Identity management through the years and what’s to come
By Karson Kwan, Solutions Consultant, Forter
Although largely invisible to most internet users, online identity is crucial to the delivery of the services and experiences people enjoy most online. Mismanaged identity management (IDM) or a poor IDM posture can lead to many kinds of pitfalls. A healthy and secure IDM creates a more enjoyable consumer experience and, from an e-commerce perspective, protects customers’ valuable information.
IDM has progressed many times over since its inception two decades ago. Let’s take a look back at the progress made and what is coming down the road.
Start of the Millennium
In the early days, the Lightweight Directory Access Protocol (LDAP) became the framework for what IDM technology is today. It was created as an open-standard directory service protocol that allows users to retrieve information about individuals, organizations and resources like files and folders stored either on public internet servers or on private intranets.
Windows 2000 Server was then released in 1999 for Windows domain networks with Microsoft’s Active Directory included. Microsoft’s Active Directory leveraged the LDAP protocol and launched enterprise identity management in the early 2000s. After many versions and updates, Active Directory continues to be a mainstay for corporations around the world.
Later in 2003, Active Directory Federation Services made its debut in that year’s version of Windows Server R2, which enabled users to use single sign-on with Active Directory while maintaining compliance with the SAML and WS-Federation standards.
The top IDM trend of the early 2000s was the idea that credentials served one purpose. Credentials granted access without separate security measures in mind, like multi-factor authentication (MFA). Most people typically kept a list of websites/applications/usernames and their corresponding passwords in a single notebook to keep track of them. Using Active Directory, access management had a limited view and could only see which users had access to what specifically. Everyday users outside the corporate identity context were exposed to fewer applications that required authentication, so only one pair of credentials was needed.
10 years later
The security market experienced a flood of new cybersecurity technologies in the early 2010s as single sign-on (SSO) became the norm. Technologies included new and updated identity protocols such as SAML 2.0 and OpenID Connect.
Single sign-on technologies prompted developers to improve and innovate the security postures of web and cloud applications. Notable developers at the time included Okta and Ping Identity, which foresaw the need to secure cloud applications and developed some of the first enterprise cloud identity solutions. Building on top of this, the formation of the FIDO Alliance in 2013 went further by making it its mission to “develop and promote authentication standards that help reduce the world’s over-reliance on passwords.”
During this time we saw a budding interest in and awareness of MFA spread, even though adoption numbers were still minimal. Specific methods that gained popularity were simple tokens like a One-Time Password (OTP) sent via SMS or e-mail, with some applications going as far as requiring users to opt into MFA.
In the present
Today MFA has become more prevalent, and many applications now require users to set it up when creating their account. However, weak password security prevails. Understanding the security risks, developers have created new security measures to ensure identities remain secure: push notifications via mobile apps, hardware tokens (like YubiKeys), OTP via authenticator apps, OTP via SMS, and security questions.
The need for passwords at all has now begun to come into question. Passwordless authentication grants access based on a combination of factors and variables rather than a fixed password, such as biometrics, possession of a device, or information only the user knows.
By creating different combinations of these factors or variables, the security level of accounts, and of the identities attached to them, is increased. Passwords fall into “information only the user knows,” which makes them the least secure option, as they can be stolen or users can be manipulated into sharing them. Biometrics like fingerprints or face scans are the most secure, as they are difficult to replicate.
What the future holds
Password and identity management has recently become the Achilles’ heel of security in the age of ransomware, and the limitations of passwords are very apparent. Passwordless authentication appears to be the natural successor and next innovation in the IDM timeline, as websites and applications are adopting WebAuthn, a web standard under which unique keys are stored on personal devices and shared across platforms.
Major companies like Apple are experimenting with passwordless authentication technology too, specifically with their Passkeys. This feature allows developers to embed Face ID and Touch ID into their services and authenticate users through these avenues instead of usernames and passwords.
On the cutting edge of technology, adaptive authentication is an emerging product category that aims to understand the user fully and determine whether they should be granted access without causing them any friction. It is likely something we will see more retailers adopt to provide both security and a smooth shopping experience.
By having an understanding of where we’ve been and trends to come, organizations can stay ahead of the curve and stay secure.
DISCLAIMER: Biometric Update’s Industry Insights are submitted content. The views expressed in this post are that of the author, and don’t necessarily reflect the views of Biometric Update.