In the world of information systems and application development, we often speak of “tightly integrated, loosely coupled” as a guiding philosophy. This is particularly true when integrating multiple systems - a common occurrence in today’s IT environment. The phrase represents the notion that two systems “tightly integrated” will allow for seamless data flow - behaving as if they are part of a single system - while “loosely coupled” enables relatively quick (less costly) re-integrations due to replacement of systems or components. A truly “loosely coupled” component can be plucked out and replaced painlessly - an ideal state in enterprise IT. On the other hand, when referring to identity management, “loosely coupled” can equate to “insecure by design”, and given current trends, may soon mean “deprecated” or “no longer supported”.
In identity management, the goal is to create a secure way to verify someone’s identity for the purpose of granting (or limiting) access to a system. Most commonly on the web, it’s a username and password combination - you use such a system to access your email, Netflix, online banking, and more. In another post, we can explore how dreadfully awful we are at picking unique passwords (nearly 17% of us have “123456” as our password, according to this study). For now, let’s explore the frailty of using username/password pairs at all.
Here’s a scenario: husband and wife have a shared bank account. To access it, they likewise have a shared username and password. It’s a “secret” that they both know. The bank doesn’t really know (or care) which individual is logging in, so long as the username/password pair is valid. Access is granted.
Another example: a team of coworkers in a corporate environment divide the responsibility of updating the corporate website. Instead of creating individual accounts for each person, or tying the system to another authentication platform, they just share the login credentials for a single administrator-level account. You could probably imagine countless other similar scenarios.
In these cases, the application believes it has identified an approved user and accordingly grants access. Unfortunately, it does not know which unique individual has been granted access - so nothing in its audit log can attribute an action to a person, and revoking one person’s access means resetting a secret that everyone uses. This system of identity management, based solely on a username/password pair, is loosely coupled (or “loosely bound”) to an individual’s actual identity.
The world faces an increasing number of threats online; from identity theft, to corporate espionage, and worse. One way to mitigate a portion of your cybersecurity risk is to move towards tightly coupled (or “tightly bound”) identity management. Biometric-controlled access systems do this in the physical world. It’s not easy to swap or share your fingerprints with your spouse or coworkers, after all. But for web-accessible applications, what is the solution?
First of all, user account management must be easy to use, and policies must strictly prohibit the sharing of access credentials. Remember, it must be easier to follow the controls than it is to circumvent them. Secondly, explore utilizing Multi-Factor Authentication (MFA) where possible. Genuine MFA requires evidence from more than one category: something you know (the password), something you have (a phone or hardware token), or something you are (a biometric). Many sites instead just bolt another “secret” onto the username/password pair - “Mother’s maiden name? Make/Model of your first car? First pet’s name? Last 4 digits of your SSN?” That is not a second factor at all; it is more things you know, and often things a stranger can look up. Ironically, this means that in order to better verify someone’s identity, the site must collect additional pieces of their identity, and the industry has not done us any favors by asking the same few questions again and again. It’s an attempt to move towards more tightly bound identity management. But now, that “123456” password and your mom’s maiden name can provide a hacker with access to dozens of important accounts.
A better way is to use an authenticator app from Google, Microsoft, LastPass, or others. Instead of storing additional personal information about an individual, the service generates a random shared secret key and sends it to the user exactly once - usually as a QR code scanned into the app during enrollment. That key is never sent again, but both sides keep it and combine it with an algorithm (TOTP, the time-based one-time password of RFC 6238, essentially an HMAC over the current 30-second time slot) to generate a short code that is required upon login and is only valid for that slot. In other words, in order to verify your identity, you must also provide a passcode that could only have been generated on a device holding the shared secret key (sent once by the system authenticating you).
As secure as that sounds, the method is still vulnerable to what’s called a man-in-the-middle attack: a phishing page that asks for your password and your current code and relays both to the real site before the code expires. We’ll save that for another post.

Finally, the third option - and this is the direction the industry is moving - uses artificial intelligence (AI) to verify identity, and you’ve probably already seen it in action. Don’t believe me? Have you seen a “reCAPTCHA” form that just asks you to check a box stating “I’m not a robot”? Have you wondered how it works? Of course, Google doesn’t say explicitly, but we can be pretty certain it works something like this:
Only Google, and maybe a few others, have enough information about you for their “Invisible CAPTCHA” to work reliably. You see, only Google can know at the moment you click on the check box:
- you’re also logged into GMail in another tab
- you’ve been browsing the web on the same computer for the last 26 minutes
- including several sites that you frequently visit that also require login
- you acknowledged that new Google Calendar appointment
- from your Android phone that’s synced to all of the above, plus
- Facebook, Twitter, and Netflix
By combining all that info against all your past observed historical behavior, Google can say quite confidently that you are indeed not a robot.
Not only that, but Google’s data-mining AI can also determine with high confidence that you are in fact you. No one else behaves quite the same way, so the combination of trackers, markers, beacons, cookies, and other data generated by your constantly-connected activities results in a digital “fingerprint” that is nearly as distinctive as your real-world fingerprint.
If security is important to your application, don’t forget to consider identity management and select a method for authentication that works for both your organization and your users. And, stay informed of the latest trends towards more tightly-bound digital identities (even though Netflix says it’s still okay to share).