The identity verification arms race
- By Matt Leonard
Now that attackers have caught up with the tools we use to protect and verify identity, and it's time for government to play a bigger role in improving identity verification, one cyber expert said.
Jeremy Grant, the former leader of the National Program Office for the National Strategy for Trusted Identities in Cyberspace and a current executive at Venable, outlined his plan at a Nov. 30 hearing of the House Energy and Commerce's Subcommittee on Oversight and Investigations.
“I believe we are at a juncture where the government will need to step up and play a bigger role to help address critical vulnerabilities in our 'digital identity fabric,'” Grant testified.
Identity is increasingly being used by bad actors to get into accounts and systems. As evidence, several lawmakers and witnesses at the hearing cited an alarming statistic: 81 percent of hacking-related breaches were the result of a weak or stolen password, according to this year's Verizon Data Breach Investigation Report.
Much online authentication is knowledge based: What’s your mother’s maiden name? What was the first car you owned? What is your birthday? This is supposed to be information that you know and others don’t, but much of that information can be found on social media, Troy Hunt, an information security author and instructor at Pluralsight, told lawmakers.
And the amount of information that is in the public domain grows with every large breach. The stolen Equifax data compromised information for more than 145 million Americans, including their Social Security numbers and driver's license information, Grant said.
Currently, “authentication is getting easier, but identity proofing is getting harder,” he said. Authentication is getting better because there are more non-password options -- like biometrics -- than ever before. But when people are creating accounts it is “harder than ever” to prove who they are.
This is where the government should step in, Grant said, because the market realizes the need to move beyond knowledge-based verification, but it has yet to develop its replacement.
“This might actually be the most impactful area where the government can help by allowing consumers to ask agencies that already have their personal information -- and have validated it, in many cases with an in-person process -- to then vouch for them with other parties they seek to do business with,” he said.
Agencies like the Social Security Administration, the State Department and the Department of Motor Vehicles would be logical places to start, he said.
This recommendation was included in the final report issued last year by the Commission on Enhancing National Cybersecurity.
“This action would enable government agencies and the private sector to drive significant risk out of new account openings and other high-risk, high-value online services, and it would help all citizens more easily and securely engage in transactions online,” that report said.
Grant explained how he envisioned such a process working in his written testimony. It could rely on the use of a Universal Second Factor USB security key from the FIDO Alliance -- an organization that works on interoperable authentication standards -- that strengthens password authentication by adding a physical token.
Grant described how he recently had to appear at his Washington, D.C., bank in person to validate his identity.
“Which -- in 2017 -- seemed a bit ridiculous,” he testified. “I would have much preferred to simply log into the DC [Department of Motor Vehicles] with my FIDO security key and asked them to let my bank know who I was – in this case by sharing several attributes about me that the DMV had already validated. But that sort of system does not exist today in the United States," he said.
“If it did, it could solve many of our problems with identity verification in a post-breach world.”