A digital identity consists of information collected about a person, device or application. For a human, this could include everything from a Social Security number to online web searches. For a device, it could be an IP address or unique identifier, for example.
Because every business relies on verifiable and high-integrity authentication of its human end users, devices and applications for it to function efficiently and effectively, it is critical to include digital identity in its identity and access management (IAM) strategies. However, in this era of constantly changing privacy regulations and increasing consumer awareness, gaining and retaining customer trust when it comes to digital identities are challenging.
The digital identity concept is increasingly becoming intertwined with the daily lives of humans, devices and applications alike. Making sure the proper security, privacy and hygiene of these identities are implemented is existential.
The following digital identity management steps will enable organizations of all sizes across all verticals to rise to the challenge of ensuring digital identity security and effectively gain and retain trust in the three core digital identity categories.
1. Human digital identities
The hygiene and integrity of each of these authentication methods need to be maintained -- for instance:
- Mandatory time-based password changes must be enforced.
- Multifactor authentication should be mandatory.
- Biometrics, which involve authentication of both measurement of physical characteristics -- e.g., fingerprint, iris, facial characteristics -- and behavioral characteristics -- e.g., typing cadence -- need to be routinely updated to consider changes in physical and behavioral changes.
One area in human digital identity management that has not been given much attention is ensuring digital obliteration once the human has ceased to exist. For instance, stealing the identities of recently deceased individuals to create synthetic identities to commit fraud is becoming prevalent. To safeguard against this, businesses must verify liveliness using, for example, real-time video selfies and periodic reminders to customers to close digital accounts once a person passes away. On the enterprise side, businesses need to have processes in place to revoke authenticators once a subscriber ceases to exist or when potential fraud is detected.
2. Device digital identities
Device trust must start at the time of manufacture. Techniques like hardware root of trust establish baseline identity. However, once a device makes its way into the cloud or a consumer's home, it will be subject to software updates, configuration changes and even location changes. These changes must be factored into the evolving digital footprint and associated authorization for that device.
To reduce potential security risks and ensure device integrity, it is recommended to use secure, standards-based tokens instead of hardcoded usernames and passwords or thousands of individual public key infrastructure certificates.
3. Application digital identities
When users access applications after the initial authentication phase, sessions can be reestablished without the need for reauthentication using the right cookies or session secrets. This is often for a predefined period to ensure seamless UX. However, unauthorized bindings due to interception or malicious code are increasing, threatening application security and user trust.
To prevent these issues, developers should use man-in-the-middle-resistant protocols to provision authenticators and associated keys. In the case of malicious code, developers can prevent endpoint compromise resulting in session hijacking by keeping software-based keys in restricted access or using hardware authenticators that require physical access by the end user.
Finally, a quick note on APIs. Businesses use APIs to connect services and exchange data. Badly written APIs or hacked APIs are a major cause of data breaches. What data is exchanged via the API is the first step to good digital hygiene. For example, the now infamous Facebook and Cambridge Analytica situation is an example of an improperly vetted API. A more contemporary IoT example could be a connected refrigerator talking to the local online grocery API to order produce, providing inventory levels of the fridge's contents. If a hacked refrigerator results in location and visual data being shared, however, then the original digital identity parameters have been compromised.