2PM Services’ Technical Business Analyst, John Robinson, explains the role of digital identity and access, and how they can be used to increase your cyber security.
The concept of identity has been around for thousands of years, in the form of jewellery, tattoos, and other decorative goods. These methods communicated not only identity but also social status, ancestry, and membership of groups.
While the concept has stayed the same, the methods we use today have changed drastically over the years, with the introduction of fingerprint-based ID, and 2 Step Authentication. It’s easy to prove who you are in a physical context, but it can often be a lot more challenging virtually!
The Thales Group states: “The last three decades have seen the steady transformation of the way we live and work from an analogue world to a digital one. More and more, the services we rely on are provided in a completely digital form, making the multiple digital identities we use to access them as important to protect as our physical ones.”
However, as our reliance on technology has increased, so too have the risks of online fraud, identity theft, and data breach. But let’s not get too ahead of ourselves…
Firstly, what is digital identity?
Digital identity is the digital representation of an individual in an ICT system; otherwise known as your ‘User ID’. It is a set of validated credentials for the digital world, like a person’s ID for the real world. It’s proof that ‘you are who you say you are’ when logging into an ICT system.
Your digital identity may have attributes such as demographic information, including sex, date of birth, name, and photo. A common form of digital identity is the email address and password you use to access different services online. Your digital identity is also referred to as a ‘credential’.
So, what’s digital access then?
Digital access is an entitlement to a digital resource. This means it gives you ‘the right to do what you want to do’. Examples of digital access include your laptop or your user account on a website. These may have attributes such as start time / end date for access, geography, and IP address.
Although they are different, identity and access tend to go hand in hand. You can’t really have ‘access’ without ‘identity’ and ‘identity’ doesn’t make much sense without ‘access’.
How can I increase my ‘identity’ and ‘access’ security?
Authentication vs. authorisation:
- Authentication is the process of validating an identity – checking the user is who they say they are.
- Authorisation is the process of validating access – checking the user has the right to do what they need to do and / or enabling certain levels of access to certain users.
It’s common for the authentication and authorisation processes to be done at the same time, for example when logging on to a Windows system. Occasionally, you may need to be authorised after being authenticated, for example if you want to access privileged functions.
The most common method of authentication and authorisation is the presentation of username and password. Improved complexity of passwords reduces the likelihood of them being compromised.
Another way to improve security beyond passwords is by using Multi-Factor Authentication (MFA). MFA is a method where a user is granted access to a website or application only after they have provided two or more pieces of evidence to an authentication mechanism. Each piece of evidence can be something like a password or a fingerprint, and the method is sometimes called Second Factor Authentication (2FA).
There are three commonly accepted types of authentication evidence:
- Something the user is (fingerprint or other biometric)
- Something the user knows (password or PIN)
- Something the user has (phone, token, RFID card)
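The distinction between authentication and authorisation, the access attributes mentioned earlier (start / end date and IP address), and the three factor types can be put together in one access decision. The following is an added example, not code from 2PM; the factor names, the `Identity` and `Entitlement` classes and the sample data are assumptions, it assumes non-password factors have already been verified by their own mechanism, and it treats MFA as evidence from at least two different types in the list above.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass
from datetime import datetime

# Maps illustrative factor names to the three types listed above.
FACTOR_TYPE = {"password": "knows", "pin": "knows",
               "fingerprint": "is", "token": "has", "phone": "has"}

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class Identity:              # the 'User ID' and its stored credential
    user_id: str
    salt: bytes
    password_hash: bytes

@dataclass
class Entitlement:           # access: a right to one resource, with attributes
    user_id: str
    resource: str
    start: datetime
    end: datetime
    allowed_network: str
    privileged: bool = False

def authenticate(identity, password, other_verified_factors=()):
    """Validate identity; return the set of factor types proven (empty on failure)."""
    candidate = hash_password(password, identity.salt)
    if not hmac.compare_digest(candidate, identity.password_hash):
        return set()
    # Assumption: the caller has already verified these extra factors.
    extra = {FACTOR_TYPE[f] for f in other_verified_factors if f in FACTOR_TYPE}
    return {"knows"} | extra

def authorise(identity, proven_types, ent, source_ip, now):
    """Validate access for an identity that has already been authenticated."""
    in_window = ent.start <= now <= ent.end
    in_network = ipaddress.ip_address(source_ip) in ipaddress.ip_network(ent.allowed_network)
    if not (proven_types and ent.user_id == identity.user_id and in_window and in_network):
        return False
    # Privileged functions need two different factor types, so password + PIN fails.
    return len(proven_types) >= 2 if ent.privileged else True

# Constructed sample data (documentation IP range, made-up user and password).
SALT = b"constructed-salt"
ALICE = Identity("alice", SALT, hash_password("correct horse battery", SALT))
ADMIN = Entitlement("alice", "admin-console", datetime(2024, 1, 1),
                    datetime(2024, 12, 31), "203.0.113.0/24", privileged=True)
```

A password plus a PIN proves only one type (“knows”), so the privileged entitlement is refused even though two pieces of evidence were presented.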
While we’re on the subject, remember when we told you not to use personal details for your password? Never interact with social media memes asking you to comment with personal details such as your childhood pet’s name or the name of the street you grew up on. These can often be clever phishing techniques used to answer your security questions on certain websites!
Ok, so you’ve enabled multi-factor authentication and created unique / complex passwords, but how do you keep track of them? Short of writing them all down in a little notebook (we don’t recommend this; if you’re anything like us, you tend to lose things easily!), a password vault is a great solution. A ‘password vault’ or ‘password manager’ is a software program that keeps passwords in a secure digital location. By encrypting the password storage, it lets you use a single password to access the multiple passwords you use for different websites or services.
Why is this important?
Trust is everything. Verified digital identities are required to ensure people and devices can trust other individuals, businesses, and devices, and vice-versa.
While most organisations have benefitted from advances in modern technologies, the risk of cyber-attack has also increased considerably. Attackers are continually looking for weak points in an organisation’s online presence. One tactic commonly used is the impersonation of identity. If there’s no method established to verify that a person or device is who they claim to be, how can businesses expect to distinguish between an attacker and a legitimate user? Therefore, digital identity is essential to ensure security and strengthen trust!
Here at 2PM, we are utilising many of the digital identity verification strategies to ensure increased security. Remote working practices may be with us for some time, so it’s important to assess your organisation’s digital security and mitigate any risks.
What does your organisation do to help keep its online information secure? Or maybe you just enjoyed this article? We’d love to hear from you!