Last week I attended and spoke at One World Identity’s inaugural event – the K(NO)W conference in Washington, DC. It was three days of meeting with and listening to the leading identity, security and privacy experts share their thoughts on who owns identity, what the real problem is and how we can solve it.
It was an amazing inaugural event and I am proud and honored to have been a part of it.
Here are my three big takeaways:
1. Edward Snowden missed the point. Mr. Snowden thinks that too many organizations get caught up in identifying the real person attempting to access services or a particular site. He stated that it is not important to truly know who the person is, but rather whether they have the funds to pay for what they are purchasing. We don’t really need to know their DOB, just that they are above a certain age. We don’t really need to know where they live, just that the data entered matches what is on file. We don’t really need to know their name, just that the credentials entered match what is on record. We agree with this premise for certain services – like Netflix or Pandora – where friction should be low because the risk of serious data or financial loss is low as well. It is just not the case for many other organizations and entities out there.
Banks lost $180B in 2016 to fraud. The SWIFT network attacks lost $81M in one day. That is a significant amount of money and the money lost to cybercrime funds very bad things – terrorism, weaponry, drugs, human trafficking and child exploitation. So knowing the person really is who they say they are DOES matter.
Last week hospitals and other organizations across the world were targeted by the WannaCry malware attacks. When a hospital’s IT systems are down, lives are in danger. In 2013, hackers attempted to infiltrate a dam in New York. If they had succeeded, the number of fatalities would have been catastrophic. Hackers are testing the waters right now: seeing what they can do, how they are caught and how quickly they are caught. It is only a matter of time before they are able to conduct a massive attack that will be successful and cost many, many lives. So, yes, it is critical to know exactly who is accessing a nuclear power plant or a city’s electrical grid. Simply knowing that the credentials match is not enough. We must do better. And the time is now.
2. The privacy, security and convenience conundrum continues. In my panel session, “But Can You Have It All? Reinventing the Privacy, Security, and User Experience Tradeoff” with Yubico’s Stina Ehrensvard, Connection Science’s Thomas Hardjono, globaliD’s Greg Kidd and Constellation Research’s Steve Wilson, we discussed just this. Is it possible to have it all?
The user experience of logging in with Facebook is convenient for sure, but would you trust it to log in to your bank account? There were excellent questions from the audience, but the main question, to me, was missed: who is liable? As we move to more convenient, user-friendly methods of identification, everyone understands that security risks increase. Unfortunately, many security features today create friction. But the question remains: as more and more organizations move to integrate social login, and a financial loss occurs, who would be liable? Facebook certainly would not be. It seems the banks would bear the brunt. So is it really even feasible? Furthermore, Facebook is an open community. I can create an account and give myself whatever name I want, say I live wherever… Is that secure enough to access a person’s bank account?
3. Contrary to certain opinions, blockchain is not the answer. The sole purpose of blockchain is to ensure that a record is not tampered with; that an action is frozen in time and cannot be altered. While that is a technology marvel (and there are certain use cases for this) — it does not solve the identity problem.
Blockchain does NOT ensure a record is true or correct. It goes back to the Garbage In/Garbage Out (GIGO) principle. If a criminal steals your username and password and presents them at your bank, that record is stored in the blockchain. It cannot be edited. It cannot be changed. It is frozen in time. And there is no way to indicate, or even tell, that it was really not valid. So what good does it do in the end? What does it really help? We need to solve the actual problem. Blockchain does not solve the core identity and authentication issue that so many organizations face today. And as long as we rely on static credentials, blockchain will never be the answer.
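To make the integrity-versus-truth distinction concrete, here is an added example (not code from the post or from any project named in it): a minimal append-only hash chain, a static-credential check, and a constructed scenario in which the account owner and a criminal holding the stolen password each log in. The ledger verifies cleanly, neither entry can be told apart by the ledger itself, and the only way to "correct" the fraudulent entry afterwards, editing it in place, is exactly what the chain detects. The user name, password, addresses and the use of plain SHA-256 for the stored password (a real system would use a slow, salted hash) are all assumptions made for the example.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional, Tuple

GENESIS_HASH = "0" * 64

# Constructed credential on file for user "alice". Plain SHA-256 is used only
# to keep the example short; a production system would use a slow, salted hash.
STORED_PASSWORD_HASH = hashlib.sha256(b"correct horse battery staple").hexdigest()


def credentials_match(presented_password: str) -> bool:
    """Static-credential check: the only thing the bank can verify at login time."""
    return hashlib.sha256(presented_password.encode()).hexdigest() == STORED_PASSWORD_HASH


def _block_hash(prev_hash: str, record: dict) -> str:
    # Canonical JSON so the same record always hashes to the same value.
    payload = json.dumps({"prev": prev_hash, "record": record},
                         sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


@dataclass
class Block:
    prev_hash: str
    record: dict
    hash: str


class Ledger:
    """Minimal append-only hash chain: each block commits to its predecessor."""

    def __init__(self) -> None:
        self.blocks: List[Block] = []

    def append(self, record: dict) -> str:
        prev = self.blocks[-1].hash if self.blocks else GENESIS_HASH
        block = Block(prev, dict(record), _block_hash(prev, record))
        self.blocks.append(block)
        return block.hash

    def verify(self) -> Tuple[bool, Optional[int]]:
        """(True, None) if every link is intact, else (False, index of first bad block)."""
        prev = GENESIS_HASH
        for i, block in enumerate(self.blocks):
            if block.prev_hash != prev or _block_hash(block.prev_hash, block.record) != block.hash:
                return False, i
            prev = block.hash
        return True, None


def build_scenario_ledger() -> Ledger:
    """Constructed scenario: the owner logs in, then a criminal logs in with the
    same stolen password. Both events are appended to the ledger."""
    ledger = Ledger()
    logins = [
        {"who_really_typed_it": "alice (owner)", "src": "203.0.113.7"},
        {"who_really_typed_it": "criminal with stolen password", "src": "198.51.100.23"},
    ]
    for login in logins:
        # The bank never learns "who_really_typed_it"; it sees only the presented
        # password and a source address, so that is all the record can contain.
        ledger.append({
            "event": "login",
            "user": "alice",
            "credentials_ok": credentials_match("correct horse battery staple"),
            "src": login["src"],
        })
    return ledger


def entries_flagged_invalid(ledger: Ledger) -> List[int]:
    """Indexes of entries the ledger itself can identify as not genuine."""
    return [i for i, b in enumerate(ledger.blocks) if not b.record["credentials_ok"]]


def try_to_correct_record(ledger: Ledger, index: int) -> Tuple[bool, Optional[int]]:
    """Mark an entry as fraudulent after the fact by editing it in place, then
    re-verify. The in-place edit is precisely what the hash chain rejects."""
    ledger.blocks[index].record["credentials_ok"] = False
    return ledger.verify()


if __name__ == "__main__":
    ledger = build_scenario_ledger()
    print("chain intact:", ledger.verify())            # (True, None)
    print("entries the ledger can flag:", entries_flagged_invalid(ledger))  # []
    print("after editing entry 1:", try_to_correct_record(ledger, 1))      # (False, 1)
```

Both login records are byte-for-byte the same kind of entry with `credentials_ok` set to `True`, so the chain has nothing to flag; the fraud is invisible to it. The hash chain does its one job, rejecting any later edit, which is why a compensating entry appended afterwards is the only option, and that does not undo the original. Telling the two logins apart has to happen before the record is written, which is the authentication problem the post says blockchain leaves unsolved.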
All in all, it was an excellent event and many important conversations were started. But they must be continued. Identity means something different to banks, to merchants, to critical infrastructure employees. We need everyone to take part in this important conversation, and with the cyberattacks we are seeing now, the sooner the better.