
The best identity management advice right now

Roger A. Grimes | June 13, 2017
We've never been closer to getting pervasive, global identities. And with 2FA/MFA, you get all of the benefit with less of the risk.

If the global identity mechanism you are using gets compromised at its source (i.e., at the identity provider), there is a greater risk that the compromised identity can be used in more places. For example, if a bad guy compromises your Facebook account logon name and password, it is more likely that he will be able to get into everywhere you log on using your Facebook account credentials.

But that's why Facebook, and most other popular social sites and authentication providers, are pushing stronger 2FA and MFA solutions, and you should use them. That way, even if the hacker gets your password, he doesn't get (at least not immediately, if ever) the second factor or physical device required as part of your authentication.

Additionally, most of the global identity solutions don’t use a single authentication token on the participating sites. Instead, your “global token” is used to create separate site- and session-specific authentication tokens that are never used at other sites. This means if an attacker breaks into a particular site that relies on your global authentication token, it can’t be used elsewhere. It’s win-win. Much better than a shared password.
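The following is an added illustration of the per-site token pattern described above; it is example code written for this page, not code from Facebook or any named identity provider. It assumes an identity provider that shares a distinct MAC key with each relying party at onboarding (the site names, key sizes and 300-second lifetime are constructed), and it uses HMAC with an audience claim so that a token minted for one site fails verification at every other site, and fails a second time at the same site once its nonce has been used.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


class IdentityProvider:
    """Holds the user's single global identity; mints a separate token per site."""

    def __init__(self):
        self._users = set()       # users who have authenticated to the IdP
        self._site_keys = {}      # site -> MAC key shared only with that site

    def register_user(self, user):
        self._users.add(user)

    def register_site(self, site):
        key = secrets.token_bytes(32)
        self._site_keys[site] = key
        return key  # handed to the site once at onboarding, over a trusted channel

    def issue_token(self, user, site, now=None, ttl=300):
        if user not in self._users or site not in self._site_keys:
            raise KeyError("unknown user or site")
        now = int(time.time()) if now is None else now
        # Site-specific (aud + per-site key) and session-specific (nonce + exp)
        claims = {"sub": user, "aud": site, "exp": now + ttl,
                  "nonce": secrets.token_hex(16)}
        body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
        mac = hmac.new(self._site_keys[site], body, hashlib.sha256).digest()
        return (base64.urlsafe_b64encode(body).decode() + "."
                + base64.urlsafe_b64encode(mac).decode())


class Site:
    """A relying party: accepts only tokens minted for it, each nonce once."""

    def __init__(self, name, idp):
        self.name = name
        self._key = idp.register_site(name)
        self._seen_nonces = set()

    def accept(self, token, now=None):
        now = int(time.time()) if now is None else now
        try:
            body_b64, mac_b64 = token.split(".")
            body = base64.urlsafe_b64decode(body_b64)
            mac = base64.urlsafe_b64decode(mac_b64)
        except ValueError:          # malformed token (binascii.Error is a ValueError)
            return False
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            return False            # forged, or minted under a different site's key
        claims = json.loads(body)
        if claims["aud"] != self.name or claims["exp"] <= now:
            return False            # wrong audience or expired
        if claims["nonce"] in self._seen_nonces:
            return False            # replay of a session token already used here
        self._seen_nonces.add(claims["nonce"])
        return True


def demo():
    """Constructed scenario: one global identity, two unrelated sites."""
    idp = IdentityProvider()
    idp.register_user("alice")
    shop = Site("shop.example", idp)
    bank = Site("bank.example", idp)
    t = idp.issue_token("alice", "shop.example", now=1000)
    return {
        "shop_accepts_own_token": shop.accept(t, now=1001),
        "shop_rejects_replay": shop.accept(t, now=1002),
        "bank_rejects_shop_token": bank.accept(
            idp.issue_token("alice", "shop.example", now=1000), now=1001),
        "shop_rejects_expired": shop.accept(
            idp.issue_token("alice", "shop.example", now=1000), now=1400),
    }


if __name__ == "__main__":
    print(demo())
```

The two checks that matter are the per-site key (a token stolen from one site cannot even be verified at another) and the audience claim (a site that somehow shared a key would still refuse a token addressed elsewhere); the nonce set is what makes the token session-specific rather than merely site-specific.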


Biometric worries

I do worry about the casual use of biometrics and how they may one day be stored in everyone’s global identity account. Biometrics are never as great as they are purported to be. They aren’t as accurate as claimed, often easy to fake, and often don’t work (just have a little sweat or dirt on your fingerprint and try using your fingerprint reader).

But suppose you are a big biometric fingerprint fan and you want to be able to use them to access any website, so you pick a global authentication provider that accepts your fingerprints. It sounds like a great idea. But once we start storing fingerprints in global identities, attackers who compromise the identity provider will have your fingerprints…forever. They could possibly “be you” on all the other web sites that accept your fingerprints.

So far, two things have saved us from biometric identity theft becoming a widespread problem (beyond the fact that biometrics just aren't accepted in many places other than phones and laptops). First, most biometrics are stored and used locally. This means the hacker has to access and compromise your device to get at your biometric identity, and even if he does, the biometrics would not work beyond that single compromised device.

A second, related issue is that once you log on using your biometric identity, everything that happens authentication-wise from then on uses one of the other, previously discussed authentication methods: some token other than your fingerprint. Your biometric identity (usually) doesn't leave your local device. That would change if people started to rely too heavily on biometric authentication globally.
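The local-only flow the two paragraphs above describe, as an added example written for this page (not the author's code or any vendor's implementation). The fingerprint is a constructed six-value feature vector with a constructed similarity threshold; the device-bound key is an HMAC secret standing in for the key pair that FIDO-style deployments use, so that the example runs on the standard library alone. The point it demonstrates is the trust boundary: the template is compared only on the device, the server stores and verifies only a device key, and that key can be revoked, which a fingerprint cannot.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for a fingerprint template: a short feature vector.
# Real sensors store minutiae data, but the trust boundary is the same.
ENROLLED_TEMPLATE = [0.82, 0.11, 0.57, 0.39, 0.93, 0.26]


class Server:
    """The web service: knows a per-device key and issues challenges; no biometrics."""

    def __init__(self):
        self.devices = {}     # device_id -> device key (a public key in FIDO-style deployments)
        self._pending = {}    # device_id -> outstanding single-use challenge

    def register_device(self, device_id, key):
        self.devices[device_id] = key

    def challenge(self, device_id):
        nonce = secrets.token_bytes(32)
        self._pending[device_id] = nonce
        return nonce

    def verify(self, device_id, challenge, response):
        key = self.devices.get(device_id)
        issued = self._pending.pop(device_id, None)
        if key is None or issued is None or issued != challenge:
            return None
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            return None
        return "session-" + secrets.token_hex(8)   # ordinary session token from here on

    def revoke(self, device_id):
        # A leaked device key is replaceable; a leaked fingerprint is not.
        self.devices.pop(device_id, None)


class Device:
    """The phone or laptop: the only place the template is stored or compared."""

    def __init__(self, server, template, threshold=0.15):
        self._template = template
        self._threshold = threshold
        self._device_secret = secrets.token_bytes(32)   # never leaves the device
        self.device_id = secrets.token_hex(8)
        self._server = server
        server.register_device(self.device_id, self._device_secret)

    def match(self, sample):
        # Mean absolute difference; a sweaty or dirty reading drifts past the threshold
        dist = sum(abs(a - b) for a, b in zip(self._template, sample)) / len(sample)
        return dist <= self._threshold

    def login(self, sample):
        # Step 1: the biometric check happens locally and yields only a yes/no
        if not self.match(sample):
            return None
        # Step 2: what crosses the network is a response to a fresh challenge
        challenge = self._server.challenge(self.device_id)
        response = hmac.new(self._device_secret, challenge, hashlib.sha256).digest()
        return self._server.verify(self.device_id, challenge, response)


# Constructed sensor readings
GENUINE_SAMPLE = [0.80, 0.13, 0.55, 0.40, 0.95, 0.24]    # clean finger
SMUDGED_SAMPLE = [0.82, 0.11, 0.57, 0.10, 0.40, 0.90]    # same finger, dirty sensor
IMPOSTOR_SAMPLE = [0.20, 0.90, 0.10, 0.80, 0.30, 0.60]


def demo():
    server = Server()
    phone = Device(server, ENROLLED_TEMPLATE)
    results = {
        "genuine": phone.login(GENUINE_SAMPLE) is not None,
        "smudged": phone.login(SMUDGED_SAMPLE) is not None,
        "impostor": phone.login(IMPOSTOR_SAMPLE) is not None,
        # Everything the server holds is a key, never a template
        "server_holds_template": any(v == ENROLLED_TEMPLATE for v in server.devices.values()),
    }
    server.revoke(phone.device_id)
    results["after_revoke"] = phone.login(GENUINE_SAMPLE) is not None
    return results


if __name__ == "__main__":
    print(demo())
```

The smudged reading fails locally, which is the everyday annoyance the article mentions, but note that the failure never reaches the server; what the server sees in every case is only a challenge response keyed by a secret it can rotate.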

