factors. We see the improvement every day, since fingerprints are now the dominant way of opening our mobile devices. We’re also seeing solutions emerge that add SMS, biometrics and other factors to the actions people are taking online.

These efforts and innovative energy are valuable, but how can we ensure that we’re getting our money’s worth if the identity credential the person is using wasn’t proofed at a high level of assurance? While we continue to enjoy a growing list of strong authentication methods, we should keep our eyes open to ensure that the strength of authentication is in some way proportional to the identities we are authenticating.

The IDEF speaks directly to this point by requiring that attribute verification be robust enough for the actual intended use of the attributes.

The authentication movement is bringing new security capabilities to bear at scale, especially through our mobile devices. We all benefit from that. When I am truly who I claim to be, and I can add a factor of authentication such as a fingerprint or “selfie” as an option, I gain both security and convenience.

This is especially valuable because our online environment is still dominated by self-attested accounts. Such accounts are the online credentials we use to access websites and portals, and we created them by little more than completing an online identity profile. In the short term, we can enjoy some peace of mind by applying stronger authentication to these accounts, but their true value will emerge when we all have stronger identity credentials to leverage online than we do today.

Vetted Identity Credentials Are Expensive to Create

Highly trusted, well-proofed and vetted identity credentials are hard to come by at scale, and there’s a good reason for that: They are very expensive to create. To meet the criterion for a high level of assurance, identity providers must perform in-person proofing events with the kind of rigor seldom seen beyond the most trusted government credentials.

At this time, the nongovernmental market is showing a greater inclination to add strong authentication to weaker credentials than to spend the time and money needed to conduct in-person proofing events, which would produce a high-trust credential. So, if the credential isn’t high trust to begin with, how does adding strong authentication factors help? Beyond convenience and perception, probably not much.

What we need next is a set of online credentials that couple strong identity proofing and authentication for mainstream user populations. The IDESG has described exactly that with its IDEF, specifically with respect to third-party standardized credentials and credential issuance.

As noted above, the credential proofing’s strength determines the level of assurance we have in the identity underlying the credential. If that trust level is achieved at proofing time, we can unlock the full value of strong authentication methods.

This is especially true if those authentication methods (face image, fingerprint, etc.) are present and used during the proofing event. Doesn’t it make more sense to leverage factors such as fingerprints or facial recognition if we can compare them against those that were present when the credential was being issued?

In the meantime, we need to beware of having a false sense of security with lower-trust credentials just because we plan to add strong authentication methods to them later on. Let’s leverage these strong authentication methods as we drive toward creating user credentials that prove people are who they claim to be with a high level of assurance.

When strong authentication meets highly proofed identity credentials, we will fully unlock the power they both offer and take a long step toward a stronger identity ecosystem.

Mark DiFraia is secretary of the IDESG and Management Council Delegate at Large. He is also the senior director of market development for MorphoTrust USA.