TechSpot

The digital identity dilemma

By Jos
Aug 9, 2016
Post New Reply
  1. On the one hand, the problem seems obvious. We all need some kind of consistent digital identity (think virtual ID “card”) that can identify and authenticate us not only to all our devices, but to all our online services, commerce and banking accounts, and essentially anywhere where we need to digitally, or even physically, verify who we are.

    Actually solving that problem, it turns out, is pretty hard. For one, any kind of digital identity solution needs to be platform and device independent. Sure, it’s fine to be able to swipe into your phone with a fingerprint reader, but most people own more than just a smartphone, for example and, in many cases, they run different on different platforms.

    Plus, merely logging into the device doesn’t transfer your credentials to all the password-protected websites you use, services you log into, etc. Sure, there’s been some useful improvement in this area over the last few years, but we’re still a long way from the nirvana of what I like to call a portable digital identity.

    Think of a portable digital identity as something akin to a digital passport that could not only identify you to known locations, but unknown situations as well. Want to be able to get immediate access to your Spotify account while using grandma’s PC? As long as she has internet access, no problem.

    One of the most obvious benefits of this type of digital ID would be the eventual abolition (at least, in theory!) of passwords. We all know how horrendously broken the concept is and the amount of money, time and effort wasted—not to mention the incredible amount of frustration they regularly generate—is now measured in extraordinarily large numbers, both for individuals and companies.

    Recently, there have been a number of important steps made toward achieving more universal digital identities. Key among them is the work done by industry organization the FIDO Alliance, whose members include Microsoft, Google, Intel, Qualcomm and Samsung, among many others, but noticeably lacks Apple. Last fall, the organization submitted their FIDO 2.0 Web APIs to the W3C internet standards body as part of an effort to allow digital identity and authentication credentials to be passed from device to device and device to website.

    Essentially, this will enable people to leverage technologies like biometrics—using fingerprints, face recognition, iris scanning (like on Samsung’s new Galaxy Note 7), and more—to not only identify you to the local device, but to other devices as well. Even better, it will enable apps, websites and other services to seamlessly recognize you via that same identity verification. Once it’s widely adopted, this could be the ultimate “friction-removing” technology. These Web APIs should be able to dramatically change how quickly and easily we use web services, make online transactions, and much more, all while dramatically decreasing the potential for fraud and identity theft.

    The Fido 2.0 Web APIs should be able to dramatically change how quickly and easily we use web services, make online transactions, and much more, all while dramatically decreasing the potential for fraud and identity theft.

    Microsoft provided an early version of support for these standards in the enhanced version of Windows Hello that’s built into the new Anniversary Update of Windows 10. In fact, Microsoft is supporting what they call the Windows Hello Companion Device Framework to allow external devices, such as wearables or other Bluetooth-equipped devices with biometric sensors, to enable biometric security not only to devices that don’t have it, but to extend that level of verification to any sites or services which support FIDO 2.0.

    Of course, the security questions about how this all works and how effective it will really be in the real world have been debated quite a bit. While it’s impossible to say that it’s hack-proof, the good news is that the entire effort has been built with worst-case scenarios in mind.

    The technology used to enable the security can be very complex, but there are a few basic concepts worth mentioning. To start, all these efforts begin with a hardware root of trust on any end user device, such as a TPM (Trusted Platform Module), or some other kind of digital security chip, that is physically isolated from the main processor and OS. Leveraging virtualization or similar software isolation technologies, the information used to identify and verify you is encrypted and kept separate from main memory, making it extremely difficult to get access to. In fact, in most situations, it would require physically tapping into the device, which greatly reduces the risk threat in most situations. Plus, that identifying information isn’t directly passed along, but instead is only used to start the process of verification.

    The net result is that highly personal biometric information is not only extremely hard to acquire, but can’t be used to directly tap into an account in the same way that a stolen password potentially can.

    Even with all these efforts, we’re several steps away from a truly standardized, universal digital identity, but it’s clear that we’re much closer to the goal than even just a year ago. By later 2016 or early 2017, the W3C is likely to approve the FIDO 2.0 Web APIs and that’s bound to create some strong momentum around these extremely important standards. Your portable digital identity is nearly here.

    Bob O’Donnell is the founder and chief analyst of TECHnalysis Research, LLC a technology consulting and market research firm. You can follow him on Twitter . This article was originally published on Tech.pinions.

    Permalink to story.

     
  2. BSim500

    BSim500 TS Guru Posts: 198   +272

    Outside of Hollywood movies, I'm really not convinced by the "infallibility" of biometrics. For all the faults passwords / bank code cards / Secure ID keypads / passports, etc, have (which are nowhere near "horrendously broken"), if they are compromised (usually not by yourself) they can be replaced whereas biometrics are "one shot security" for life. Not to mention face recognition is pretty cr*p for identical twins / "Doppelgangers" and has been repeatedly spoofed (even the more advanced version which looks for a "blink" to avoid being fooled by static photographs). How many "selfies" do people post publicly these days?... Likewise, even a theoretically "perfect" solution would only work if it's the only solution. How many credit cards are still being read out over the phone, or fed into handheld offline "swipe" devices? Two examples of many. And what kind of backup plan is there in case the biometric server goes down? It'll end up issuing biometric solutions alongside passwords rather than instead of...

    The biggest security threat is not you "losing" your password, it's having yours and thousands / millions of others password swiped all in one go from lax 3rd party server security who will lose unencrypted biometrics, unencrypted tokens / keys, unencrypted anything, etc, just as easily as unencrypted passwords. The only way of solving that problem is setting an example via significant fines against any company that loses data in an at least partly avoidable attack. Thing is the companies who are worst for such security are the same ones who will not only fight tooth and nail against such solutions but will continue to actively collate far more information about you than is necessary in the first place, which further highlights where the real problem lies - not with password vs biometrics at your end, but others server security and addiction to mass data harvesting / profiling...

    By far the best security I've seen when buying something online is the tickable box that says "I don't want an account, Don't remember my details".
     
    Godel likes this.
  3. Palebushman

    Palebushman TS Rookie

    [QUOTE="By far the best security I've seen when buying something online is the tickable box that says "I don't want an account, Don't remember my details".[/QUOTE]

    Very well said BSim500.
     

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...