How far have we come? The evolution of securing identities

The security community is continuously changing, growing, and learning from each other to better position the world against cyber threats. In the latest Voice of the Community blog series post, Microsoft Product Marketing Manager Natalia Godyla talks with Troy Hunt, founder of Have I Been Pwned, information security author, and instructor at Pluralsight. In this blog, Troy shares his insights on the evolution of identity, from the biggest gaps in identity to modern technology solutions. 

Natalia: How has identity evolved over the past 10 years?

Troy: There is so much identity-related data about other people accessible to everyone that the whole premise of having confidence in identity has fundamentally changed. A few years ago, I was invited to testify in Congress about how knowledge-based authentication has been impacted by data breaches. The example I gave was that my father called a telecommunications company to shift his broadband plan to another tier. He told them his name and they asked for his date of birth, as if that’s a secret.

The biggest shift is with this premise that identity can somehow be assured based on knowledge-based authentication like date of birth, mother’s maiden name, where you went to school, or, in the United States, Social Security number. That idea is fundamentally flawed and is a big area of identity that needs to change. There are so many services that have absolutely no reason to have your date of birth but do.

Natalia: What are the current gaps in identity solutions?

Troy: The traditional approach in the United States, where someone says, “Just give us your Social Security number and then we’ll know it’s you and it will be fine,” has always been inherently flawed, but it’s even more flawed now.

The bigger concern is what if other people try to prove my identity? I’m concerned about SIM swapping because there’s so much identity assurance that is done via SMS. The telecommunications companies will say, “You shouldn’t be doing that. You can’t be confident the person who owns the number is the right person.” And the banks will say, “This is kind of all we have.” I asked my telco, “Can we put a lock on my SIM so the only way someone can migrate my SIM is if they come into your office and prove identity with a passport or driver’s license?” That would eliminate a lot of the problems. They said, “We can’t do that because it would be anticompetitive. Government legislation says we need to make it easy for people to transfer their number to another provider so that people have freedom of choice. Otherwise, they’re locked into the provider.” And I responded with, “The outcome of that—depending on the platform I’m using—could be that someone gets into a really important account of mine.” Their response: I shouldn’t have been using SIMs as a means of identity verification.

Natalia: How can organizations mitigate identity risk?

Troy: For many organizations, there hasn’t been a lot of forethought around what happens when incidents impact identity. One example is breach preparedness. For many years, many organizations would do disaster recovery planning—the annual entire-site-has-gone-down exercise. I rarely see them drill into the impact of a data breach. Organizations rarely dry run what happens when information is leaked that may enable others to take on identities.

One organization that had a data breach and did exceptionally well with disclosure was Imgur. Within 24 hours, they had all the right messaging sent to everyone and cycled passwords. I asked the Chief Technical Officer, “How did you do this so quickly?” And he said, “We plan for it. We had literally written the procedures for how we would deal with an incident like this.” That preparedness is often what’s lacking in organizations today.

Natalia: What’s the biggest difference between enterprise and consumer identity technologies?

Troy: With internal, enterprise-facing identity, these individuals work for your organization and are probably on the payroll. You can make them do things that you can’t ask customers to do. Universal 2nd Factor (U2F) is a great example. You can ship U2F to everyone in your organization because you’re paying them. Plus, you can train internal staff and bring them up to speed with how to use these technologies. We have a lot more control in the internal organization.

Consumers are much harder. They are more likely to just jump ship if they don’t like something. Adoption rates of technologies, like multifactor authentication, are extremely low in consumer land because people don’t know what it is or the value proposition. We also see organizations reticent to push it. A few years ago, a client had a 1 percent adoption rate of two-factor authentication. I asked, “Why don’t you push it harder?” They said that every time they have more people using two-factor authentication, there are more people who get a new phone and don’t migrate their soft token or save the recovery codes. Then, they call them up and say, “I have my username or password but not my one-time password. Can you please let me in?” And they have to go through this big spiral—how do we do identity verification without the thing that we set up to do identity verification in the first place?

Natalia: What should you consider when building systems and policies for consumers to balance user experience and security?

Troy: One big question is: What is the impact of account takeover? For something like Dropbox, the impact of account takeover is massive because you put a lot of important stuff in your Dropbox. If it’s a forum community like, the impact of account takeover is minimal.

I’d also think about demographics. Dropbox has enormously wide adoption. My parents use Dropbox and they’re not particularly tech-savvy. If we’re talking about Stack Overflow, we’ve got a very tech-savvy incumbent audience. We can push harder on asking people to do things differently from what they might be used to, which is usually just a username and a password.

Another question is: Is it worth spending money on a per individual basis? My partner, who’s Norwegian, can log on to her Norwegian bank using a physical token. The physical token is not just an upfront cost for every customer but there’s also a maintenance cost. You’re going to have to cycle them every now and then, and people lose them. And you need to support that. But it’s a bank so they can afford to make that investment.

Natalia: What’s your advice on securing identities across your employees, partners, and customers?

Troy: I recommend some form of strong authentication in which you have confidence that a username and a password alone are not treated as identity. That worries me, particularly given there’s so much credential stuffing, and there are billions of credential pairs in lists. There’s also the big question: How did we establish identity in the first place? Whether it be identity theft or impersonation or even sock puppet accounts, how confident do we need to be in the identity at the point of registration, and then subsequently at the point of reauthentication? That will drive discussions around what level of identity documentation we need. But again, we come back to the fact that we don’t have a consistent mechanism in the industry, or in even in one single geography, to offer high assurance of identity at the time of registration.

Natalia: Passwordless is a huge buzzword. A lot of people think of it as a solution to many of our identity problems. What’s your perspective?

Troy: I first started doing interviews a decade ago and people would ask, “When are we going to get rid of passwords? Are we still going to have passwords 10 years from now?” Well, we’ve got more passwords than ever, and I think in 10 years, we will have more passwords. Even as we get passwordless solutions, the other passwords don’t go away.

I have a modern iPhone, and it has Face ID. The value proposition of Face ID is that you don’t need a password. You are passwordless to authenticate your device. When the phone came, I took it out of the box and had to get on the network. What’s the network password? I’ve got no idea, so I go to 1Password and pull it out. So, there’s one password. Then, the phone asks: Would you like to restore from iCloud? What’s your iCloud password? We’re two passwords in now. Would you like to use Face ID? Yes, because I want to go passwordless. That’s cool but you’ve got to have a password as a fallback position. Now, we’re three passwords in to go passwordless. Passwordless doesn’t necessarily mean we kill passwords altogether but that we change the prevalence with which we use them.

Keep an eye out for the second part of the interview where Troy Hunt shares best practices on how to secure identities in today’s world.

Learn more

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.