You need more than a username and password to protect your digital identity.
We live our lives online. In fact, we’re more online than off. We bank, find partners, shop, communicate and do so much more online, and for each of those activities we need to verify our identity. Right now, that means a username and password for the majority of them. But this method is fast becoming archaic, and passwords are becoming increasingly insecure or insufficient.
This means that if a bad actor compromises your credentials, they are in control of your life.
Every time we access a system online, we need to enter a username and password to prove our identity. The majority of internet users tend to use the same password to log onto all of their accounts, from their banking app to their favourite social media pages to their work email. This is largely because passwords have become so complicated that they’ve become virtually impossible to remember, while each platform that requires identity verification typically has its own username and password.
As a result, users do one of three things: they have all of their usernames and passwords written down somewhere; they choose a password that’s easy to remember (and therefore easy to guess); or they stick to the one password that they can remember and use that across all business and personal accounts.
It’s a conundrum: how do you go about using various services on the internet but in the process, avoid exposing yourself? You want it to be secure, but you also want it to be convenient.
Methods that are more secure than passwords for simultaneously proving and protecting your identity include multi-factor authentication, biometrics or geolocation, each used to prove that the person is who they say they are.
The use of a username and password to prove your identity on the internet is becoming an increasingly insecure method, says Mike Groenewald, a cloud consultant at BUI. “We need to get away from poor password practices, as passwords are regarded as an increasingly ineffective method of proving your identity.
“The world is moving towards a decentralised identity, a world without passwords, in which individuals will have one, digital identity.”
Groenewald is talking about moving towards a world where a password is no longer used to verify people’s identity, but believes that businesses are going to have to drive this change to help people adapt to a completely new way of doing things.
“We need to change mindsets around passwords and encourage people to use other authentication methods, regardless of whether it’s for their business accounts or personal logins.”
Most applications require that you authenticate users at some point. You can use either a password or a social media platform like Facebook or Twitter to log in. However, there are clear drawbacks to these forms of authentication. The problem with passwords has been covered earlier in this article: they’re difficult to remember, people generally have far too many of them and they become a popular target for attackers.
In a world where cybercrime abounds, people want more control over their digital information and their online identities. Usernames and passwords remain vulnerable to attack – and if you’re duplicating the same password across several accounts, you are asking to be hacked.
Logging on using your social identity, on the other hand, has some immediately apparent benefits: you conveniently only have to remember one password, and because you’re generally already logged in, you don’t need to retype anything; you just click on a link. The challenges are less clear. For instance, people may not always be comfortable using their social identities to log in to a bank account. They might also not be comfortable with the behaviour tracking that comes along with using their social identity to log into sites.
The challenge is achieving authentication at login in an easy and convenient way, but with the same privacy guarantees that you might get when using a password. When you use a password, you log directly onto that website without an intermediary like a social media account; it’s just less convenient. What people really want is the best of both worlds. While using your social media identity to log into other accounts does, to some extent, solve the single online identity challenge, it doesn’t solve it completely.
“It’s counterintuitive that for every application we access, we need to prove our identity in a different manner, whether that’s via a social media identity or a username and password. Why can’t we just be recognised online based on our own unique, intrinsic characteristics (biometrics) or perhaps by something we own, such as a device? Unfortunately, it’s not quite that simple.”
The solution, he says, might lie in a decentralised identity underpinned by blockchain technology. He says: “A decentralised identity gives users ownership of their digital identities and data by leveraging permission-less distributed ledgers.”
A decentralised identity aims to have you represented once on the internet and all systems can integrate with that identity management system to verify who you are. We’re talking about a single ID that can represent you and that can be used on any system that you log onto. Using blockchain to underpin the technology means the user’s identity isn’t tied to one organisation or multiple identity databases, which gives the user ownership of his or her digital identity.
For instance, suppose you want to access an application. You can present yourself to the application by using your wallet ID stored on your mobile device. Along with this, you have the trusted intermediary that can be used to store the decentralised identifier which corresponds to your wallet ID, which in turn represents your digital identity on the internet. One obvious candidate that could serve as the trusted, decentralised intermediary is blockchain. As the user, you would then assert your identity to the application by using your wallet ID. The application can then verify your identity by querying the blockchain transactions for the decentralised identity which corresponds to your wallet ID, which in turn is then used to authenticate you and allow access to the application. This is far more secure and convenient than using a centralised layer such as a social media account to log in.
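The login flow described above can be sketched in code. This is an added example, not code from the article or from BUI, and it goes one step beyond the text by having the wallet prove control of its identifier with a signature over a fresh challenge, since a wallet ID on its own is public. The `did:example:alice` identifier, the in-memory dictionary standing in for the ledger, the `Application` class and the use of Lamport signatures are all assumptions made for illustration.

```python
import hashlib
import secrets

def H(b):
    return hashlib.sha256(b).digest()

# Lamport one-time signatures keep this stdlib-only; a real wallet would use a
# standard scheme such as Ed25519. Each key pair here must sign only once.
def keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def bits(msg):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, msg):
    return [sk[i][b] for i, b in enumerate(bits(msg))]

def verify(pk, msg, sig):
    return len(sig) == 256 and all(H(sig[i]) == pk[i][b] for i, b in enumerate(bits(msg)))

def login_message(did, nonce):
    return b"login:" + did.encode() + b":" + nonce

class Application:
    def __init__(self, ledger):
        self.ledger, self.pending = ledger, {}
    def challenge(self, did):
        self.pending[did] = secrets.token_bytes(16)  # fresh nonce per attempt
        return self.pending[did]
    def login(self, did, sig):
        nonce = self.pending.pop(did, None)          # single use, so replays fail
        pk = self.ledger.get(did)                    # look the identifier up on the ledger
        return bool(nonce and pk) and verify(pk, login_message(did, nonce), sig)

def demo():
    did = "did:example:alice"                        # constructed identifier
    sk, pk = keygen()                                # private key stays in the wallet
    ledger = {did: pk}                               # dict stands in for the distributed ledger
    app = Application(ledger)
    sig = sign(sk, login_message(did, app.challenge(did)))
    genuine, replay = app.login(did, sig), app.login(did, sig)
    # An impostor who knows only the wallet ID signs with a key of their own.
    other_sk, _ = keygen()
    forged = app.login(did, sign(other_sk, login_message(did, app.challenge(did))))
    return genuine, replay, forged
```

`demo()` returns the outcome of a genuine login, a replay of the same signature, and an attempt by someone who knows the identifier but not the wallet's key.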
However, one can do far more with a decentralised identity than just log onto sites online. “You can also associate some rich information with your identity, such as contact information, age, clothing size or any other data that might be required when transacting online. You can choose which personal information to associate with your digital identity and when you wish to share it, you can also update it or even remove it, should you want to.”
Is this the end of the password as we know it? Not entirely. Passwords will probably continue to exist, says Groenewald, but will be just one in a series of methods that can be used to authenticate one’s identity online. So, if you’ve attempted to use other login methods such as biometrics or geolocation as your primary authentication method and they’ve failed, the last resort might be a password. So, passwords will be used as a secondary or tertiary authentication method and only when the other, primary authentication methods have failed.
This article was originally published on ITWeb.