The digital landscape has become increasingly complex in recent years. Every day, more personal data is cached and, in response, cybercriminal attack methods have become more aggressive. Chances are, either you, a friend or a co-worker has experienced some form of identity theft in the recent past. Despite the complexity of some breach attempts, a great percentage still focus on weak or mismanaged passwords to achieve a breach.

But what exactly is a digital identity? What kind of data does digital identity contain? And most importantly, how can you protect yours?

What is Digital Identity?

Let’s start with the basics. At its core, your digital identity can be defined as a structure of data connected to you as an individual. A digital identity can also apply to an entity such as a business, school, or hospital – and can contain information pertaining to a device. 

You can consider your digital identity to be an electronic database of personally identifiable information (PII). Your PII can include data such as your IP address, location data, full name, credit cards, social security number, or passport number. Digital identity includes personal information like medical history, birth date and place, and even race and religion.

Obviously, this information is incredibly sensitive, which makes digital identity awareness especially crucial.

How is digital identity created?

Your digital identity is created over time as you submit data and navigate the web. Your ID may also be tied to your unique IP address or even your device. Given that, more active web users are likely to have a larger footprint and a more robust digital identity profile.

In a work context, your digital identity is tied to your work email and will often contain a mix of personal information (date of birth, social security number, etc.) and work information (title, pay grade, health insurance plan selection, etc.).

In the future, it is likely that work and personal digital identities will begin to merge. Think about Facebook, Apple, or LinkedIn. How many websites have you signed up to by using your social media account?

 

What is digital identity verification?

Because our digital identities contain so much personal information about us, they are massively tempting for cybercriminals seeking to steal and exploit data. With cybercrime increasing by over 500% since the start of the pandemic, it is now more vital than ever to secure our digital identities. Digital identity verification is a type of defense that can prevent cyber criminals from accessing our most sensitive information. Simply put, it functions to verify someone is who they say they are before granting access to an environment.

In the past, credentials such as usernames and passwords have been overwhelmingly used for digital identity verification. Passwords, however, are easily put at risk. Considering that 69% of workers choose passwords that are easy to remember and 25% have never reset their work passwords, it makes sense that cybercriminals target them as an attack vector.

With passwords under siege, passwordless authentication has begun to emerge as one of the most viable options to safeguard our digital identities. When operating correctly, a passwordless infrastructure can make a drastic impact when it comes to defending your digital identity.

In the content below, you’ll be introduced to the three fundamentals of passwordless authentication. These three fundamentals can help IT administrators secure digital identities.

 

The Three Fundamentals of Identity for Passwordless Authentication

1.   ENABLE MULTI-FACTOR AUTHENTICATION

From an organizational perspective, enabling multi-factor authentication (MFA) for all users who need access to your environment helps protect your digital identity. For individuals, MFA bolsters your identity’s security as well, and it is critical to implementing passwordless technology.

Multi-factor authentication can work through several sources, including your phone number, an authenticator app, and unique tokens.

The concept of multi-factor authentication includes three “must haves”:

1.     Something you know – for example, your password, username, or PIN code

2.     Something you are – biometrics like facial recognition or a fingerprint

3.     Something you have – an RSA token, FIDO2 key, or an authentication app

 

IF MULTI-FACTOR AUTHENTICATION IS NOT ALREADY ACTIVE, DATA SHOWS THAT 0.5% OF YOUR USER ACCOUNTS WILL BE COMPROMISED EVERY MONTH THROUGH BRUTE FORCE ATTACKS. ALSO, CONSIDER THAT THE INCUBATION TIME FOR AN AVERAGE HACK IS 197 DAYS. THAT MEANS THE TIME FROM WHEN THE HACK OCCURS TO WHEN IT IS DETECTED WILL LIKELY BE MONTHS. THAT’S A TREMENDOUS AMOUNT OF TIME FOR A CYBERCRIMINAL TO GATHER DATA.

 

2.   USE AN AUTHENTICATOR APP, FIDO2 KEY, AND BIOMETRICS

Many people are now familiar with MFA and have likely come across a company that sends a code via SMS during authentication. However, SMS messages are a weaker form of MFA. Phone numbers and SIM cards can be spoofed, or otherwise compromised via social engineering. Authenticator apps and FIDO2 keys are considered more secure options.

An authenticator app does not rely on a phone number, so there is no phone number to compromise. Authenticator apps can produce a time-bound PIN code, prompt for an approval, or present a list of options to choose from when authenticating into systems.

FIDO2 compliant keys are hardware that can be inserted into a computer or placed against the back of an NFC-compatible phone to provide a second factor. Some keys also have fingerprint readers in them, which provides a very secure authentication method.

Finally, biometrics are great because users cannot forget their face or fingerprint, and users cannot be tricked into giving them away. For Windows machines, Windows Hello for Business is an excellent solution for leveraging biometrics as part of authentication.

 

3. CONFIGURE CONDITIONAL ACCESS POLICIES

Conditional Access Policies are a series of IF-THEN criteria that a policy engine evaluates each time a resource is requested. For example, when you try to open a Word document, the policy engine can check whether your device is updated and has proper security in place (e.g. drive encryption). It can also check that your account is active, and check your location, your Wi-Fi, and many other things to ensure you are who you say you are.

Conditional Access policies provide real-time, time-bound access. They can block or approve access – sometimes with additional authentication – to resources. The checks occur in milliseconds and are invisible to users.

Conditional Access Policies act as a failsafe, keeping out unwanted users by applying a specific set of rules established by administrators.
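The IF-THEN evaluation described in this section can be sketched as follows. This is an added example, not any vendor's policy engine or code from this article; the rule names, the request fields and the allowed-country list are hypothetical. Every rule is checked on each request, the most restrictive outcome wins, and a rule that cannot be evaluated blocks access rather than silently passing.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    """Signals collected at request time (hypothetical field names)."""
    account_active: bool
    device_patched: bool
    drive_encrypted: bool
    country: str
    network_trusted: bool
    mfa_completed: bool = False


ALLOWED_COUNTRIES = {"US", "CA"}  # constructed sample value

# Each policy: (name, IF condition, THEN outcome).
POLICIES = [
    ("inactive-account", lambda r: not r.account_active, "block"),
    ("non-compliant-device",
     lambda r: not (r.device_patched and r.drive_encrypted), "block"),
    ("unexpected-location",
     lambda r: r.country not in ALLOWED_COUNTRIES, "block"),
    ("untrusted-network",
     lambda r: not r.network_trusted and not r.mfa_completed, "require_mfa"),
]

SEVERITY = {"allow": 0, "require_mfa": 1, "block": 2}


def evaluate(request, policies=POLICIES):
    """Return (decision, names of the rules that fired) for one request."""
    decision, reasons = "allow", []
    for name, condition, outcome in policies:
        try:
            hit = condition(request)
        except Exception:
            # Fail closed: a missing or malformed signal must not grant access.
            hit, outcome = True, "block"
        if hit:
            reasons.append(name)  # keep every reason for the audit log
            if SEVERITY[outcome] > SEVERITY[decision]:
                decision = outcome
    return decision, reasons
```

Returning the list of rules that fired alongside the decision gives administrators the audit trail needed to explain why a given request was blocked or stepped up to MFA.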

 

Securing Digital Identity

The data that makes up your digital identity profile is sensitive, and the consequences of having it compromised are dire. Identity protection is important and will become increasingly pressing as companies and individuals continue to move their data to the cloud. Going passwordless is just the first step to securing your digital identity, but it is a crucial step. You should consider making the move past passwords sooner rather than later to keep your identity secure.

 


 
