Authentication | 8 min

Ensure High Assurance with Authentication Apps | Secure & Compliant


Businesses face growing pressure to maintain a continuous Substantial level of assurance amid stringent compliance requirements and escalating risks of identity fraud and theft. Two options emerge: building and running the complex, costly end-to-end processes independently, at the expense of user experience, or partnering with an external authentication app that seamlessly integrates identity proofing and continuous authentication and ensures robust security with pre-configured safeguards.

TL;DR

  • Identity Proofing and Authentication Challenges: Businesses face increasing pressure to maintain high assurance levels in compliance with regulations while preventing identity fraud. Balancing security with user experience is crucial as complex processes can deter users.
  • Cryptographic Software Authenticators with MFA: NIST standards emphasize the need for robust authentication solutions. Cryptographic Software Authenticators, ideally with built-in Multi-Factor Authentication (MFA), use FIPS 140-2 certified modules on smartphones to prove possession of cryptographic keys, enhancing security and compliance.
  • Role of Authenticators and Identity Proofing: Authenticators ensure that users can securely authenticate themselves across platforms. Identity proofing processes must verify the integrity of authenticators to prevent spoofing and maintain trust between users and services.
  • Partnering for Assurance: Businesses are encouraged to partner with external providers offering comprehensive identity proofing and authentication solutions. This approach reduces complexity and costs associated with in-house solutions while meeting user expectations for simplicity and security.
  • Looking Ahead: Achieving a Substantial assurance level is a critical step, but managing identity data, privacy, consents, integrity, and compliance with regulations like GDPR remain ongoing challenges that require attention.

Unveiling Identity Proofing and Authentication Challenges

Understanding user authenticity is essential for services to comply with legal obligations and prevent digital identity misuse.

However, implementing complex access management processes can negatively impact user experience and lead to user drop-off. Achieving a Substantial Level of Assurance entails both solid identity proofing and solid authentication processes, as defined by eIDAS and NIST standards.

  • Despite this, many businesses prioritize identity proofing over authentication, leaving them vulnerable to identity fraud targeting the authentication process.
  • While security and compliance are critical, businesses must balance these with user experience, as users prioritize simplicity and ease of use in authentication processes.
  • Thus, reaching AAL2 should not significantly increase complexity compared to the baseline.


The Case for Cryptographic Software Authenticators with MFA

NIST, like other standards and regulations, is quite clear about the conceptual options available, and even a quick glance shows that we need what NIST calls a Cryptographic Software Authenticator, ideally with built-in MFA.

Other options are disqualified, since an authenticator must allow users to authenticate themselves in apps on their handheld device. One cannot expect users to carry anything but their phone, and SMS/e-mail does not qualify as an additional MFA factor, since it hardly ever fulfils the criterion of being out-of-band (and honestly, even if we could enforce out-of-band delivery, it would not be very user-friendly).

With a Cryptographic Software Authenticator, authentication is accomplished by proving possession and control of a cryptographic key managed in a FIPS 140-2 certified module. The Trusted Execution Environment (TEE) on all modern smartphones is FIPS 140-2 certified, hence the authenticator can be (and ideally is) made available through an app.

The TEE typically holds a private key, and the corresponding public key is used by the device to identify itself. Proof of possession can then be achieved through signed messages.

How do we ensure that no one else has taken control of the authenticator? The cryptographic software authenticator is “something you have”, and access to the cryptographic key must additionally be protected with either “something you know” (a memorized secret) or “something you are” (biometrics) in order to achieve MFA and hence reach AAL2.

The Role of Authenticators and Identity Proofing in Digital Security


How do we ensure that the authenticator belongs to the same person who was originally onboarded? The public key of the device must be securely associated with the digital identity, either at an IdP/CSP or as an immutable credential in the user's “digital wallet”.

Identity Proofing is best achieved after the authenticator is registered and inside an authenticated session. It is crucial that the identity proofing process has safeguards in place to verify the integrity of the authenticator, to protect both users and services from spoofing and other fraudulent threats.
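The two mechanisms described above, proof of possession of a TEE-held key by signing a server challenge with key use gated by a local factor, and binding of the device public key to the digital identity at registration, as an added Go sketch. This is illustrative example code written for this page, not code from any product, library or standard the post refers to. It assumes Ed25519 as the signature scheme, an in-memory key standing in for the key a real TEE never releases, and a plain PIN comparison standing in for the TEE's local-factor check; the user name, PIN and context string are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Domain-separation prefix (constructed for the example) so a signature over a
// login challenge cannot be reused as a signature in some other protocol.
const challengeContext = "authn-challenge-v1:"

// Server models the relying party or IdP/CSP: it stores the device public key
// bound at registration and later issues one-time challenges against it.
type Server struct {
	registered map[string]ed25519.PublicKey // user -> public key bound at onboarding
	pending    map[string][]byte            // user -> outstanding nonce, single use
}

func NewServer() *Server {
	return &Server{registered: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

// Register binds the device public key to the user's digital identity; this is
// the association that a later identity-proofing step relies on.
func (s *Server) Register(user string, pub ed25519.PublicKey) { s.registered[user] = pub }

// Challenge issues a fresh 32-byte random nonce. A new challenge replaces any
// older outstanding one, so at most one nonce is valid per user at a time.
func (s *Server) Challenge(user string) ([]byte, error) {
	if _, ok := s.registered[user]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[user] = nonce
	return nonce, nil
}

// Verify checks proof of possession: the signature must cover the nonce this
// server issued and verify under the key registered for this user. The nonce is
// consumed on the first attempt, successful or not, which defeats replay.
func (s *Server) Verify(user string, nonce, sig []byte) error {
	expected, ok := s.pending[user]
	if !ok {
		return errors.New("no outstanding challenge for user")
	}
	delete(s.pending, user)
	if subtle.ConstantTimeCompare(expected, nonce) != 1 {
		return errors.New("nonce does not match issued challenge")
	}
	if !ed25519.Verify(s.registered[user], signedMessage(user, nonce), sig) {
		return errors.New("signature does not verify against registered key")
	}
	return nil
}

// signedMessage binds the signature to the context string and the user.
func signedMessage(user string, nonce []byte) []byte {
	return append([]byte(challengeContext+user+":"), nonce...)
}

// Device models the authenticator app. On a phone the private key is generated
// inside the TEE and never leaves it; this in-memory key is a stand-in. Signing
// is gated by a local PIN ("something you know"), which turns possession of the
// key ("something you have") into two factors. A real TEE also rate-limits PIN
// attempts; this sketch does not.
type Device struct {
	priv ed25519.PrivateKey
	pin  []byte
}

func NewDevice(pin string) (*Device, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Device{priv: priv, pin: []byte(pin)}, pub, nil
}

// Sign answers a challenge only after the local factor has been presented.
func (d *Device) Sign(user string, nonce []byte, pin string) ([]byte, error) {
	if subtle.ConstantTimeCompare(d.pin, []byte(pin)) != 1 {
		return nil, errors.New("local factor rejected: key stays locked")
	}
	return ed25519.Sign(d.priv, signedMessage(user, nonce)), nil
}

func main() {
	srv := NewServer()
	dev, pub, _ := NewDevice("1234") // "alice" and "1234" are constructed sample values
	srv.Register("alice", pub)
	nonce, _ := srv.Challenge("alice")
	sig, _ := dev.Sign("alice", nonce, "1234")
	fmt.Println("first use:", srv.Verify("alice", nonce, sig))
	fmt.Println("replay:", srv.Verify("alice", nonce, sig))
}
```

The server never learns the private key or the PIN: it only sees a public key at registration and, per login, a signature over a nonce it generated itself. Because the nonce is deleted on the first verification attempt, a captured signature cannot be replayed, and a second device that knows the user name and nonce still cannot produce a signature that verifies under the registered key.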

Services do not benefit from engineering this themselves! Even though the work will likely involve third-party software and services, the service provider becomes the asserting party of the digital identity, and with that takes on the full responsibility for compliance, including the engineering and maintenance of all the technological, data and cryptographic components needed to reach a Substantial level of assurance.

Further, the users need to go through a service-specific identity proofing process and they likely need to maintain at least a service-specific memorized secret.

The only feasible and user-friendly option to reach Substantial assurance level for digital identities on the internet is to partner up with someone who takes the full responsibility around identity proofing and authentication. Someone who can take the user through the (often quite extensive) identity proofing flow only once - and where they can seamlessly authenticate themselves towards all integrated services through a user friendly cryptographic software authenticator - all packaged in one app.

We have learned how to authenticate users with an optimized user experience without in any way compromising security and compliance. Businesses need a partner: it is simply too costly and complex to maintain an in-house solution, and there is no other way to achieve the level of simplicity expected by today’s internet users.

And before picking a partner, be aware that we have just scratched the surface of identity management as a whole. Substantial assurance level is a good starting point, but then we also have to manage identity data. Privacy! Consents! Integrity! Quality! Monitoring! GDPR! - but those are all topics of their own.
