Identity is a universal concept that accompanies us throughout our lives, regardless of our cultural or national background. Immediately after birth, newborns around the world are identified in various ways. In some cultures, babies might receive bands on their wrists or ankles, while others may have different traditional identification methods. These methods often include the baby’s name, date of birth, and other crucial information that helps distinguish them from others.
Governments and communities across the globe maintain records of their citizens’ identities in various forms, such as birth certificates, family registers, or national ID systems. These records typically contain vital information such as names, birthdates, places of birth, and parentage.
Individuals from diverse cultures and nations rely on these records to establish and verify their identities. Moreover, the importance of these documents transcends geographical boundaries since people need them for various purposes, such as education, civic participation, and international travel. For example, these records may be required for enrolling in school, registering to vote, or obtaining necessary documents such as passports or driver’s licenses.
The documents used to identify a person may change, depending on the context. For example, I need documents establishing my identity and employment authorization to apply for a job. On the other hand, I may need a passport rather than a driver’s license when traveling abroad. And to open a bank account, I may require proof of residence and identification information. Collectively, these artifacts provide what is known as personally identifiable information (PII).
Let’s look at the process of opening a bank account before the internet. A customer had to drive to the bank, meet with a bank representative, and present the required documents to open an account. Only then would they be issued an account number and be allowed to make transactions via that account. After applying for and receiving an automated teller machine (ATM) or debit card in the mail, they could use it to access their account. Every time they wanted to perform a transaction, they would need to go to a branch and authenticate themselves to a teller that would verify that they were the person they claimed to be and that they were authorized to perform the transaction they wanted. With an ATM card, they no longer needed to show their picture ID to confirm who they were. Anybody with that person’s ATM card could do everything they were authorized to do at the ATM. When someone withdraws cash with an ATM card or makes a purchase with a debit card, the card reader takes information about the account from the card and sends it, along with the amount of the transaction, to the bank. To verify that the card was not stolen, the card reader requests the card’s personal identification number (PIN); once the PIN is entered correctly, the bank approves the transaction and withdraws the funds from the account.
Identity is a multifaceted concept encompassing the unique characteristics that define who or what a person or thing is. The amalgamation of physical, emotional, cultural, and social attributes creates the intricate tapestry of our individuality. In both the physical and digital realms, identity plays a crucial role in remembering, recognizing, and interacting with subjects, be they people or objects.
In today’s increasingly interconnected world, our identities extend beyond the tangible realm, forming an integral part of our digital presence. This digital identity is a virtual representation of our real-world selves, encompassing various elements, such as usernames, passwords, biometrics, and personal preferences. It enables us to navigate the vast expanse of the internet, engage in online transactions, and interact with digital services.
The process of authentication is vital in both physical and digital environments. By verifying the identity of a subject, we ensure that they are who they claim to be and grant them access to specific services or actions based on their authorization. This process is essential for maintaining security and trust and enabling the seamless functioning of our increasingly digital lives.
In digital transactions, the owner of a digital identity is often referred to as the security principal or simply the principal. This term highlights the significance of the individual or entity at the heart of the authentication inquiry. As we engage in various online activities, our digital identities are the foundation for creating trust and facilitating secure transactions.
Just as identity existed before the internet, so did two-factor authentication (2FA) and MFA. The PIN on an ATM or debit card is one example of MFA (and of 2FA, which is a subset of MFA). To verify (authenticate) my identity, I need to present my ATM card (something I have) and enter my PIN (something I know). Similarly, showing my driver’s license to the bank teller is another example of MFA. The driver’s license is the first factor (again, something I have), while matching the picture on the ID to my face is the second factor (something I am).
Establishing identities is also critical, if not more important, online. Even though a large number of countries have established some form of online digital ID (you can see a list at https://www.worldprivacyforum.org/2021/10/national-ids-and-biometrics/), it is still rare to encounter customer-facing applications that will accept those digital IDs outside of the country that issued the ID.
The New Yorker published a cartoon in July 1993 where a large dog was sitting in front of a computer, speaking to another dog on the floor to his side, saying, “On the internet, nobody knows you’re a dog.” It can be viewed here: https://i.kym-cdn.com/photos/images/original/000/427/569/bfa.jpg. Here’s Dalle-2’s interpretation of it:
Figure 1.1 – Dalle-2’s interpretation of “On the internet, nobody knows you’re a dog”
The saying quickly became popular and has been used to describe the anonymous nature of life online. As more and more applications become available online, identifying users is essential for several reasons.
For privacy reasons, users who register at a site may not want or permit their information and activities to be seen by somebody else. Therefore, when a user returns to the site, the company must verify and validate their identity.
Companies that sell services need to make sure that the user registering is legitimate and that they are authorized to use those credentials. As Microsoft’s investigation of the security breach by the group LAPSUS$ shows (https://www.microsoft.com/en-us/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/), cybercriminals usually buy credit card numbers and other information on criminal underground forums, and they also use the Redline password stealer, Loki, and other password stealers that are bought on the dark web or available for a subscription fee. They use that information to open new accounts and spend money they never intend to pay. Companies in the financial services industry may also have other regulations to follow, for example, to prevent money laundering.
Especially after the COVID-19 pandemic started, companies began to hire employees without ever seeing them. Onboarding employees has completely changed. It is not always possible to verify an employee’s identity by looking at their physical documents (birth certificate, social security number, driver’s license, and so on) before or when they start working. Even though identity verification is not something that affects the authentication of that user, it affects what we are fundamentally discussing in this book. If you give valid credentials to a bad actor, all the security in the world will not prevent that user from doing what those credentials allow them to do.
The process of registration is a crucial step in creating and managing a digital identity. It involves collecting and verifying information about a subject (a person or an entity) and linking it to a unique identifier in the digital realm. This identifier can be a username, email address, or any other unique attribute that distinguishes the subject from others. The relationship between a subject and their digital identity is established during the registration process, and it sets the foundation for future authentication and authorization.
The first step in the registration process is to collect relevant information about the subject. Data collection may include personal details such as name, address, date of birth, contact information, and digital credentials such as a username and password. In some cases, biometric data or other unique attributes may also be collected.
After collecting the necessary information, the next step is to verify the authenticity of the data provided by the subject. For example, data verification may involve checking the validity of an email address, confirming a phone number via SMS, or comparing the provided biometric data to a pre-existing database. This verification process ensures that the subject is who they claim to be and helps maintain the integrity of the digital identity system.
Once the data has been verified, an individual account is created for the subject. This account serves as the digital representation of the subject and is linked to their unique identifier (for example, username or email address). In addition, the account may include additional information, such as preferences, interests, and other data to help personalize the subject’s digital experience:
Figure 1.2 – Application registration
With the account created and linked to the subject’s unique identifier, the subject can now use their digital identity to authenticate themselves when accessing online services.
The most common way of proving your identity online is by using a username and password:
Figure 1.3 – Application authentication
As documents or other forms of identification are used to determine if a person is who they say they are, authenticators are used to assess the validity of claims from a subject engaged in a transaction online, confirming the digital identity of the subject.
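The registration steps above (collect the data, verify it, create the account) and the username-and-password login that follows, modelled as an added example that is not the book’s own code: an emailed verification code stands in for the data-verification step, and a one-time code delivered to the verified contact supplies the second factor (something you have) alongside the password (something you know). The in-memory stores, the 600-second validity window, and the sample identifiers are assumptions.

```python
import hashlib, hmac, os, secrets, time

PENDING = {}    # constructed store: verification code -> collected registration data
ACCOUNTS = {}   # constructed store: unique identifier (username) -> account record
CODE_TTL = 600  # seconds an emailed verification code or a one-time code stays valid

def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256, so the account holds a salted hash and never the password itself."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def register(username, email, password, now=None):
    """Step 1, data collection: hold the details and issue a code to the given email address."""
    now = time.time() if now is None else now
    if username in ACCOUNTS:
        raise ValueError("identifier already taken")
    salt, digest = hash_password(password)
    code = secrets.token_urlsafe(16)
    PENDING[code] = {"username": username, "email": email, "salt": salt,
                     "digest": digest, "expires": now + CODE_TTL}
    return code  # delivered out of band in a real system; returned here for the demonstration

def verify(code, now=None):
    """Steps 2 and 3: a valid, unexpired code proves the email address and creates the account."""
    now = time.time() if now is None else now
    data = PENDING.pop(code, None)
    if data is None or now > data["expires"]:
        return None
    ACCOUNTS[data["username"]] = {"email": data["email"], "salt": data["salt"],
                                  "digest": data["digest"], "otp": None}
    return data["username"]

def issue_otp(username, now=None):
    """Second factor: a one-time code sent to the verified contact (something you have)."""
    now = time.time() if now is None else now
    otp = f"{secrets.randbelow(10**6):06d}"
    ACCOUNTS[username]["otp"] = (otp, now + CODE_TTL)
    return otp

def authenticate(username, password, otp, now=None):
    """Both factors must check out; comparisons are constant-time and the OTP is single-use."""
    now = time.time() if now is None else now
    acct = ACCOUNTS.get(username)
    if acct is None:
        hash_password(password, b"\x00" * 16)  # spend the same time for unknown identifiers
        return False
    _, digest = hash_password(password, acct["salt"])
    password_ok = hmac.compare_digest(digest, acct["digest"])
    stored, acct["otp"] = acct["otp"], None  # any attempt, right or wrong, consumes the code
    otp_ok = (stored is not None and now <= stored[1]
              and hmac.compare_digest(stored[0].encode(), str(otp).encode()))
    return password_ok and otp_ok
```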
In the physical world, governments and companies define the rules used to identify the users of their services or access to their systems. For example, a person must present a driver’s license or another form of identification to travel to domestic destinations or withdraw money from their local bank. However, they need to show a passport to be able to travel internationally. In addition, government-issued identification may not be enough when going to a company’s office, and badges may be required instead.
A digital identity is different. Even though it must be unique to the digital service it was created for, it does not uniquely identify the subject across all digital services.
Identity proofing, sometimes also referred to as identity verification, is required to validate that a subject is who they say they are. In a process similar to the one described earlier for the physical world, a person will present a driver’s license, passport, or other documents accepted by the identity-proofing service, and the identity-proofing service will provide identity assurance (the degree of certainty that the identity can be trusted to belong to the person).
Similarly, companies define their own rules to register for online (or virtual) identities and use them. In some cases, a username or email address is all that is required to create a new account. Others will need more information and, depending on the objective of the identity, validate the data used to create the new identity.
For internal users, the process is usually more complex. Legal or regulatory requirements may specify the information required for each user. The employer verifies that the worker is authorized to work in the country by validating some documents, for example.
Another difference may be self-service, where users can create their own accounts.
When self-service is not used, there are two ways of creating new identities. First, when companies are in their early stages, and the number of employees is small, they use manual processes to create accounts for their employees. Later, as the number of employees grows and the number of applications that those users have access to grows, an identity management platform or product usually performs automated identity creation and management.
Controlling access to systems, applications, and software and who is authorized to do what is called access management.
Workforce identity
Before they can offer services and applications to external customers, companies must start their identity work with everyone in the organization – employees, their contingent workforce, and business partners. Workforce identity software is used to manage identities for employees and the contingent workforce. Businesses may also use workforce identity to manage temporary or permanent identities for the contingent workforce and partners. Identity federation is the trust relationship between the company and an external (workforce) identity system to authenticate users. Identity systems usually work together with access management in what is called identity and access management (IAM) software.
The following are the typical requirements for workforce identity products:
- Secure and frictionless experience: Users need to be productive with their daily operations. The company must be able to configure the product to strike the balance between secure and convenient access that its workforce users require.
- Granular, centralized administration: A workforce identity solution must provide sufficient capabilities to control the life cycle of the company’s identities with a centralized administration giving full control to the identity infrastructure.
Customer identity
Businesses use customer identity and access management (CIAM) software to manage customer identities and offer a secure, seamless login experience for the company’s applications. When building an internet-facing application, there are common features and standard requirements that companies usually ask for:
- Self-service: The first thing is self-service, account management, and many related features – starting with allowing users to sign up and sign in, managing their profile, changing their profile, changing their password, recovering their account, performing MFA, changing their authentication factors, and onboarding new devices. All of these things come under self-service account management. You need a solution that provides this for your customers and lets your customers – the end users of your application – manage these profiles for themselves.
- Scalability: The second point is that it scales to tens of millions of users and has a large global coverage. This is different from workforce identity, where you usually have thousands or maybe tens of thousands of users. In the consumer space, you have tens of millions. On Azure, AWS, or Google Cloud, some companies have hundreds of millions of customers, and that number is always increasing. A system must allow millions of identities to be created for a large enterprise with a global presence in different countries and locations. The system must also be able to distribute these users or position them in a country closer to them; they may do this for data residency reasons. For example, users in Europe must have their data only in Europe.
- Ease of use: We usually want to attract as many users as possible in consumer identity. Ease of use is essential when onboarding customers in an online application. If the process is not user-friendly, it may discourage potential customers from completing the onboarding process and prevent them from using the application. The end users’ onboarding and authentication journey must be as easy as possible while providing various options.
Using social media accounts for onboarding can be convenient and efficient for users to create accounts and access online applications. In addition, this approach allows users to authenticate their identity and provide personal information while using their existing social media profiles rather than having to create a new account from scratch.
Again, this is different from workforce identity. The workforce is usually a captive audience that has to be created by an administrator and typically follows an HR process. Using the same process with external users will cause them to abandon the process. They will do business elsewhere. The journey to onboard end users has to be as seamless as possible.
One requirement that applies to both customer and workforce IAM products is single sign-on (SSO). When access management (AM) products allow users to log in once for multiple applications, that is called SSO.
When there is a trusted relationship between separate organizations and companies that allow users to authenticate across domains, that is called federated SSO.
Different protocols are used for SSO. Some of them will be used in the practical implementation examples in this book, starting from Chapter 3:
- SAML 2.0: Security Assertion Markup Language (SAML) is an open standard created in 2005 to provide cross-domain SSO. In SAML, you have an identity provider (IdP), which is responsible for authenticating users and managing identities, a relying party (RP), which is a service requesting and receiving data from the IdP, and a user agent (UA), which is the user requesting the services. SAML is used by several SSO products (including Azure AD, as shown in Chapter 3) to authenticate users to online Software-as-a-Service (SaaS) applications such as Salesforce, Slack, and others.
- OAuth 2.0: OAuth allows users to share specific data with an application while keeping their credentials private. For example, a printing service can use OAuth to obtain permission from users to access their photos for printing. We are going to use OAuth for some examples in this book. The OAuth Playground website provides a detailed description of the steps involved in using OAuth, along with an example application that is free to use. OAuth Playground can be viewed at https://www.oauth.com/playground/client-registration.html:
Figure 1.4 – OAuth Playground client registration
After registering a new client on OAuth Playground, you can use the generated credentials to test the OAuth protocol:
Figure 1.5 – OAuth Playground test credentials
To test these credentials, go to https://www.oauth.com/playground/authorization-code.html and enter the user account credentials that were generated in the previous step.
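The authorization code exchange the Playground walks you through (register a client, receive its credentials, redeem a code for a token), simulated as an added example with the client and the authorization server in one file; this is not the Playground’s or the book’s code. The endpoint behaviour is a plain in-memory model, and the `photos:read` scope (echoing the printing-service scenario above), the callback URL, and the store names are assumptions.

```python
import hmac, secrets
from urllib.parse import parse_qs, urlencode, urlparse

def redirect_params(url):
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}  # query string -> dict

class AuthorizationServer:
    """Constructed stand-in for the server guarding the user's photos (not the real Playground)."""
    def __init__(self):
        self.clients = {}  # client_id -> registered secret (bytes) and redirect_uri
        self.codes = {}    # single-use authorization codes, each bound to the request that earned it

    def register_client(self, redirect_uri):
        """Client registration: the server issues the client_id / client_secret pair."""
        client_id, client_secret = secrets.token_hex(8), secrets.token_urlsafe(32)
        self.clients[client_id] = {"secret": client_secret.encode(), "redirect_uri": redirect_uri}
        return client_id, client_secret

    def authorize(self, params, user_consents):
        """Authorization endpoint: after login and consent, redirect back with a code."""
        client = self.clients.get(params.get("client_id"))
        if client is None or params.get("redirect_uri") != client["redirect_uri"]:
            raise ValueError("unknown client or redirect_uri mismatch; nothing is redirected")
        reply = {"state": params["state"]}  # echoed unchanged so the client can match the response
        if params.get("response_type") != "code":
            reply["error"] = "unsupported_response_type"
        elif not user_consents:
            reply["error"] = "access_denied"
        else:
            reply["code"] = secrets.token_urlsafe(24)
            self.codes[reply["code"]] = {"client_id": params["client_id"], "scope": params.get("scope", ""),
                                         "redirect_uri": params["redirect_uri"]}
        return params["redirect_uri"] + "?" + urlencode(reply)

    def token(self, client_id, client_secret, code, redirect_uri):
        """Token endpoint: the code plus the client secret are traded for an access token."""
        client = self.clients.get(client_id)
        grant = self.codes.pop(code, None)  # consumed even on failure: one redemption only
        secret_ok = client is not None and hmac.compare_digest(client["secret"], str(client_secret).encode())
        if (not secret_ok or grant is None or grant["client_id"] != client_id
                or grant["redirect_uri"] != redirect_uri):
            return None
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "scope": grant["scope"]}

def run_authorization_code_flow(server, client_id, client_secret, redirect_uri, user_consents=True):
    """The printing service's side of the exchange; returns the token, or None if the user declined."""
    state = secrets.token_urlsafe(16)  # tied to this browser session and checked on the way back
    request = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
               "scope": "photos:read", "state": state}
    params = redirect_params(server.authorize(request, user_consents))
    if params.get("state") != state:
        raise ValueError("state mismatch: this response does not belong to this session")
    if "code" not in params:
        return None  # params["error"] says why, e.g. access_denied
    return server.token(client_id, client_secret, params["code"], redirect_uri)
```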
Now that the basic terminology is out of the way, let’s dive into the main topic of this book: MFA.