Is your authentication future proof?

April 2022

We all know someone who resets their password every time they log into a service or an email account; if you don't know anyone like that, it's you.

Many won't be too bothered by having to do this. However, what happens if that option goes away, and you suddenly have no access to the critical recovery email or phone number?

Nowadays, what was once just an email address or phone number can be the key to your entire online presence, and losing it (or having it stolen) is more than a minor inconvenience. Your authentication is becoming more important and will have to be maintained for a lifetime, but just how future proof is it?

How do we currently manage authentication?

The most common way of authenticating who we are online is through email: various services rely on a recovery email to regain access to accounts when a password is forgotten. Two of the biggest providers of email accounts are Microsoft and Google; their Outlook (previously Hotmail) and Gmail services are 25 and 18 years old respectively.

Both services are relatively young, yet they are relied on very heavily to authenticate who we are online. As plausible as it is that these companies will continue to exist, can we count on Microsoft and Google lasting for the next 50+ years and beyond?

Another common way of authenticating is with a phone number; this is often the last resort in multi-factor authentication, used to unlock an authenticator app or an email account that you no longer have access to. What guarantee is there that your mobile provider will keep running, or keep providing you with that phone number?

Email addresses and phone numbers are currently the backbone of how we authenticate who we are, yet neither method is sustainable for the length of time we will need to keep it, and both rely on private companies.

A solution, digital identity

Being able to authenticate who you are online is becoming much more important than in previous decades; we need to look to a more centralised solution, rather than relying on various big tech companies to stay afloat and keep their services running.

Digital identity is not just a set of authentication credentials, but a set of attributes that can be combined to allow stronger identification of a user.

According to a UK government publication on digital identity:

“Attributes are pieces of information that describe something about a person or an organization. You can use a combination of attributes to create a digital identity. You must ‘bind’ an attribute to a person before you can do this.”

Attributes supplied by governments, such as national insurance numbers and physical passports, could potentially be used to authenticate who we are. These attributes are more robust than an email address or phone number provided by a private company.

Using sensitive PII (personally identifiable information) will bring its own challenges but may be needed to establish authentication that needs to last.

Digital Identity Innovations

BankID

Whilst still developed by a privately held company, BankID in Sweden is a step in the right direction.

This service relies on a government-issued personal identity number and the Swedish banking system to provide a digital identification for users. It is used to authorise payments and as a general multi-factor authentication method.

According to their webpage, if a BankID is inaccessible, the user must order a new one from their bank using their personal identity number, sometimes with a physical visit to the bank. This removes the reliance on email and means that users prove their 'digital identity' using the same information as their physical identity.

This makes multi-factor authentication easy to recover yet hard to steal, by linking recovery to government-issued identification and interaction with a bank rather than just a backup email or phone number.

The UK Digital Identity and attributes trust framework

The UK government is working on a concept for digital identity called 'The UK Digital Identity and attributes trust framework'; this framework is a set of rules and standards for digital identity providers.

More information can be found in the Further Reading links below.

Securing your Authentication

  • Close old accounts and email addresses; tie up any loose accounts that could compromise your security.
  • Create a personal disaster recovery plan. Ensure that you have a solid way to recover all email accounts; most email providers offer backup codes that can be printed or written down and used in a disaster to recover an account.
  • If using email as a method of authentication, ensure that the company providing it is reputable and not likely to shut down operations in the near future.
  • If you need to get a new phone number, make sure any accounts that rely on the old one for multi-factor authentication are switched to a new method or number, to ensure availability.
  • Use a password manager to organise accounts and keep track of the credentials used for different services. This also provides the added security of being able to use a strong random password for each account.
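
One way to turn the "personal disaster recovery plan" bullet into something checkable, as an added example that is not part of the original post: model each account's recovery routes as a graph and ask which accounts survive when a single provider or physical root factor (the "option that goes away" from the introduction) is lost. The account names, providers and routes below are constructed sample data, not any real inventory.

```python
"""Recovery-dependency audit for a personal disaster recovery plan
(constructed example, not from the original post).

Model: in a disaster you hold only physical "root" factors (printed backup
codes, a SIM / phone number, a passport). An account is reachable only via a
recovery route whose factors are all available; a factor is a root factor or
another account, so recovery forms a directed graph that may contain cycles."""

# Constructed sample inventory: account -> (provider, list of routes).
# Each route is a tuple of factors that are ALL required for that route.
ACCOUNTS = {
    "gmail":   ("google",    [("gmail_backup_codes",), ("outlook",)]),
    "outlook": ("microsoft", [("gmail",), ("phone_number",)]),
    "bank":    ("bank",      [("passport",), ("outlook", "phone_number")]),
    "shop":    ("shop",      [("gmail",)]),
    "forum":   ("forum",     [("outlook",)]),
}
ROOT_FACTORS = {"gmail_backup_codes", "phone_number", "passport"}

def reachable(name, lost, accounts=ACCOUNTS, _path=()):
    """True if `name` (account or root factor) is available once everything
    in `lost` (root factors or provider names) is gone. `_path` stops a
    circular chain (gmail via outlook via gmail) from counting as a route."""
    if name in ROOT_FACTORS:
        return name not in lost
    if name in _path:                 # cycle: an account cannot bootstrap itself
        return False
    provider, routes = accounts[name]
    if provider in lost:              # provider shut down: nothing left to recover
        return False
    return any(all(reachable(f, lost, accounts, _path + (name,)) for f in route)
               for route in routes)

def single_points_of_failure(accounts=ACCOUNTS):
    """Map each root factor / provider to the other accounts that become
    unrecoverable if only that one thing is lost (an account losing its own
    provider is excluded as trivially fatal)."""
    things = ROOT_FACTORS | {provider for provider, _ in accounts.values()}
    result = {}
    for thing in sorted(things):
        dead = sorted(a for a, (provider, _) in accounts.items()
                      if provider != thing and not reachable(a, {thing}, accounts))
        if dead:
            result[thing] = dead
    return result

if __name__ == "__main__":
    for thing, dead in single_points_of_failure().items():
        print(f"losing {thing!r} locks you out of: {', '.join(dead)}")
```

With the sample data, losing the phone number or the backup codes alone is survivable, but losing both leaves gmail and outlook able to recover only through each other, which the cycle check correctly reports as no route at all.
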

Further Reading

https://www.gov.uk/government/consultations/digital-identity

https://www.gov.uk/government/publications/the-uk-digital-identity-and-attributes-trust-framework/the-uk-digital-identity-and-attributes-trust-framework

https://www.gov.uk/government/publications/identity-proofing-and-verification-of-an-individual/how-to-prove-and-verify-someones-identity

https://support.bankid.com/

https://www.nist.gov/itl/applied-cybersecurity/tig/digital-identity-individuals