By: FIDO staff
The identity landscape is set to undergo tremendous transformation in 2023 as lawmakers and regulators alike struggle to help protect individual privacy and improve access to services and the digital economy. A primary underpinning for what will enable the new identity landscape is strong authentication.
On Jan. 25, the Better Identity Coalition, the FIDO Alliance, and the ID Theft Resource Center (ITRC) co-hosted the Identity, Authentication, and the Road Ahead Cybersecurity Policy Forum in Washington, D.C. to discuss the challenges and opportunities of identity and authentication.
The full-day event included sessions loaded with data on the current state of data breaches, presentations by government leaders, panels on the state of passkeys and the path toward better identity in 2023 and beyond. A key theme that was often repeated throughout the day, by experts from government and industry alike, was the complexity of the identity landscape and the need for more collaboration and interoperable standards.
“A lot of our ability to make progress on the set of problems starts with a bigger issue, the recognition that identity is critical infrastructure and needs to be treated as such,” Jeremy Grant, Managing Director, Technology Business Strategy at Venable LLP and Coordinator, Better Identity Coalition said during his opening remarks for the event.
“Until we start to think about identity that way we’re going to continue to struggle to address challenges in this space.”
Identity risk continues to grow
In the opening keynote session, Jimmy Kirby, Acting Deputy Director of FinCEN (Financial Crimes Enforcement Network), outlined the identity-related issues his agency has seen in recent years.
Kirby said that in recent years financial services have been increasingly migrating towards a primarily online environment. It’s a trend that creates new opportunities for abuse. As a result, FinCEN has been thinking about how it can leverage all of the data that financial institutions send to it to help stem the tide of abuse. He noted that identity-related suspicious activity reports (SARs) submitted to FinCEN grew more than 15% from 2021 to 2022.
According to Kirby, reports of threats at each stage of the customer identification process continue to grow, from the proofing and enrollment stage to the authentication stage, including the use of compromised credentials, impersonation and artificial intelligence to conduct illicit finance.
While there are challenges, there are also opportunities.
“We see opportunities for digital identity to address customer identification breakdowns in customer onboarding, account logins, transaction monitoring, as well as in investigations,” Kirby said. “There are a number of features of a digital identity framework that, taken together, have the potential to address threats and spur innovation across all types of financial services.”
FinCEN isn’t the only organization seeing a spike in cybercrime. James Lee, COO of the ITRC (Identity Theft Resource Center) presented data from his organization’s annual data breach report. Among the top line highlights of the report is that there were 1,802 data breaches during the year impacting over 422 million victims.
Lee commented that a prevailing trend was an increase in supply chain attacks as a preferred attack vector over just malware. He also emphatically complained about the lack of information present in many data breach disclosures. Lee said that 66% of data breaches did not include information about the root cause of the attack that led to the breach or any victim details.
In a panel session, titled “Data Breach Notices Suck,” John Breyault, Vice President, Public Policy, Telecommunications and Fraud at National Consumers League (NCL) lamented the current state of password usage, which inevitably is a root cause for many data breaches.
“I have been doing consumer education work for 15 years now at NCL, and not a day goes by it seems that I don’t tell consumers to not use the same password across multiple accounts,” Breyault said.
Towards the U.S. Government plan on secure digital identity
In a lunchtime keynote, Congressman Bill Foster (IL-11), outlined his view on Congressional efforts to introduce a secure digital identity policy for the U.S.
Foster emphasized time and again during his keynote that secure digital identity needs to be a bipartisan effort in the U.S. Congress, as it’s an issue that impacts all Americans. While he noted that there might be some concerns about the U.S. government having a database of user identities that it issues, he argued that to most people, the real-life threat to their privacy comes more from having someone impersonate them online.
The lack of secure digital identity may have also been a factor in the massive volume of fraud experienced by the U.S. government over COVID benefits. Conversely, the fact there wasn’t a secure digital identity scheme in place may have made it more difficult than necessary for some to be able to get benefits. Overall, Foster said that he’s hopeful Congress can put something together.
“It can serve as a gentle reminder that the government does some good in your life,” Foster said. “One of the things that we could do a much better job with is preventing identity fraud, because that’s a real life pain for tens of millions of Americans every year.”
Bias and diversity is a requirement of digital identity
In multiple sessions over the course of the event, the topic of fairness, bias and diversity in relation to digital identity was discussed.
Jordan Burris, VP and Head of Public Sector Strategy at Socure commented that in his view, bias a lot of times comes down to the reality that an identity approach is taken that is solving for the majority of the population, and as such, the minority or those who operate on the fringes are being left out of the ecosystem.
Andrew Stettner, Deputy Director for Policy at the Office of Unemployment Insurance Modernization at the U.S. Department of Labor argued that his agency and the entire administration are taking equity in identity very seriously.
“We’re looking at equity in a much more conscious way, for us is a very key element of identification going forward,” Stettner said.
Why FIDO is critical for better identity
A critical element of secure identity is having strong authentication.
In a keynote session, Andrew Shikiar, Executive Director and CMO of FIDO Alliance, outlined the ways that FIDO is playing a role in helping to improve the state of identity today across multiple efforts. He also predicted that FIDO will become increasingly relevant in the year ahead.
“The average person on the street will start to understand what identity verification means, and actually start to understand what digital identity means,” Shikiar said. “That’s a net benefit because the more people understand what their identity means, and the importance of it, the more steps they’ll take to actually protect it.”
Among the FIDO efforts to help improve identity outlined by Shikiar are:
- Biometric performance criteria. This is a biometric certification program, where FIDO helps to assess the performance of different biometric components that are critical to identity verification.
- Remote Identity Verification. This includes the Document Authenticity (DocAuth) Certification for mobile document verification, with ongoing work into face verification for liveness and selfie-match.
Shikiar also talked at length about passkeys, which bring added usability to FIDO-based strong authentication.
“FIDO Alliance’s mission is to reduce the industry reliance on passwords,” Shikiar said. “Simply put, passkeys stand to take passwords out of play for the vast majority of consumer use cases.”
The passkey future for authentication
In a panel session on passkeys, panelists discussed the benefits and opportunities that passkeys will bring.
Tim Cappalli, Identity Standards Architect at Microsoft, detailed what passkeys enable, including the ability to take a FIDO credential and use it in a similar way to how password managers work today. Passkeys can also be synchronized with a cloud provider and are interoperable across platform vendors, enabling better usability overall.
Panelists emphasized that the promise of passkeys is to more easily enable users to benefit from strong authentication. Christiaan Brand, Product Manager, Identity and Security at Google, explained that Google has been supporting FIDO for years, including supporting security-key-based approaches. In his view, passkeys represent the usability necessary to actually make strong authentication with un-phishable credentials a reality for Google’s users.
Usability was also a theme that Paul Grassi, Principal Product Manager – Identity Services at Amazon, emphasized, since in his view, past efforts to get strong authentication adoption haven’t been entirely successful.
“It breaks my heart to say it but consumers are not adopting security keys, they’re not adopting Google Authenticator, they’re not adopting two-factor,” Grassi said. “We’re excited to see passkeys as that replacement, and to see the adoption numbers skyrocket, reducing friction while increasing security, which is, I think, the goal of any security practitioner.”
The recording of the full event is available here.