By Karson Kwan, Solutions Consultant, Forter
Although largely invisible to most internet users, online identity is crucial to providing the services and experiences people value most online. Poor identity management (IDM) practices or posture can lead to several kinds of pitfalls. A healthy and secure IDM creates a more enjoyable customer experience and, from an e-commerce perspective, protects valuable customer information.
IDM has gone through several stages since its inception two decades ago. Let’s take a look at the progress we’ve made and what’s to come.
Beginning of the millennium
In the beginning, the Lightweight Directory Access Protocol (LDAP) became the framework for what IDM technology is today. It was created as an open directory service protocol standard that allows users to retrieve information about individuals, organizations, and resources such as files and folders stored on public Internet servers or private intranets.
Windows 2000 Server was then released in 1999 for Windows domain networks with Microsoft’s Active Directory included. Microsoft’s Active Directory harnessed the LDAP protocol and pioneered enterprise identity management in the early 2000s. After many releases and updates, Active Directory continues to be a mainstay for businesses around the world.
Later, in 2003, Active Directory Federation Services (AD FS) debuted in Windows Server 2003 R2, allowing users to single sign-on against Active Directory while remaining compliant with the SAML and WS-Federation standards.
The main IDM trend of the early 2000s was the idea that credentials served a single purpose. Credentials granted access without separate security measures in mind, such as multi-factor authentication (MFA). Most people kept a list of websites, apps, usernames and their corresponding passwords in a single notepad to keep track of them. Access management through Active Directory had a limited view: it could only see which users had access to which resources. Outside the corporate identity context, everyday users encountered few applications that required authentication, so a single pair of credentials was often all that was needed.
10 years later
The security market saw a flood of new cybersecurity technologies in the early 2010s as single sign-on (SSO) became the norm. Technologies included new and updated identity protocols such as SAML 2.0 and OpenID Connect.
Single sign-on technologies prompted developers to improve and innovate the security postures of web and cloud applications. Notable vendors of the time include Okta and Ping Identity, who foresaw the need to secure cloud applications and developed some of the first enterprise cloud identity solutions. On top of that, the formation of the FIDO Alliance in 2013 went further, with a mission to “develop and promote authentication standards that help reduce the world’s overreliance on passwords.”
During this time, we saw budding interest in and awareness of MFA, although adoption was minimal. Methods that gained popularity were simple tokens like one-time passwords (OTP) sent via SMS or email, and some apps went so far as to require users to opt in to MFA.
In the present
Today, MFA has become more widespread, and many apps now require users to set it up when creating their account. However, weak password security prevails. Understanding the security risks, developers have created new measures to protect identities: push notifications from mobile apps, hardware tokens (like YubiKeys), OTPs from authenticator apps or via SMS, and security questions.
The need for passwords at all has now come into question. Passwordless authentication grants access based on a combination of factors and variables, such as biometrics, possession of a device, or information only the user knows, rather than on a fixed password.
By creating different combinations of these factors or variables, the level of security of accounts, and of the identities attached to them, is increased. Passwords fall under “information that only the user knows”, which makes them the least secure option: they can be stolen, or users can be manipulated into sharing them. Biometrics like fingerprints or face scans are the most secure, as they are difficult to replicate.
What the future holds
Password and identity management have recently become the Achilles’ heel of security in the age of ransomware, and the limitations of passwords are very apparent. Passwordless authentication seems to be the natural successor and the next innovation in the IDM timeline as websites and apps adopt WebAuthn, a standard under which unique keys are stored on personal devices and shared across multiple platforms.
Big companies like Apple are also experimenting with passwordless authentication technology, notably with passkeys. This feature allows developers to integrate Face ID and Touch ID into their services and authenticate users through those channels instead of usernames and passwords.
At the state of the art, adaptive authentication is an emerging product category that aims to understand the user well enough to decide whether access should be granted without causing the user friction. That is likely something we will see more retailers adopt to ensure both security and a seamless shopping experience.
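As an added illustration, not code from this article or from Forter, the following Go program models the challenge-response at the heart of WebAuthn and passkeys: the device keeps a private key scoped to one relying party ID, the server stores only the public key, and each login signs a fresh server-issued challenge together with the site origin. The type and function names (Authenticator, clientData, Verify) and the sample domain are assumptions for the example; the real browser API carries more fields and checks.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
)

// Authenticator models the user's device: one key pair per relying party ID (rpID).
type Authenticator map[string]*ecdsa.PrivateKey

// Register creates a key pair scoped to rpID and hands back only the public key,
// which is all the server stores: there is no shared secret to phish or leak.
func (a Authenticator) Register(rpID string) *ecdsa.PublicKey {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // fails only without an entropy source
	a[rpID] = priv
	return &priv.PublicKey
}

// clientData is what the browser assembles and the device signs over (simplified).
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assert signs (challenge, origin) with the key bound to rpID; ok is false when the
// device holds no key for that rpID, which is what happens on a look-alike domain.
func (a Authenticator) Assert(rpID, origin, challenge string) (cd, sig []byte, ok bool) {
	priv, found := a[rpID]
	if !found {
		return nil, nil, false
	}
	cd, _ = json.Marshal(clientData{Challenge: challenge, Origin: origin})
	h := sha256.Sum256(cd)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, h[:])
	return cd, sig, err == nil
}

// Verify is the relying party's side: the signed origin must be its own, the challenge
// must be the one it just issued (so a captured assertion cannot be replayed), and the
// signature must check out under the public key stored at registration.
func Verify(pub *ecdsa.PublicKey, origin, issued string, cd, sig []byte) bool {
	var got clientData
	if json.Unmarshal(cd, &got) != nil || got.Origin != origin || got.Challenge != issued {
		return false
	}
	h := sha256.Sum256(cd)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}
```

Because the key is bound to the relying party ID and the origin is inside the signed data, a look-alike site obtains no usable assertion, and a stolen server database yields only public keys.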
By understanding where we are and the trends ahead, organizations can stay ahead and stay safe.
About the Author
Karson Kwan is a Solutions Consultant at Forter, the trusted platform for digital commerce.
DISCLAIMER: Biometric Update industry overviews are submitted content. The opinions expressed in this article are those of the author and do not necessarily reflect the opinions of Biometric Update.