enterprisesecuritymag

Identity X.0

By Chema Alonso, Chief Data Officer, Telefónica

Identity is intrinsic to humanity because of our need to differentiate ourselves from those with whom we relate. Nature helps us in this, giving millions of people different physical traits that make this differentiation possible, such as physical constitution, the color of the hair and eyes, the shape of the face, the voice, or traits that are less directly appreciable, such as the fingerprint or the iris.

During our lives, we also develop behaviors that allow us to differentiate ourselves from others, such as the way we write and sign, our way of speaking (including the lexicon we use), the way we walk, and many other examples.

I like a research paper that details a new way of recognizing a person based on the way the person plays Guitar Hero. Isn't it great? Yes, maybe it’s impractical if you want to authenticate yourself on a website, but you have to admit that as an authentication system it’s super-cool. Inspired by that, we at Telefónica have created an authentication system based on the way a person solves—or tries to solve—a Rubik’s cube. Yes, we do those things when we’re investigating the future.

Throughout history, we have used these traits to identify people, and more recently we have recorded them through an image or photo. Since these traits and characteristics are challenging to describe without a visual channel, it is common to assign numbers or alphanumeric strings that allow much quicker and easier identification. Examples of these are the national ID number, the employee number of the company in which we work, or the telephone number assigned to us by our telecommunications company.

In addition, with the advent of Artificial Vision models, now that AI-based cognitive services are able to recognize people in photographs with greater accuracy than human beings, facial recognition is beginning to be regulated in many parts of the world. In the case of Microsoft’s personalities recognition services, you can see how Kevin Mitnick and I are not able to fool the algorithm even if we change my cap and his glasses. People worry that an AI will be able to do this not only with celebrities but with everyone in the world.

The emergence of the Internet and digital economies has displaced a large part of our interactions from the physical world to the digital world of the Internet. On the Internet, we can no longer see whom we are dealing with and therefore cannot identify them by their differentiating characteristics, making it even more necessary to have mechanisms that allow people to prove their identity when accessing services or carrying out transactions.

We want to know with certainty who we are dealing with without having to carry out lengthy verification work, so we must rely on a mechanism that is sufficiently reliable but at the same time easy to use, so that people do not refuse to use it because of the effort or time needed. By the end of a day, we have accessed hundreds of services, and just a few seconds spent demonstrating who we are each time add up to many minutes devoted to a monotonous and repetitive task.

Not only is the robustness or legal compliance of authentication systems important; we also have to consider the universality of the chosen mechanism and its usability for the people who have to use it.

A few decades ago, it was decided to add a secret (password) to the user’s identity, which the person had to memorize so that they could use it to prove their online identity. This solution is still commonly used today but has demonstrated multiple weaknesses that malicious third parties can exploit to perpetrate identity theft. To mitigate these weaknesses, it is necessary to complement this mechanism with additional authentication factors that do not depend only on remembering passwords but involve the possession of something or the analysis of some morphological trait or behavior of the person (biometrics).

The Holy Grail of people authentication is to be able to use all three factors: something you have (a physical token), something you are (some biometric trait), and something you know (such as a PIN or a password). But it’s not enough when we talk about today’s Internet.

Through the Internet, we not only interact with other people but also with objects, computers, and companies on a daily basis. That is why we also need to provide them with an identity and mechanisms for accrediting them. Since they do not have physical traits that differentiate them, we choose to certify this differentiation either during their creation process (e.g., serial number, tax identification number) or later (e.g., digital certificate) after having physically verified who they are.

The current number of objects connected to the Internet is already greater than the number of people, and its size is in the billions, so the challenge of maintaining these identity mechanisms is very complex and requires tools and algorithms to help us in this task.

A popular saying states that “information is power,” but in the case of identity, it could be adapted to say that “information is identity.” That is why the collection of all kinds of information from the people we want to identify is an increasingly widespread practice on the Internet. Thousands of attributes of people’s interactions with services and associated devices (smartphones, laptops, wearables, sensors, intelligent speakers, cars, smart TVs and other home devices) are collected with the aim of creating a precise profile of people containing their tastes, habits, beliefs, convictions, friendships, places they frequent, and many other personal data.

To manage such an enormous amount of data and be able to generate these profiles, we use optimized storage systems (Big Data) and algorithms that turn our profile into a complex mathematical formula, with the aim not only of identifying us in any interaction without using authentication mechanisms but also of predicting our actions.

When we authenticate a person by how they behave, we can develop advanced security systems that find out the identity of the person using the device without requiring them to perform any specific action.

The management of all this data has sparked a huge controversy over who should be responsible for its custody and how it is used, because of its enormous potential and value. Some argue that if data belongs to individuals, they should be solely responsible for keeping it and authorizing access to it, thus creating the concept of sovereign identity. This sovereign identity relies on technologies that are based in turn on distributed networks and the intensive use of cryptography, as in the case of blockchain. But it also has its detractors, as blockchain still has challenges ahead to prove itself as the system to be used in the future to enable this identity management.

Identity in the digital world is continually evolving, trying to adapt to the ongoing changes and needs that are arising in order not only to simplify interactions but also to provide a high level of security. The aspiration is that this identity is transparent to people, can be applied not only to people but also to all objects connected to the Internet, and helps prevent malicious use and minimize fraud and identity theft. Can we do it?
