In today's digital ecosystem, every person and every "thing", from computers and smartphones to internet-connected (IoT) devices and applications, has a digital identity. A digital identity is made up of identifiers and attributes that let systems, services, and applications know who or what they are interacting with. During an in-person transaction, you may show a driver's license or other government-issued identification to prove who you are. To verify your identity in the digital world, without human intervention, a system needs a combination of data, attributes, and behaviors that together give a reasonable level of certainty that you are who you claim to be. These signals are not all of one kind: some are identifiers (a username or an email address), some are credentials used to prove a claimed identity (a password or a biometric), and others are context that raises or lowers confidence in a particular attempt (IP address, device, activity patterns). These attributes may include:
- Username
- Password
- Fingerprint or facial scan
- Email address
- Network
- IP address
- Device and operating system
- Online activities
- Date of birth
- Social Security number
- Purchasing history or behavior
Intro to Identity: What is Digital Identity?
As digital activity increases, digital identity becomes more complex
People's use of digital services has skyrocketed, a trend accelerated by the pandemic. Once online shopping became commonplace, people began to use digital channels in all areas of their lives — to do their banking, visit the doctor, pay their taxes, read the news, go to class, do their jobs, and so much more.
Recently, TechRadar reported that consumers have, on average, 100 online accounts. Even though these accounts are owned by the same person, each account identifies the person differently. While your one driver's license may suffice for proving your age and identity everywhere you go, your digital identity will be different for every online account with which you connect. For your employer, your digital identity may include your device information along with your login credentials. Your streaming service may identify you by your television, location, and viewing habits. Your bank may use multi-factor authentication (MFA), which requires your credentials plus at least one additional factor, such as a push notification to a registered device or a code from an authenticator app; when exactly two factors are used, this is often called two-factor authentication (2FA). A security question, which some banks still offer, is another knowledge factor like the password rather than a truly independent one, so it adds little.
The organizations that have to manage all these identities, while securing them from attacks and fraud and maintaining privacy and compliance, face a significant challenge. In addition to all the human identities that must be managed, machine identities now outnumber people; it's not unusual for an enterprise to be managing millions of identities.
Why digital IDs are becoming harder to ascertain
At one time, a simple user ID and password were enough to grant a user access with a reasonable degree of confidence about that user's authenticity. These identifiers are no longer enough on their own: they are static secrets that can be phished, leaked in a breach, or guessed, and once stolen they work just as well for the attacker as for the owner. On the flip side, you may have a legitimate user who needed to borrow a device while hers was being repaired. It's important to block unauthorized access, but you don't want to keep a legitimate customer or employee from reaching the accounts they need.
Access decisions used to be simple: allow or deny. But today, decisions are not so black and white. Identity and access management (IAM) solutions must take into consideration a range of other factors and contexts, such as the user's location, device, patterns of behavior, and the level of access being requested.
If the login credentials are correct but the device is unrecognized, the IAM solution should flag the attempt and require "step-up" authentication, such as approving a push notification. Similarly, if a trusted user is logging in from an unusual time zone, the IAM solution can require the step-up to confirm the attempt is legitimate and, if it passes, record the new device or location as trusted so that no step-up is required on the next attempt from it. Two details matter in practice: trust should be recorded only after the step-up actually succeeds, never merely because the credentials were correct, and it should be tied to a signal the attacker cannot cheaply spoof and should expire after a reasonable period rather than lasting forever.
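The step-up logic described above, as an added example that is not ForgeRock's code: a small risk policy in Go that takes a login attempt with its context signals, returns allow, deny, or step-up together with the reasons, and records a device or time zone as trusted only once the step-up has succeeded. The struct fields, the thirty-day trust lifetime, and the failure threshold are assumptions made for this example, not any product's configuration.

```go
package main

import (
	"fmt"
	"time"
)

// Decision is the outcome of evaluating one login attempt.
type Decision int

const (
	Deny Decision = iota
	Allow
	StepUp
)

func (d Decision) String() string { return [...]string{"deny", "allow", "step-up"}[d] }

// LoginAttempt holds the context signals the policy inspects. The field
// names are assumptions for this example, not any product's schema.
type LoginAttempt struct {
	User           string
	CredentialsOK  bool   // primary credential already verified upstream
	DeviceID       string // stable, device-bound identifier (e.g. a signed device cookie)
	TimeZone       string // IANA zone reported by the client, e.g. "Europe/Berlin"
	RecentFailures int    // failed attempts for this user in the current window
}

// maxFailures is an assumed lockout threshold.
const maxFailures = 5

// TrustStore remembers devices and time zones a user has proven with a
// successful step-up. Entries expire after ttl so trust is not permanent.
// A production system would persist this; here it is an in-memory map.
type TrustStore struct {
	seen map[string]time.Time // user + kind + value -> time it was trusted
	ttl  time.Duration
}

func NewTrustStore(ttl time.Duration) *TrustStore {
	return &TrustStore{seen: map[string]time.Time{}, ttl: ttl}
}

func key(user, kind, value string) string { return user + "\x00" + kind + "\x00" + value }

func (s *TrustStore) isTrusted(user, kind, value string, now time.Time) bool {
	t, ok := s.seen[key(user, kind, value)]
	return ok && now.Sub(t) <= s.ttl
}

// Evaluate returns the access decision and the signals that drove it.
// Wrong credentials or a lockout deny outright; good credentials from an
// unknown device or an unusual time zone step up; everything else allows.
func Evaluate(s *TrustStore, a LoginAttempt, now time.Time) (Decision, []string) {
	if !a.CredentialsOK {
		return Deny, []string{"bad credentials"}
	}
	if a.RecentFailures >= maxFailures {
		return Deny, []string{"too many recent failures"}
	}
	var reasons []string
	if !s.isTrusted(a.User, "device", a.DeviceID, now) {
		reasons = append(reasons, "unrecognized device")
	}
	if !s.isTrusted(a.User, "tz", a.TimeZone, now) {
		reasons = append(reasons, "unusual time zone")
	}
	if len(reasons) > 0 {
		return StepUp, reasons
	}
	return Allow, nil
}

// CompleteStepUp records the attempt's device and time zone as trusted.
// Call it only after the second factor (push approval, OTP, ...) succeeded;
// recording trust before that would let an attacker bootstrap it from
// stolen credentials alone.
func CompleteStepUp(s *TrustStore, a LoginAttempt, now time.Time) {
	s.seen[key(a.User, "device", a.DeviceID)] = now
	s.seen[key(a.User, "tz", a.TimeZone)] = now
}

func main() {
	store := NewTrustStore(30 * 24 * time.Hour)
	now := time.Date(2023, 1, 10, 9, 0, 0, 0, time.UTC)
	first := LoginAttempt{User: "alice", CredentialsOK: true, DeviceID: "laptop-1", TimeZone: "Europe/Berlin"}
	d, why := Evaluate(store, first, now)
	fmt.Println(d, why) // step-up [unrecognized device unusual time zone]
	CompleteStepUp(store, first, now) // the push notification was approved
	d, why = Evaluate(store, first, now.Add(time.Hour))
	fmt.Println(d, why) // allow []
	borrowed := first
	borrowed.DeviceID = "loaner-7" // same user on a borrowed device
	d, why = Evaluate(store, borrowed, now.Add(2*time.Hour))
	fmt.Println(d, why) // step-up [unrecognized device]
}
```

Run as written, main walks through the scenario from the text: the first login from a new laptop triggers a step-up, the same laptop an hour later is allowed, and a borrowed loaner device triggers a step-up again even though the time zone is by then trusted. Because trust expires after the TTL, a device not seen for a month is treated as new.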
The risk of identity theft in the digital space
According to the latest ForgeRock Identity Breach Report, unauthorized access was the leading cause of breaches for the fifth consecutive year. Questionable yet common practices, like reusing passwords, enable bad actors to gain access to valuable data like birth dates or Social Security numbers. They can steal this data and sell it on the black market, or they can use it to carry out fraudulent activities, such as account takeover (ATO) attacks, which increased 307 percent from 2019 to 2020. In a successful ATO, an attacker can move money, open other accounts, and create financial havoc for the customer and the institution. Read more about ATO in this blog.
The leading cause of breaches is related to identity, and much of the blame can be placed squarely on the digital world's continued reliance on passwords. Consumers want their data and personal information to be secure, but how is a person supposed to remember unique passwords for 100 online accounts? In a PC Magazine study, 65 percent of respondents reported that they will forget their password if they don't write it down, and 57 percent will forget their new password immediately upon resetting it.
The solution is to move away from passwords altogether. With passwordless authentication, a person logs in to an online account without entering a password. Instead, authentication is delegated to an endpoint, such as a mobile device or computer, where the user proves presence locally with a fingerprint or facial scan, known as "biometric" authentication. It can also be done with authenticator apps, hardware tokens, and smartcards, all growing in popularity. In the common public-key form of passwordless login (the model used by FIDO2/WebAuthn), the biometric or PIN only unlocks a private key held on the device; the device signs a challenge from the service, and the service stores just the matching public key, so there is no shared secret to phish, leak, or guess, and the biometric data itself never leaves the device. The user doesn't have to worry about forgotten passwords, and age-old attack methods, such as brute-force attacks and password spraying, become ineffective against the credential itself. Attackers then tend to shift toward enrollment and account-recovery flows, which therefore need the same level of protection as the login itself.
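The challenge-response exchange behind public-key passwordless login, as an added example that is not ForgeRock's code and not a full WebAuthn implementation: a server that stores only a per-user Ed25519 public key, a device that signs a server challenge once its local biometric check passes, and a verifier that rejects replayed signatures and signatures produced for a different origin. The origin strings, the user name, and the boolean standing in for the biometric check are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Server stores one public key per user and nothing else about the
// credential: there is no password hash to crack or to spray against.
type Server struct {
	origin     string                       // the site identity bound into every signature
	pubKeys    map[string]ed25519.PublicKey // user -> registered device key
	challenges map[string][]byte            // user -> outstanding one-time challenge
}

func NewServer(origin string) *Server {
	return &Server{origin: origin, pubKeys: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}

// Register records the device's public key. Enrollment is the step an
// attacker targets once passwords are gone, so it must itself be
// authenticated; that part is outside this example.
func (s *Server) Register(user string, pub ed25519.PublicKey) { s.pubKeys[user] = pub }

// Challenge hands out a fresh 32-byte random nonce for the device to sign.
func (s *Server) Challenge(user string) ([]byte, error) {
	if _, ok := s.pubKeys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	ch := make([]byte, 32)
	if _, err := rand.Read(ch); err != nil {
		return nil, err
	}
	s.challenges[user] = ch
	return ch, nil
}

// signedMessage is what the device signs: the origin it believes it is
// talking to, followed by the challenge. Binding the origin is what makes
// the scheme phishing-resistant: a signature produced for a look-alike
// site that relays the real challenge will not verify here.
func signedMessage(origin string, challenge []byte) []byte {
	return append([]byte(origin+"\x00"), challenge...)
}

// Verify consumes the outstanding challenge (whether or not the check
// passes) and validates the signature against the registered key and this
// server's own origin.
func (s *Server) Verify(user string, challenge, sig []byte) error {
	pub, ok := s.pubKeys[user]
	if !ok {
		return errors.New("unknown user")
	}
	expected, ok := s.challenges[user]
	delete(s.challenges, user) // single use: a captured signature cannot be replayed
	if !ok || !bytes.Equal(expected, challenge) {
		return errors.New("no matching outstanding challenge")
	}
	if !ed25519.Verify(pub, signedMessage(s.origin, challenge), sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

// Device models the endpoint. The private key never leaves it; the local
// biometric check (a bool here) gates use of the key, and the server never
// sees fingerprint or face data at all.
type Device struct{ priv ed25519.PrivateKey }

func NewDevice() (*Device, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Device{priv: priv}, pub, nil
}

// Sign signs the challenge for the origin the device is actually connected to.
func (d *Device) Sign(origin string, challenge []byte, biometricOK bool) ([]byte, error) {
	if !biometricOK {
		return nil, errors.New("local user verification failed")
	}
	return ed25519.Sign(d.priv, signedMessage(origin, challenge)), nil
}

func main() {
	srv := NewServer("https://bank.example")
	dev, pub, err := NewDevice()
	if err != nil {
		panic(err)
	}
	srv.Register("alice", pub)

	ch, _ := srv.Challenge("alice")
	sig, _ := dev.Sign("https://bank.example", ch, true)
	fmt.Println("genuine login:", srv.Verify("alice", ch, sig))     // <nil>
	fmt.Println("replayed signature:", srv.Verify("alice", ch, sig)) // no matching outstanding challenge

	ch, _ = srv.Challenge("alice")
	sig, _ = dev.Sign("https://bank-login.example", ch, true) // phishing site relaying the real challenge
	fmt.Println("phished signature:", srv.Verify("alice", ch, sig)) // signature does not verify
}
```

Note what the server never holds: no password, no password hash, and no biometric template, so a leaked pubKeys table gives an attacker nothing to spray. Binding the origin into the signed message is the detail that defeats a phishing site relaying the genuine challenge, and the replay case shows why every challenge must be single-use.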
"The percentage of breaches attributed to unauthorized access remained unchanged in 2022 but comprised 91% of the number of records breached in 2022, impacting nearly 1.4 billion people."
Digital identity is the new secure perimeter
In addition to increased digital commerce, there's been significant growth in the hybrid/remote workforce and in the use of cloud applications and services. As a result, the traditional network security perimeter no longer exists. Now, secure access is based on digital identity, also known as the identity perimeter.
The ForgeRock Identity Platform offers the sophisticated IAM capabilities you need to protect every identity in your organization — people, systems, applications, and things. It includes AI-powered solutions to manage digital identities at scale and ensure that entities are who they claim to be. In addition, ForgeRock Autonomous Access is an AI-powered threat protection solution that can help you prevent account takeover and fraud at the identity perimeter. It analyzes threat signals and behavior patterns in real time to create risk scores, which are then used to orchestrate secure user journeys while removing unnecessary friction and improving the digital experience of legitimate users.
Read about bringing the power of artificial intelligence, machine learning, and advanced pattern recognition to the identity perimeter with ForgeRock Autonomous Identity and ForgeRock Autonomous Access.