In earlier blogs, we’ve discussed data breach trends and how the merging of of enterprise and consumer identities creates a large attack surface for hackers. Now, we’ll drill down into the different ways enterprise and consumer identities are becoming even more similar and what we as a security community should do about that.
In earlier blogs, we’ve discussed data breach trends and how the merging of of enterprise and consumer identities creates a large attack surface for hackers. Now, we’ll drill down into the different ways enterprise and consumer identities are becoming even more similar and what we as a security community should do about that.
Multi-factor assimilation
While some two factor authentication methods were created for consumers and then adopted by businesses, others were created for the enterprise and adopted by individual users.
- Biometrics include fingerprint scanners and iris scanners built into native apps for consumer or enterprise authentication. The Nymi band which uses your heartbeat rhythm to authenticate you to resources when worn on your hand is a great example of this.
- Context-based authentication is best known by consumers as a “Remember me on this device” checkbox or as your Verified-By-Visa (VBV) and MasterCard SecureCode (McSc) password. When logging in form an unfamiliar device, the user is asked to validate his or her identity with an additional factor (such as an OTP).
- Single-tap push authentication lets users authenticate with a tap of a button on a mobile device, and is offered by both consumer services and enterprises.
Single sign on at work and at home
You’ve heard of password fatigue, yes? We’re all required to remember so many passwords as part of our daily routines now that consumers experience a sort of existential dread when logging into poular applications. Implementing Single Sign On (SSO) solutions, wherever possible, can eliminate this frustration by providing the capability to authenticate once, and be subsequently and automatically authenticated when accessing various resources.
In the enterprise world, an SSO experience is created using password vaults or identity federation protocols such as Kerberos, SAML and Open ID Connect. In the consumer world, federated authentication, a predecessor to SSO, dominates, though consumer-facing password vaults are available, too. When you click the “Sign in with Google” button to login with your current Google identity, that’s the Open ID Connect protocol extending your Google identity to a new, unaffiliated website, removing the need to create a new identity and log in with a new username and password set.
What’s the key to a universal identity?
If I start a new job tomorrow, can I start accessing the network, VPN and cloud applications using one of my social media accounts? If my new job has implemented an identity broker, then the answer is “Yes!”
Similarly, with an identity broker, you could let your business partners log in to your partner portal using a social identity they already have, saving them the trouble of maintaining a new identity for that service—a worthy cause considering that many breaches are perpetrated by leveraging suppliers’ and partners’ login credentials, as in the Target breach.
An Identity Broker is a system that can support Bring-Your-Own-Identity (BYOI) schemes by taking a user’s existing identity and allowing them to authenticate to unaffiliated websites using that identity. With identity brokering, a single user account can be linked to identities from different identity sources. This is done using protocols such as SAML 2.0 or Open ID connect specifically set up for a brokering scenario.
In the future, we may see an increasing number of identity providers that not only support isolated enterprise identities, but rather providers that increasingly support numerous external identities, such as social media accounts, healthcare smart cards, commercially acquired identities, as well as identities created with off-the shelf wearables that are embedded with smart card chips.
This kind of identity brokering will make our current identity – a universal one – that is interoperable across our consumer and enterprise lives. This is exactly what the FIDO Alliance is aiming for. Led by industry leaders like PayPal, Microsoft, Google, ARM, Lenovo, MasterCard, Bank of America, and American Express, the alliance hopes that by leveraging PKI authentication, we’ll be able to use the same USB dongle, biometric eyeprint, or mobile device to login to our bank accounts, access cloud apps and sign in to our social networks.
The need for better protection
Unfortunately, the idea of a universal identity also raises a number of red flags for the average consumer. While credit cards can be easily replaced and fraudulent charges covered, the damage from stolen identities and sensitive personal information is much longer lasting – you end up with cross-the-board risk between your user and business life. Unless implemented correctly, it could be a key target for attacks. Again, this ties back to the need for secure breach strategies – like granular access controls and policies – that better defend data.