Identity, and the ability to prove it, is the modern security boundary. This is something we’ve all heard for years now, and the Covid-19 pandemic highlighted its importance. Gone are the days of a ‘castle-and-moat’ security strategy where all your data, apps, and systems sat on a corporate network with a big fat firewall between you and the wild west of the “untrusted” outside world. Today this model is a very limiting approach to security because we have a ridiculous number of devices and need to be able to work from anywhere.
For some time now I’ve worked with customers on ‘IAM’ engagements (Identity and Access Management) where we talk about things like MFA, Conditional Access, Risk-Based automation, and policies. This week I was having a vanilla conversation about Zero Trust and forms of identity, and it got me thinking about the future of identity. I’ve collected my thoughts into this blog and split them into two areas.
1. Personal ownership of identity
2. The practicality of passwordless
If you think about all the websites and apps that you have an account with, they all have a similar method of identifying who you are. First, you’re asked to create an account (or use a B2B identity that they trust): you sign up with your email address, sometimes you create a username (but often this is also your email address), and you create a password. Then we wait for an email to confirm we genuinely have access to the mailbox that email address is associated with. Later, we can log in and add a second factor of authentication; this is also common practice.
We’ve been conditioned to accept this process, but take a step back and think about it for a moment. All these systems and services that you use are pretty much exclusively dependent on that mailbox. If you need to reset your account because you forgot your password, you need that mailbox, and who owns the mailbox? What if your email address ends up on a spam list and you start receiving waves of spam emails? You could simply create a new mailbox, but you have all these accounts that depend on the current address, so you would have to update all those accounts manually to use the new mailbox. What if you can’t access the mailbox? You need another mailbox, or a reset code saved somewhere, or worse, written on a sticky note. What if the mailbox supplier decides to no longer provide the mailbox?
There must be a better way! The good news is that there is, but for some reason, perhaps due to complexity and additional layers of initial setup, it seems to be lurking in the shadows, rubbing shoulders with the likes of blockchain. I’m talking about ‘DIDs’ or ‘Decentralized Identifiers’, and don’t be fooled into thinking this is a new thing.
Here’s a simplified graphic comparing how we typically identify ourselves and DIDs.
As depicted in the image above, instead of mailboxes at the root of our credentials we have a digital signature, based on real-world trusted forms of identity that can be verified by an organisation. Each time you use the ID, it builds a history in the form of a ledger to further strengthen its validity.
Most importantly, you have full control over your ID, you consent to which services may recognise and utilise the ID, you can even delete it, removing associated data and log files from the service provider.
It sounds wonderful, so why isn’t everyone switching to this tomorrow? Well, it’s not simple and change takes time, but there are some tools available to get started today.
Before we skim the surface of Entra, know that Microsoft really know what they are doing in this space: in November, Gartner recognized Microsoft as a 2022 Leader in the Magic Quadrant for Access Management for the 6th year running!
On the topic of Decentralized Identity and ID providers, in the Microsoft landscape we can’t avoid Microsoft Entra. Microsoft Entra is a trust fabric, described by Microsoft as a comprehensive family of identity and access products.
Entra can be applied to manage identity across clouds such as Amazon Web Services and Google Cloud. The group of capabilities is based around IAM and security, protecting apps and resources using three core pillars.
1) Azure AD = AAD-based verifiable credentials
2) CIEM (Cloud Infrastructure Entitlement Management) = Microsoft Entra permissions management
3) Decentralized ID = The verified ID (self-owned)
What does it do?
Protects access to any app or resource for any user.
Secures and verifies every identity across hybrid and multi-cloud environments.
Discovers and governs permissions in multi-cloud environments.
Simplifies the user experience with real-time intelligent access decisions.
How does it work?
Entra works by evaluating signals and verifying each access attempt against them.
Signals = User, location, device, application, real-time risk (UBA – User Behavioural Analytics)
Access = Allow, prompt MFA, limit access, password reset, monitor access
Using the ION blockchain, issuers publish credentials to the network; those credentials are then signed by the user and sent for validation to a verifier, which uses a public key stored in the decentralized public key infrastructure.
Verifiable Credentials (VCs) are a type of digital credential that can be verified by a third party. VCs can be used to prove your identity online, or to verify that you have certain qualifications or credentials. Microsoft’s Entra Verified ID system will use VCs to help verify the identities of users for employee onboarding and access control scenarios.
How much does it cost?
If we’re focused on resources such as compute, container clusters and serverless functions, Entra is roughly $10 per resource per month. You can also enable this service for databases across Amazon Web Services, Microsoft Azure, and Google Cloud Platform.
About five years ago I took a position at a cloud consultancy that issued me with a Microsoft Surface device. Since then, my ‘daily drivers’ have been all kinds of devices, a Razer laptop, MacBook and a HP ZBook Firefly to name a few. Now, these are all decent work machines, but none of them have lived up to my fond memories of that Surface Pro, not even in the same league. Apart from the Surface Pro being unbelievably lightweight and enabling the ability to draw, one of the features I’ve missed most is Windows Hello.
The cameras in Surface devices (and others) are depth-sensing so you can literally sit down in front of your machine to unlock it, wherever you are. No more logging in and no more password changes! I thought the future of technology was upon us but as I’ve worked for larger and larger organisations, I’ve found that using Windows Hello as a primary authentication method turned out to be quite unique.
Facial recognition has been proven to be secure and Windows Hello will work with other biometric signatures such as a fingerprint. I would bet that most of us unlock our mobile phones with a thumbprint and/or our faces, so why can’t work access be just as smooth? Unfortunately, I suspect this is common. Maybe the lack of adoption is because of device compatibility issues? Having lived the dream, I know it’s possible, and using manually typed-in passwords is open to exploits like keylogging and event log entries. Please let me know your thoughts on Windows Hello and passwordless, I’d love to understand your challenges and success stories in greater detail.
Another aspect on the topic of passwordless-enabling tech is device enrolment. Whilst not explicitly a passwordless technology, it is helping users type in passwords less, because integrated systems and services recognise the device as a trusted device to complement the user’s identity claims. If someone quite consistently uses the same managed device, in the same location, at (roughly) the same times, should they be asked to input a password multiple times each day? There are much better user experiences available if the right tools are applied in the right way.
A couple of years ago I bought a YubiKey on the premise that it would be best friends with my password manager service and completely remove the need for me to remember hundreds of passwords for various systems and demo environments etc.
Yubico has done a great job of simplifying the implementation of FIDO2, which is basically the generation of a partial key that requires another partial key to make a complete key for entry to a system or service (sounds familiar to those who manage certificates). This is a simple and solid idea because without the partial key on the physical device, you can’t authenticate, which means it’s virtually impossible to hack. If the key isn’t present in your laptop’s USB port, even if you put the correct username and password in, you can’t log in to your laptop, which is a great assurance, especially when travelling with devices that need to go in a suitcase: you can just keep your keys with you, literally!
FIDO2 prompts make great second forms of authentication too, as an alternative to a code sent to you via SMS or email, which are notoriously easy to intercept and/or spoof.
For me the problem was the lack of third-party integration and support, which made the experience and process slightly different for each service. In an ideal world, you would pop the USB device into your laptop, log in with your face, and then anything that didn’t trust your machine and/or ID would ask you to touch the YubiKey to prove physical possession. Whilst a handful of providers support this nirvana, most do not.
I've listed a few personal YubiKey use-cases below and how they work in the real world.
WINDOWS 10/11 LOGIN - You can add several YubiKeys, which is nice. You still must type in your Windows username and password, but if an enrolled YubiKey is not present in one of your USB ports, Windows 10/11 won't log you in (which is cool). However, it only works with local accounts, not domain accounts or Microsoft ID on a BYOD basis. If you log in to your laptop or PC with your Microsoft Account (email address) then you'll have to convert your account to local (which is actually really easy, and it just means your wallpaper and stuff won't sync to other Windows machines). You'll also need to install the Yubico Login Configuration tool to set this up.
AMAZON SHOPPING/PRIME – Again, you can add several YubiKeys, which is great, but you can't just log in by having the key plugged into a USB port and touching the button. You still put in your credentials and then use an MFA code from an authenticator service, which to me is two parts of a virtual string used to confirm two parts of a physical string!
PAYPAL - You can only add one MFA method at a time and have mobile SMS as a backup. You have a choice: risk a single YubiKey (and if you lose it, you're stuck), or use a weak mobile text message service as a recovery option!
LINKEDIN - You can only have one MFA method. Again, a single YubiKey, and it's not a case of plugging it in or tapping it on your phone via NFC. You still must enter your creds (unless auto-saved/populated by the app, device or browser) and then copy the MFA code from your MFA app.
FACEBOOK - The most accommodating and best experience, second only to Windows. You can enrol several keys and it's just a touch to log in. You must have an MFA auth app set up as a backup. You're not forced to use a weaker mobile SMS as a backup/recovery option, and you're not asked for creds all the time.
RECOMMENDATION - Use in conjunction with a credential manager like LastPass or KeePass - Thank me later!
To summarise my thoughts around the future of identity, there appears to be a common theme running throughout the topics listed here and that theme is one of possibility versus practicality. It is possible to deploy a secure solution with an awesome user experience, but it takes the right culture, people, trust and understanding of the required technology. I think a great starting point would be to trial a better way of working, run a 'Modern Auth' proof of concept and see how these solutions function in your own environments. Expect consultative discussions to shift from ‘Zero-Trust’ to ‘Identity as a Trust Fabric’ in 2023.
I hope you found this information interesting, please share your experiences and real-world findings with me. I’d love to understand how others are approaching the future of identity in their own organisations.