Identity as the new security boundary

Not so long ago a PC was safe behind a firewall. The idea was that the physical infrastructure of a network would be enough. Anti-virus and anti-malware products sat on PCs to protect users.

Then hybrid working came along, with digital nomads who could connect to networks from anywhere. New startups had users connecting to web-based applications. People were bringing their own devices (tablets, phones, projectors and so on) into the workplace. Security has now started looking at people. Microsoft call this zero-trust. You don’t just trust someone because they can log in. You have systems that secure identity itself.

There are three steps to identity security. 

1. The credentials that authenticate you. For most people this is an account identity and password. Often the identity is an email address or some other public identity. This leaves the account secured by the password, with its strength and complexity protecting authentication.

2. Authorization is the next step: what you can access with your authenticated identity.

3. Finally, continuous verification. Is your identity still valid and do you still need access to a specific service or resource?

Identity is now on the front line of information security. This is why multi-factor authentication (MFA), also called two-factor authentication (2FA), has come to the fore. The weakness of passwords makes them easy to hack, and people can potentially be persuaded to hand them over. Not only is this bad for work, it is also bad for consumers who are scammed by a variety of methods.

We now are heading for the age of passwordless. Not everywhere. Not for everyone. There are plenty of older systems out there that are going to need passwords for a long time. Users of systems are now the weakest link in security.

In a great fanfare Apple launched Passkeys. In the way that Apple do things it was presented as a technology Apple just invented. However, both Google and Microsoft have implemented it. It also needs to be supported by web browsers.

Essentially, when you try to log onto a website or other resource you are met by a QR code. You scan this and a private key is created on your device, and subsequently you will access that site without a password. Apple will be storing these keys in its keychain and Microsoft in its authenticator app. You can generate on-device keys for Windows, macOS, iOS and Android.

With passwords gone, security is now in the hands of users. There is also the move by governments to have secure digital identities to access government services. In the UK this is the GOV.UK Verify service. Some countries, like Estonia, align digital identity with national ID cards.

The security paradigm has moved from services just having passwords inside a secure network to now having complex keys that users don’t have to remember but are less easily hacked. Over the next few months web browsers, apps, services and operating systems will move to passwordless.
