EXPERT PANEL: If we could reset the internet what would we do differently to improve identity?

Earlier this year it was widely reported that Russia was exploring plans to temporarily switch itself off from the internet. This got us thinking what if we could reset the internet, what could we do differently with regards to improving identity in this brave new digital world? Here is what the experts had to say in our latest ID Bulletin panel.

John Erik Setsaas, VP of Identity and Innovation, Signicat

The internet was never built to protect privacy – additional elements were bolted on as

John Erik 2017-04-b
John-Erik Setsaas

we realised the complete anonymity that it permitted and the potential for fraud, harassment and other cybercrime.

Now, as technology and regulation has evolved, the whole concept of your digital self online needs to be re-evaluated. Identity solutions putting users at the centre and making them responsible for their own identity simply won’t work. Users forget things and lose devices – it’s not a reliable option.

If we could turn the internet on and off again, we should look to an identity custodian – a trusted entity which securely holds and manages your identity information on your behalf in the same way a bank holds our credit cards and savings accounts. You would then be able to create an avatar with selected information – revealing no more than the necessary information – which your custodian would protect. If we could truly start from scratch with digital identity, the functionality of the ‘identity custodian’ would be built-in to the infrastructure as a new layer. For every connection to a new node, attributes of identity would be validated either granting or rejecting user access.   

Karl Barton, International Channels and Alliances, SecureAuth

Considering how much of modern life exists on the internet in one form or another, if SAlogo-stackedthe opportunity to reset the internet was presented, the first item would be to rehaul how we identify individuals. To complete any process on the internet – from sending an email to purchasing a product to making social media connections – a username and password combination is usually required to identify the digital self. However, passwords are notoriously insecure, providing little to no protection against advanced cyberattacks. A determined threat actor will easily crack a weak password, putting sensitive information at risk if it is the only line of defence. Ultimately if we had the chance to restart the internet, we would eradicate the password completely. 

Instead, identity and access management must take multiple factors into account. At the birth of the ‘new internet’, passwords should be binned and more secure authentication techniques (such as adaptive authentication) should be adopted by organisations to verify the identity of all individuals. The risk-based model layers concepts such as device recognition, geolocation analysis, IP reputation and behavior analytics, which is largely transparent to the user, so the technology has a rare quality of improving security posture without impacting user experience.

We can leverage this technology to support users and maintain a high level of security. As passwords will no longer be a factor, concerns around weak or reused credentials will be addressed. Additionally modern users are aware of the value of their personal data and can work with security teams to improve vigilance, forming a strong defence to keep data safe.

Emily Wilson, VP of Research, Terbium Labs

One of the most important things we can do for identity management is to provide Emily Wilson Headshot_1218people with the tools and the education they need to recognise and secure their sensitive data. We live in a world of constant data compromise and information exposure; defence is necessary, but it is no longer sufficient. We need to empower companies and consumers alike to understand their risks, think critically about data sharing, and take proactive measures to secure their information.

In a world with a hypothetical internet reset, I’d introduce a user-friendly, universal training session upon restart to help all users understand where and when their information is shared, how it’s used, and what they can do about it. I’d walk them through a comprehensive account reset process to create new, secure passwords, set up two-factor authentication, and recognise classic security issues and fraud schemes. These may sound like simple steps, but industry data shows as many as 80% of users repeat passwords across multiple sites, and adoption rates for two-factor authentication measures are still abysmally low.

For companies, I’d introduce additional training to help employees and executives recognise the links between unsecured or compromised data and the security risks they face day-to-day. The current disconnect between compromised data and corporate risk is dangerous at best, and negligent at worst. Companies need to recognise the weight and value of their corporate data, understand the impact that data compromise has on business operations, and begin to track and measure their data exposure over time.

Chris Adriaensen, EMEA Solutions Engineering Lead, Auth0

When we first started interacting with computers, the assumption was that onlyChris-Adriaensen1 technical people would use them and they would understand the machine. It’s easy for a machine to remember a random string of numbers and letters, but for humans, it’s totally unnatural. Thankfully connectivity and computing power was low, and we didn’t need a lot of characters for good security.

Today we have connectivity and computing power that people in the 80s could only dream of. Passwords have become more abundant and far more complex to provide the same level of security. As a result, we’re starting to reverse our thinking. Rather than humans adapting to technology, what if technology adapted to how humans work?

Naturally, humans recognise each other based on biometrics and context. Biometrics means I see you and recognise your unique set of traits. If I know you’re my co-worker and see you in the office context, I’ll know it’s you – but if I see you on the street, I might not be so sure.

Humans also assess identity continuously, rather than as a one-time transaction. During online chats, for example, we constantly assess if the person is who they say they are, based on a series of triggers.

The next wave of technology will adapt to humans, not the other way around. In identity, this means continuous authentication, where a user’s identity is constantly verified based on biometrics, context, and behaviours. Interacting with technology will be seamless – like meeting up with a friend.