What’s the state of identity and authentication in 2024?
That was the primary topic addressed in a day full of insightful speaker sessions and panels at the annual Identity, Authentication and the Road Ahead Policy Forum held on January 25 in Washington, D.C. The event was sponsored by the Better Identity Coalition, the FIDO Alliance, and the ID Theft Resource Center (ITRC).
Topics covered included the latest data on identity theft, financial crimes involving compromised identities and the overall ongoing challenges of identity and authentication. The opportunities for phishing-resistant authentication standards and passkeys resonated throughout the event as well. In his opening remarks, Jeremy Grant of the Better Identity Coalition framed identity as both a cause and potential solution to security problems.
White House advances strong authentication agenda
In the opening keynote, Caitlin Clarke, Senior Director, White House National Security Council, detailed some of the steps the Biden-Harris administration is taking to improve digital identity and combat rising cybercrime.
“Money is fuelling the ecosystem of crime, but we often see that identity is either the target or the culprit of the cyber incidents that we are seeing every day,” Clarke said.
In a bid to help improve the state of identity and authentication, the administration is implementing multi-factor authentication (MFA) for all federal government systems. Clarke also highlighted that the administration strongly believes in implementing phishing-resistant MFA.
“We need to make it harder for threat actors to gain access into systems by requiring and ensuring that a person is who they say they are beyond the username and password,” she said. “That is why authentication is also at the heart of the work we are doing to improve the cybersecurity of critical infrastructure, upon which we all rely.”
The role of biometrics
Biometrics have a role to play in the authentication and identity landscape, according to a panel of experts.
The panel included Arun Vemury, Biometrics Expert and ITRC Advisory Board Member; James Lee, COO of the Identity Theft Resource Center; Dr. Stephanie Schuckers, Director, Center for Identification Technology Research (CITeR), Clarkson University; and John Breyault, VP, Public Policy, Telecom and Fraud, at National Consumers League.
Panelists generally agreed that properly implemented biometrics combined with other security practices could help devalue stolen identity data and strengthen security overall.
“Biometrics has the potential to affect fraud numbers,” Breyault said. “It’s not a silver bullet, it’s not going to stop everyone, and it may not be useful in every context, but it is something different than what we’re doing now.”
Better Identity at 5 years
Five years ago, the Better Identity Coalition published Better Identity in America: A Blueprint for Policymakers in response to significant questions from both government and industry about the future of how the United States should address challenges in remote identity proofing and other key issues impacting identity and authentication.
Jeremy Grant, Coordinator at the Better Identity Coalition, reviewed the progress made in the past five years and presented new guidance for 2024.
The report assessed that while some progress has been made in certain areas like promoting strong authentication, overall the government receives poor grades for failing to prioritize the development of modern remote identity proofing systems or establish a national digital identity strategy.
The revised blueprint outlines 21 new recommendations and action items for policymakers to help close gaps in America’s digital identity infrastructure and get ahead of growing security and privacy challenges posed by issues like synthetic identity fraud and deep fakes.
“Our message today is the same as it was back in 2018, which is that if you take this as a package, if this policy blueprint is enacted and funded by government, it’s going to address some very critical challenges in digital identity and as the name of our coalition would suggest, make things better,” Grant said.
The year of passkeys
While there is much to lament about the state of identity and authentication, there is also cause for optimism.
Andrew Shikiar, executive director of the FIDO Alliance, detailed the progress that has been made in the past year with the rollout and adoption of passkey deployments.
“Passkeys are simpler, stronger authentication, they are a password replacement,” he said.
Shikiar noted that there are now hundreds of companies enabling consumers to use passkeys, which is helping to dramatically improve the overall authentication landscape. Not only is a passkey more secure, he emphasized, it is also easier for organizations to use than traditional passwords and MFA approaches.
“If you’re in the business of selling things, or providing content, or anything like that you want people to get on your site as quickly as possible – passkeys are doing that,” he said.
Shikiar noted that the FIDO Alliance understands that user authentication is just one piece of the identity value chain. To that end, the FIDO Alliance has multiple efforts beyond passkeys, including certification programs for biometrics and for document authenticity, among other efforts.
Don’t want to get breached? Use strong, phishing-resistant authentication
The primary importance of strong authentication was highlighted by Chris DeRusha, Federal Chief Information Security Officer in the Office of Management and Budget (OMB), who detailed a recent report on the Lapsus$ cybercrime gang that was released by the Cyber Safety Review Board.
DeRusha noted that Lapsus$ hackers were able to beat MFA prompts using a variety of techniques, including social engineering and even just mass spamming employees with prompts to get someone to act.
A key recommendation from the report is to move away from phishable forms of MFA, including SMS, and instead embrace FIDO-based authentication with passkeys.
The view from FinCEN
The U.S. Treasury’s Financial Crimes Enforcement Network, more commonly known by the acronym FinCEN, is a critical element of the U.S. financial system.
FinCEN Director Andrea Gacki spoke at the event about the agency’s recent progress on beneficial ownership reporting and the FinCEN Identity Project. The FinCEN Identity Project refers to FinCEN’s ongoing work related to analyzing how criminals exploit identity-related processes to perpetrate financial crimes. As part of this, FinCEN published a financial trends analysis earlier this month that looked at 2021 Bank Secrecy Act data to quantify how bad actors take advantage of identity processes during account openings, access, and transactions.
“Robust customer identity processes are the foundation of a secure and trusted U.S. financial system and are fundamental to the effectiveness of every financial institution,” Gacki said.
Sean Evans, lead cyber analyst at FinCEN, noted that the recent report examined over 3.8 million suspicious activity reports filed in 2021 and found that approximately 1.6 million reports, representing $212 billion in activity, involved some form of identity exploitation. Evans explained that cybercriminals are finding ways to circumvent or exploit weaknesses in identity validation, verification, and authentication processes to conduct illicit activities like fraud.
Kay Turner, chief digital identity adviser at FinCEN, emphasized that strengthening identity verification is critical for security.
“We have to get identity right, it is vital to building trust in the system,” Turner stated.
CISA praises the push towards passkeys
Closing out the event was a keynote from Eric Goldstein, Executive Assistant Director for Cybersecurity, Cybersecurity and Infrastructure Security Agency (CISA), Department of Homeland Security (DHS).
Goldstein emphasized that while there are challenges, there has also been progress. Passkeys are now used by consumers every day, and increasing numbers of enterprises are moving toward passwordless deployments.
“It’s worth starting out just with some reflection on how far we have come in moving towards a passwordless future,” Goldstein said. “We are seeing more and more enterprises moving to passwordless for their enterprise privileges, their admin, their employee authentication solutions and that’s a remarkable shift.”