skavi
Sept 30, 2024
My goal with this article is to put forward some of the reasons that US government authorities are the entities we should be looking to in addressing our challenges around a standardized, secure, privacy-preserving personal digital identity solution.
State governments already have processes for issuing identity and holding personal data.
Government agencies must serve everyone.
Government agencies are answerable to the public.
Government agencies are historically more stable than private companies.
Governments are obligated to keep constituents safe and enforce the rule of law.
May 7, 2024
I am always curious to hear what people outside the cybersecurity industry think about the idea of a digital credential taking the place of the physical card we carry around for everyday interactions. I get lots of positive reactions, many focused on the convenience - “I don’t have to carry my license when going out!” “I already have my plane ticket on my phone, why not my ID?”, but also skepticism, usually about the concerns around security - “Everything gets hacked, it’s just going to get stolen.” “People will just photoshop fake ones.”
This made me think it would be good to try to provide some answers on how the mDL security components ensure that only the owner of the identity can set up and use the mDL. These answers are targeted at any mDL program that is using the International Standards Organization (ISO) mDL Specifications to ensure interoperability and security.
April 23, 2024
I had a chance to work with the Daon Inc team and FIDO Alliance to present some practical advice when considering a FIDO Passkeys implementation, especially in a highly regulated industry. Check it out at Unlocking Security: The Power of Passkeys on the Path to Passwordless.
April 10, 2024
In the United States, the lack of a strong national digital identity policy and program has long been a subject of debate and concern, especially among security professionals. However, this apparent gap presents an opportunity, particularly when considering the dynamics of the traditional US identity landscape. The current state-centric approach to identification, where a driver's license serves as the de facto government ID, is a clear indication that a decentralized identity model is not just a possibility but a necessity. This model, aligned with the growing adoption of ISO/IEC standards, offers a promising solution to the challenges of managing complex many-to-many relationships inherent in this type of digital identity ecosystem and promoting greater control, privacy and transparency for individual holders.
Nov 27, 2023
I had the honor to represent STA mDL Jumpstart with David Kelts on the Identi3 Podcast hosted by Dock CEO Nick Lambert and talk about the progress of Mobile IDs, Verifiable Credentials and some of the opportunities that can come from having a reusable and reliable digital identity credential issued from a trusted and authoritative source.
mDL - The Digital Mobile Driver's License
Sept 29, 2023
In the previous entry, I highlighted some of the key benefits I see with the adoption of FIDO Passkeys as a strong and convenient authentication that benefits both end users and online businesses. While these authenticators have the potential to overhaul the cybersecurity landscape in a beneficial way, they also introduce some intriguing challenges because of the way they change how access can be transferred between individuals.
Passkeys - Unforgettable in Every Way
Aug 17, 2023
Passkeys, also known as Multi-Device FIDO Authenticators, directly tackle several major weaknesses of passwords. These include:
Phishing-Resistant Protocols with enforced host specificity prevent nearly all phishing and smishing approaches.
Strong Cryptographic Authentication Handshakes eliminate the risk of brute-force guessing.
Unique Keys for Each Relationship eliminate vulnerabilities caused by password reuse; exposure at one entity does not compromise security at another.
Advancements in Standards for Utilization of Protected Hardware Modules enhance device-level security by preventing interference from malicious apps.
These improvements alone are compelling reasons for service providers to embrace adoption. However, the most significant advantage of passkeys lies in nearly eradicating the need for customers to click on “Forgot Password”.
June 23, 2023
Verifiable Credentials have a compelling story for re-usable, interoperable, user-controlled credentials, and they will be a great complement to the traditional IAM Lifecycle. The diagram illustrates several examples of where Issuance and Presentation could enhance identity and authentication interactions. Additionally, an authenticating entity might play both roles over time as an Issuer and a Verifier in the ecosystem.
June 6, 2023
Verifiable credentials continue to be a hot topic in the digital identity space as a way to save verified attributes in a re-usable credential format to build scalable, transparent trust networks. Verification of employment seems an excellent example to test - relatively low effort and low risk for all parties involved - and I was excited to get the LinkedIn Verified Employee implementation up and running now that I had my Verified Employee VC in my Microsoft Authenticator Wallet!
May 3, 2023
Where we work is often a central part of our identity. And it’s more than a cliché conversation starter - Opening a brokerage account - Where do you work? Need a car loan - Where do you work? Applying for insurance - Where do you work? But it’s also something most interested parties really don’t bother checking on unless something is going wrong… and then it’s probably too late.
Microsoft is piloting a job verification scheme based on their Verified ID offering; employees can authenticate through their employer to generate a Verifiable Credential that can be held in the Microsoft Authenticator wallet. This VC can be presented at relying verifiers, such as LinkedIn, as a proof of employee relationship with the issuing employer.