Employees face a challenge multiple times a day: to do their job, they have to access many different systems and applications. They have to unlock their Windows desktop, log into internal and external web resources and apps, access a Unix server or the employer’s VPN, or even enter a facility. And often they are not using single sign-on, so each system and application requires different credentials for authentication.
By Michael Engle, Chief Strategy Officer, 1Kosmos, and Nick Roquefort-Villeneuve, Director of Marketing, 1Kosmos
Three Workforce Authentication Challenges
1. Leveraging Passwords
Some employees have no problem remembering different usernames and passwords. Others type a password incorrectly three times, get locked out, and then start speed-dialing the Help Desk. And a few rely on the good old post-it note stuck to their monitor, in plain view of everyone.
To make matters worse, IT departments insist on complex password formats: between eight and sixteen characters long, with at least one uppercase letter, one number, and one special character. How is anyone going to memorize that type of password? Moreover, IT also enforces a password change every 30 or 60 days. For many people, those requirements, compounded across multiple systems, can be overwhelming, resulting in a proliferation of the infamous post-it notes and Help Desk calls. To get around this challenge, some reuse the same password for multiple logins or services.
This situation creates inefficiencies, such as lost productivity and increased costs. Did you know, for example, that resetting one password can cost up to $70? Yes, that is what it can cost in human capital and machine resources to handle a single password reset request!
2. Leveraging 2FA and MFA Solutions
To keep accounts from being compromised when a password has been “stolen”, and to strengthen the level of user authentication, many organizations have implemented two-factor authentication (2FA) or even multi-factor authentication (MFA) solutions. That is when you submit your username and password and then receive, for example, a text message prompting you to enter a code online.
Those solutions certainly make it slightly harder to compromise an account; however, they are not foolproof. Ultimately, a hacker can steal a username, a password, and a mobile number stored inside a company’s centralized system. There are also MFA solutions that require a piece of hardware such as a security key (a hardware token like the Google Titan), but that comes at a cost: paying for each physical token and allocating resources to maintain the hardware. The security key can also be lost or stolen.
3. Leveraging Some Passwordless Solutions
To mitigate the risks that MFA solutions still carry, biometrics have been added to the mix. This is what passwordless applications offer, with biometric features such as Touch ID, Face ID, or the more advanced iris recognition. A login page, a QR code to scan from a mobile application, a biometric authentication, and the employee is in. No more username and password needed! The mobile phone is something the employee has, and the biometric data is something the employee is. The problems with those solutions are high implementation costs and heavy data storage. For example, facial recognition requires top-quality cameras and advanced software to ensure accuracy and speed. Moreover, the high-quality images required for facial recognition take up a significant amount of storage.
So, is there an alternative?
Workforce Authentication Best Practices
A robust contact-free authentication solution for the workforce should focus on identity proofing and therefore be built on three identity pillars: enrolling, authenticating, and verifiable credentials. Each pillar needs to interact with the others to ensure that identity remains the number one priority. This is the core architecture of the BlockID platform.
1. Enrolling with Claim Triangulation
An employee’s enrollment should consist of triangulating a given claim against a multitude of company- or government-issued documents and sources of truth, including advanced biometrics.
For example, by enrolling an employee’s driver’s license and passport (government-issued documents), we are able to verify the validity of each document in real time by querying the proper databases (sources of truth) and to triangulate several claims (first and last name, address, date of birth, photos) simultaneously, before adding an extra source of truth to our ID proofing process: a liveness test. The liveness test verifies that the biometric traits presented belong to a living person rather than to an artificial representation or a non-living source.
We leverage further sources of validation, such as the passport’s chip, to confirm that the passport scanned during enrollment matches its digitally signed data. We can also introduce credit cards, bank accounts, or loyalty programs, among others, to reach the highest level of identity assurance per the NIST 800-63-3 guidelines, IAL3.
2. Authenticating with Advanced Biometrics
BlockID uses advanced biometric authentication, a security process that relies solely on the unique biological characteristics of the employee to verify that they are who they say they are. Our advanced biometric authentication technology, using a liveness test, compares the captured biometric data with confirmed data stored in the BlockID Blockchain Ecosystem. A liveness test offers the added benefit of requiring users to capture a live video of themselves, which is a deterrent to criminals who would rather not share their face with the company they are targeting.
The BlockID authentication process reaches the highest level of authentication assurance per the NIST 800-63-3 guidelines, or AAL3.
3. Verifiable Credentials
The verification process leverages the attributes BlockID triangulates during the enrollment phase as well as verifiable credentials (in digital form) that users can share with third parties, with their explicit consent.
A verifiable credential is a credential issued by a trusted authority for, and only for, the user. It is a tamper-evident credential based on W3C standards, and its authorship can be cryptographically verified. Schematically, issuers create verifiable credentials, users can store some of them, and verifiers ask for proofs based upon them. When identity needs to be confirmed, the user chooses which credentials to present for verification.
The BlockID verification process eliminates the tedious back-and-forth communication between verifiers and issuers, since the verifier no longer has to contact the issuer to confirm the credential, thus reducing data verification costs. This mechanism means that the user remains in control and keeps ownership of his or her identity, by electing what to disclose and to whom.
4. Employee Data Stored Encrypted in a Decentralized Ledger
BlockID leverages the BlockID Private Blockchain Ecosystem to store employees’ encrypted data. The benefits of a decentralized system are many, from being virtually uncompromisable to enabling peer-to-peer transactions while ensuring the immutability of the stored data. Such a system promotes transparency and consequently creates trust between employers and the employees who need to access corporate systems and applications. Employees own their data and choose to share only the information required to access a specific solution. And it is W3C compliant.
BlockID is the next-generation contact-free authentication solution for the workforce that leverages advanced biometrics and distributed ledger technology. The application unifies physical and logical access, allowing all employees to use a single smartphone app for every kind of access, whether it is to enter a highly secure data center through a mantrap, to log into Unix or Salesforce, or to unlock a workstation without network connectivity.
About the Authors
Michael Engle is the Chief Strategy Officer at 1Kosmos. He is a seasoned information technology executive, leader, and entrepreneur. Engle is an expert in information security, business development, and product design/development. He has experience running large teams and multi-million-dollar projects for a Fortune 100 bank as well as working with startups that need to set direction and go from “zero to one,” as it is now commonly called. As a co-founder of Bastille Networks, he helped raise over $40 million in VC to create a powerhouse in the RF security sector. As a Senior VP at Lehman Brothers, Engle was instrumental in designing and implementing the bank’s security program.
Nicolas Roquefort-Villeneuve, a French and American binational, is the Director of Marketing at 1Kosmos. He is an influential technology and communication marketing executive and an entrepreneur at heart. Roquefort-Villeneuve has 22 years of marketing experience with Fortune 100 companies (Mattel, E*Trade), startups, and as an independent consultant. He is also an award-winning documentary filmmaker. In the last three years, Roquefort-Villeneuve has become an expert in marketing new technologies such as Blockchain. He has earned an MSc in Econometrics from the Université Paris 1 and an MBA from the University of San Francisco.
CISO MAG did not evaluate/test the products mentioned in this article. The facts, opinions, and language in the article are entirely those expressed by the authors and do not reflect the views of CISO MAG.