Implementing Multifactor Authentication
Implementing Multifactor Authentication: Protect your applications from cyberattacks with the help of MFA
Marco Fanti
Paperback Jun 2023 550 pages 1st Edition

On the Internet, Nobody Knows You’re a Dog

In the ever-evolving landscape of cybersecurity, ensuring that proper access is given for the right reasons at the right time for digital identities is no longer just an optional feature – it’s an indispensable component of securing modern applications. Moreover, as digital transformation accelerates, organizations must proactively protect their sensitive data and functions against persistent cybercriminals, hackers, and even insider threats.

To bring this critical topic to life, we invite you to join us on an engaging journey with ACME Software. This fictitious start-up grapples with the complexities of securing access to its business-critical data and functions. As ACME Software grows and expands, its workforce identities (corporate employees, contingent workers, and partners) and customer identities demand increasingly sophisticated authentication mechanisms to keep their information safe and sound.

Throughout this book, we will look at ACME Software while exploring its options and navigating the intricate world of modern authentication mechanisms. As we follow the start-up’s story, you will discover not only the essentials of multifactor authentication (MFA) but also its practical applications, benefits, and potential pitfalls. By delving into real-life examples and scenarios, we aim to make this subject more engaging, accessible, and relatable, transforming what might otherwise be a dry, technical topic into a captivating learning experience.

This book will cover the following themes:

  • The importance of securing digital identities in today’s interconnected world
  • An introduction to MFA, its principles, and its various forms
  • A detailed examination of ACME Software’s authentication requirements and the challenges it faces as it grows
  • A comprehensive exploration of various MFA solutions, as well as their strengths and weaknesses
  • Real-world examples of implementing and managing MFA solutions at ACME Software, demonstrating how to optimize security while maintaining user convenience
  • The future of authentication – emerging trends and technologies that will shape the next generation of identity and access management

As we follow ACME Software’s journey, we aim to equip you with the knowledge and understanding necessary to make informed decisions about MFA for your organization, empowering you to protect your valuable digital assets in a world of ever-increasing cyber threats.

In this chapter, we are going to cover the following topics:

  • Identity and digital identity
  • Additional authentication and security controls

Identity and digital identity

Identity is a universal concept that accompanies us throughout our lives, regardless of our cultural or national background. Immediately after birth, newborns around the world are identified in various ways. In some cultures, babies might receive bands on their wrists or ankles, while others may have different traditional identification methods. These methods often include the baby’s name, date of birth, and other crucial information that helps distinguish them from others.

Governments and communities across the globe maintain records of their citizens’ identities in various forms, such as birth certificates, family registers, or national ID systems. These records typically contain vital information such as names, birthdates, places of birth, and parentage.

Individuals from diverse cultures and nations rely on these records to establish and verify their identities. Moreover, the importance of these documents transcends geographical boundaries since people need them for various purposes, such as education, civic participation, and international travel. For example, these records may be required for enrolling in school, registering to vote, or obtaining necessary documents such as passports or driver’s licenses.

The documents used to identify a person may change, depending on the context. For example, I need documents establishing my identity and employment authorization to apply for a job. On the other hand, I may need a passport rather than a driver’s license when traveling abroad. And to open a bank account, I may require proof of residence and identification information. Collectively, these artifacts provide what is known as personally identifiable information (PII).

Let’s look at the process of opening a bank account before the internet. A customer had to drive to the bank, meet with a bank representative, and present the required documents to open an account. Only then would they be issued an account number and be allowed to make transactions via that account. After applying for and receiving an automated teller machine (ATM) or debit card in the mail, they could use it to access their account. Before that, every time they wanted to perform a transaction, they would need to go to a branch and authenticate themselves to a teller, who would verify that they were the person they claimed to be and that they were authorized to perform the transaction they wanted. With an ATM card, they no longer needed to show their picture ID to confirm who they were. Anybody with that person’s ATM card could do everything they were authorized to do at the ATM. When someone withdraws cash with an ATM card or makes a purchase with a debit card, the card reader takes information about the account from the card and sends it, along with the amount of the transaction, to the bank. To verify that the card was not stolen, the card reader requests the card’s personal identification number (PIN); once the PIN is entered correctly, the bank approves the transaction and withdraws the funds from the account.

Identity is a multifaceted concept encompassing the unique characteristics that define who or what a person or thing is. The amalgamation of physical, emotional, cultural, and social attributes creates the intricate tapestry of our individuality. In both the physical and digital realms, identity plays a crucial role in remembering, recognizing, and interacting with subjects, be they people or objects.

In today’s increasingly interconnected world, our identities extend beyond the tangible realm, forming an integral part of our digital presence. This digital identity is a virtual representation of our real-world selves, encompassing various elements, such as usernames, passwords, biometrics, and personal preferences. It enables us to navigate the vast expanse of the internet, engage in online transactions, and interact with digital services.

The process of authentication is vital in both physical and digital environments. By verifying the identity of a subject, we ensure that they are who they claim to be and grant them access to specific services or actions based on their authorization. This process is essential for maintaining security and trust and enabling the seamless functioning of our increasingly digital lives.

In digital transactions, the owner of a digital identity is often referred to as the security principal or simply the principal. This term highlights the significance of the individual or entity at the heart of the authentication inquiry. As we engage in various online activities, our digital identities are the foundation for creating trust and facilitating secure transactions.

Just as identity existed before the internet, two-factor authentication (2FA) and MFA existed as well. The PIN on an ATM or debit card is one example of MFA (and of 2FA, which is a subset of MFA). To verify (authenticate) my identity, I need to present my ATM card (something I have) and enter my PIN (something I know). Similarly, showing my driver’s license to the bank teller is another example of MFA. The driver’s license is the first factor (again, something I have), while matching the picture on the ID to my face is the second factor (something I am).

Establishing identities is also critical, if not more important, online. Even though a large number of countries have established some form of online digital ID (you can see a list at https://www.worldprivacyforum.org/2021/10/national-ids-and-biometrics/), it is still rare to encounter customer-facing applications that will accept those digital IDs outside of the country that issued the ID.

The New Yorker published a cartoon in July 1993 in which a large dog, sitting in front of a computer, says to another dog on the floor beside him, “On the internet, nobody knows you’re a dog.” It can be viewed here: https://i.kym-cdn.com/photos/images/original/000/427/569/bfa.jpg. Here’s Dalle-2’s interpretation of it:

Figure 1.1 – Dalle-2’s interpretation of “On the internet, nobody knows you’re a dog”

The saying quickly became popular and has been used to describe the anonymous nature of life online. As more and more applications become available online, identifying users is essential for several reasons.

For privacy reasons, users who register at a site may not want or permit their information and activities to be seen by somebody else. Therefore, companies must verify the user when they return to the site and validate their identity.

Companies that sell services need to make sure that the user registering is legitimate and that they are authorized to use those credentials. As Microsoft’s investigation of the security breach by the group LAPSUS$ shows (https://www.microsoft.com/en-us/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/), cybercriminals usually buy credit card numbers and other information on criminal underground forums and will also use the Redline password stealer, Loki, and other password stealers that are bought on the dark web or available for a subscription fee. They will use that information to open new accounts and spend money they don’t intend to pay for. Companies in the financial services industry may also have other regulations they need to follow to prevent money laundering, for example.

Especially after the COVID-19 pandemic started, companies began to hire employees without ever seeing them. Onboarding employees has completely changed. It is not always possible to verify an employee’s identity by looking at their physical documents (birth certificate, social security number, driver’s license, and so on) before or when they start working. Even though identity verification is not something that affects the authentication of that user, it affects what we are fundamentally discussing in this book. If you give valid credentials to a bad actor, all the security in the world will not prevent that user from doing what those credentials allow them to do.

The process of registration is a crucial step in creating and managing a digital identity. It involves collecting and verifying information about a subject (a person or an entity) and linking it to a unique identifier in the digital realm. This identifier can be a username, email address, or any other unique attribute that distinguishes the subject from others. The relationship between a subject and their digital identity is established during the registration process, and it sets the foundation for future authentication and authorization.

The first step in the registration process is to collect relevant information about the subject. Data collection may include personal details such as name, address, date of birth, contact information, and digital credentials such as a username and password. In some cases, biometric data or other unique attributes may also be collected.

After collecting the necessary information, the next step is to verify the authenticity of the data provided by the subject. For example, data verification may involve checking the validity of an email address, confirming a phone number via SMS, or comparing the provided biometric data to a pre-existing database. This verification process ensures that the subject is who they claim to be and helps maintain the integrity of the digital identity system.

Once the data has been verified, an individual account is created for the subject. This account serves as the digital representation of the subject and is linked to their unique identifier (for example, username or email address). In addition, the account may include additional information, such as preferences, interests, and other data to help personalize the subject’s digital experience:

Figure 1.2 – Application registration

With the account created and linked to the subject’s unique identifier, the subject can now use their digital identity to authenticate themselves when accessing online services.

The most common way of proving your identity online is by using a username and password:

Figure 1.3 – Application authentication

As documents or other forms of identification are used to determine if a person is who they say they are, authenticators are used to assess the validity of claims from a subject engaged in a transaction online, confirming the digital identity of the subject.

In the physical world, governments and companies define the rules used to identify the users of their services or access to their systems. For example, a person must present a driver’s license or another form of identification to travel to domestic destinations or withdraw money from their local bank. However, they need to show a passport to be able to travel internationally. In addition, government-issued identification may not be enough when going to a company’s office, and badges may be required instead.

A digital identity is different. Even though it must be unique to the digital service it was created for, it does not uniquely identify the subject across all digital services.

Identity proofing, sometimes also referred to as identity verification, is required to validate that a subject is who they say they are. In a process similar to the one described earlier for the physical world, a person will present a driver’s license, passport, or other documents accepted by the identity-proofing service, and the identity-proofing service will provide identity assurance (the degree of certainty that the identity can be trusted to belong to the person).

Similarly, companies define their own rules to register for online (or virtual) identities and use them. In some cases, a username or email address is all that is required to create a new account. Others will need more information and, depending on the objective of the identity, validate the data used to create the new identity.

For internal users, the process is usually more complex. Legal or regulatory requirements may specify the information required for each user. The employer verifies that the worker is authorized to work in the country by validating some documents, for example.

Another difference may be self-service, where users can create their own accounts.

When self-service is not used, there are two ways of creating new identities. First, when companies are in their early stages, and the number of employees is small, they use manual processes to create accounts for their employees. Later, as the number of employees grows and the number of applications that those users have access to grows, an identity management platform or product usually performs automated identity creation and management.

Controlling access to systems, applications, and software and who is authorized to do what is called access management.

Workforce identity

Before they can offer services and applications to external customers, companies must start their identity work with everyone in the organization – employees, their contingent workforce, and business partners. Workforce identity software is used to manage identities for employees and the contingent workforce. Businesses may also use workforce identity to manage temporary or permanent identities for the contingent workforce and partners. Identity federation is the trust relationship between the company and an external (workforce) identity system to authenticate users. Identity systems usually work together with access management in what is called identity and access management (IAM) software.

The following are the typical requirements for workforce identity products:

  • Secure and frictionless experience: Users need to be productive with their daily operations. The company must be able to use the product according to their required balance of secure and convenient access for workforce users.
  • Granular, centralized administration: A workforce identity solution must provide sufficient capabilities to control the life cycle of the company’s identities with a centralized administration giving full control to the identity infrastructure.

Customer identity

Businesses use customer identity and access management (CIAM) software to manage customer identities and offer a secure, seamless login experience for the company’s applications. When building an internet-facing application, there are common features and standard requirements that companies usually ask for:

  • Self-service: The first thing is self-service account management and its many related features – starting with allowing users to sign up and sign in, manage and change their profile, change their password, recover their account, perform MFA, change their authentication factors, and onboard new devices. All of these things come under self-service account management. It would be best if you had a solution that allows you to do this for your customers and lets your customers – the end users of your application – manage these profiles for themselves.
  • Scalability: The second point is that it scales to tens of millions of users and has large global coverage. This is different from workforce identity, where you usually have thousands or maybe tens of thousands of users. In the consumer space, you have tens of millions. On Azure, AWS, or Google Cloud, some companies have hundreds of millions of customers, and that number is always increasing. A system must allow millions of identities to be created for a large enterprise with a global presence in different countries and locations. The system must also be able to distribute these users or position them in a country closer to them; they may do this for data residency reasons. For example, users in Europe must have their data only in Europe.
  • Ease of use: We usually want to attract as many users as possible in consumer identity. Ease of use is essential when onboarding customers in an online application. If the process is not user-friendly, it may discourage potential customers from completing the onboarding process and prevent them from using the application. The end users’ onboarding and authentication journey must be as easy as possible while providing various options.

Using social media accounts for onboarding can be convenient and efficient for users to create accounts and access online applications. In addition, this approach allows users to authenticate their identity and provide personal information while using their existing social media profiles rather than having to create a new account from scratch.

Again, this is different from workforce identity. The workforce is usually a captive audience that has to be created by an administrator and typically follows an HR process. Using the same process with external users will cause them to abandon the process. They will do business elsewhere. The journey to onboard end users has to be as seamless as possible.

One requirement that applies to customer or workforce IAM products is single sign-on (SSO). When access management (AM) products allow users to log in once for multiple applications, that is called SSO.

When there is a trusted relationship between separate organizations and companies that allow users to authenticate across domains, that is called federated SSO.

Different protocols are used for SSO. Some of them will be used in the practical implementation examples in this book, starting from Chapter 3:

  • SAML 2.0: Security Assertion Markup Language (SAML) is an open standard created in 2005 to provide cross-domain SSO. In SAML, you have an identity provider (IdP), which is responsible for authenticating users and managing identities, a relying party (RP), which is a service requesting and receiving data from the IdP, and a user agent (UA), which is the user requesting the services. SAML is used by several SSO products (including Azure AD, as shown in Chapter 3) to authenticate users to online Software-as-a-Service (SaaS) applications such as Salesforce, Slack, and others.
  • OAuth 2.0: OAuth allows users to share specific data with an application while keeping their credentials private. For example, a printing service can use OAuth to obtain permission from users to access their photos for printing. We are going to use OAuth for some examples in this book. The OAuth Playground website provides a detailed description of the steps involved in using OAuth, along with an example application that is free to use. OAuth Playground can be viewed at https://www.oauth.com/playground/client-registration.html:
Figure 1.4 – OAuth Playground client registration

After registering a new client on OAuth Playground, you can use the generated credentials to test the OAuth protocol:

Figure 1.5 – OAuth Playground test credentials

To test these credentials, go to https://www.oauth.com/playground/authorization-code.html and enter the user account credentials that were generated in the previous step.
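To make the OAuth exchange concrete before the hands-on chapters, here is an added example that is not code from this book or from OAuth Playground. It runs the authorization-code flow in-process: an authorization server that issues one-time codes, a third-party client like the printing service described above, and a resource check that enforces the granted scope. The client ID, secret, URLs, and user name are constructed placeholders. It goes slightly beyond the text by including the `state` parameter and PKCE (`code_challenge`/`code_verifier`), which current OAuth guidance expects clients to use; both are labelled in the comments.

```python
import base64
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse


def b64url(raw: bytes) -> str:
    """base64url without padding, as PKCE requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


class AuthorizationServer:
    """Minimal authorization server: registered clients, one-time codes, PKCE, scoped tokens."""

    def __init__(self):
        self.clients = {}   # client_id -> {"secret": str, "redirect_uris": [...]}
        self.codes = {}     # authorization code -> grant details
        self.tokens = {}    # access token -> {"user": str, "scope": str}

    def register_client(self, client_id, client_secret, redirect_uris):
        self.clients[client_id] = {"secret": client_secret, "redirect_uris": list(redirect_uris)}

    def authorize(self, params, user):
        """Runs after the user logged in at the authorization server and approved the scope.
        The client never sees the user's password; it only receives a short-lived code."""
        client = self.clients.get(params.get("client_id"))
        if client is None or params.get("redirect_uri") not in client["redirect_uris"]:
            raise ValueError("unknown client or unregistered redirect_uri")
        if params.get("response_type") != "code" or params.get("code_challenge_method") != "S256":
            raise ValueError("unsupported request")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {
            "client_id": params["client_id"], "redirect_uri": params["redirect_uri"],
            "scope": params["scope"], "user": user,
            "code_challenge": params["code_challenge"], "expires": time.time() + 60,
        }
        return params["redirect_uri"] + "?" + urlencode({"code": code, "state": params["state"]})

    def token(self, form):
        grant = self.codes.pop(form.get("code"), None)   # codes are single-use
        if grant is None or grant["expires"] < time.time():
            raise ValueError("invalid_grant")
        client = self.clients.get(form.get("client_id"))
        if client is None or not secrets.compare_digest(client["secret"], form.get("client_secret", "")):
            raise ValueError("invalid_client")
        if grant["client_id"] != form["client_id"] or grant["redirect_uri"] != form.get("redirect_uri"):
            raise ValueError("invalid_grant")
        # PKCE: only the party that started the flow knows the verifier behind the challenge
        if b64url(hashlib.sha256(form.get("code_verifier", "").encode()).digest()) != grant["code_challenge"]:
            raise ValueError("invalid_grant: PKCE verifier mismatch")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"user": grant["user"], "scope": grant["scope"]}
        return {"access_token": token, "token_type": "Bearer", "scope": grant["scope"]}

    def resource(self, token, required_scope):
        """Resource-server check: the token must exist and carry the scope for this operation."""
        info = self.tokens.get(token)
        if info is None or required_scope not in info["scope"].split():
            raise PermissionError("insufficient_scope")
        return {"owner": info["user"], "data": f"{required_scope} granted"}


class Client:
    """The third-party application (the printing service in the text)."""

    def __init__(self, client_id, client_secret, redirect_uri, authorize_endpoint):
        self.client_id, self.client_secret = client_id, client_secret
        self.redirect_uri, self.authorize_endpoint = redirect_uri, authorize_endpoint
        self.pending = {}   # state -> code_verifier for flows we started

    def start(self, scope):
        state = secrets.token_urlsafe(16)       # binds the callback to this request (anti-CSRF)
        verifier = secrets.token_urlsafe(48)    # PKCE secret kept by the client
        self.pending[state] = verifier
        return self.authorize_endpoint + "?" + urlencode({
            "response_type": "code", "client_id": self.client_id, "redirect_uri": self.redirect_uri,
            "scope": scope, "state": state,
            "code_challenge": b64url(hashlib.sha256(verifier.encode()).digest()),
            "code_challenge_method": "S256",
        })

    def finish(self, redirect_url, server):
        q = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}
        verifier = self.pending.pop(q.get("state", ""), None)
        if verifier is None:
            raise ValueError("unknown state: callback does not match a request we made")
        return server.token({
            "grant_type": "authorization_code", "code": q["code"], "redirect_uri": self.redirect_uri,
            "client_id": self.client_id, "client_secret": self.client_secret, "code_verifier": verifier,
        })


def run_flow(scope="photos:read"):
    """Drive the whole exchange in-process; returns the server and the token response."""
    authz = AuthorizationServer()
    authz.register_client("print-app", "s3cret", ["https://print.example/cb"])   # constructed values
    app = Client("print-app", "s3cret", "https://print.example/cb", "https://idp.example/authorize")
    auth_url = app.start(scope)                                     # 1. client sends the user here
    params = {k: v[0] for k, v in parse_qs(urlparse(auth_url).query).items()}
    redirect = authz.authorize(params, user="alice")                # 2. user logs in and consents
    return authz, app.finish(redirect, authz)                       # 3. code is swapped for a token
```

The token carries only the scope the user approved, so the printing service can read photos but not write them, and the user's password never left the authorization server.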

Now that the basic terminology is out of the way, let’s dive into the main topic of this book: MFA.

Additional authentication and security controls

MFA is a method of verifying a user’s identity by requiring them to present more than one piece of information. By combining multiple layers of security, MFA decreases the chances of compromised online access to an account.

What are authentication factors?

Authentication factors are different ways of proving identity. There are three different categories of authentication factors:

  • Something you know (knowledge): Passwords, PINs, answers to pre-selected security questions
  • Something you are (being or inheritance): Face recognition, fingerprint scan, voice recognition
  • Something you have (possession): SMS codes, one-time passwords, smart cards, ATM cards, mobile phones, key fobs:
Figure 1.6 – Authentication factors

As can be seen in Figure 1.6, the three categories of authentication factors can be used individually, or combined, as part of the same authentication process. Combining two different factor categories in the same authentication process is called 2FA or MFA. Combining three or more different categories of authentication factors in the same authentication process is called MFA.

To be considered 2FA or MFA, the authentication factors should be from different categories.

Most websites use a username and password combination to verify users’ identities. Some will attempt to increase security and require an answer to a security question as well. This is not MFA. Even though the user provided two factors to authenticate (password and answer to security questions), the second factor is also from the knowledge category. This is considered a two-step authentication process but a single factor.

Going back to our ATM example, MFA enhances security because it requires the attacker to obtain both authentication factors before being able to access your money. If your wallet is stolen or you lose your ATM card, the person who has your card cannot use it without knowing the PIN as well. Similarly, if someone shoulder surfs (steals your PIN by spying over your shoulder as you use an ATM) and can use your PIN, they still don’t have the ATM card needed to complete the transaction.

Most free email providers, such as Gmail, Outlook, iCloud, and Yahoo!, provide some form of 2FA:

Figure 1.7 – Gmail 2-Step Verification confirmation

As we discuss MFA throughout this book, it is important to consider the needs of the organization and the types of users that are going to be using the systems. An authentication system needs to balance its security needs with the usability and risks of the application being accessed.

In certain industries and the government, special standards and regulations may also require (or prohibit) the use of different types of MFA systems.

https://2fa.directory/us/ provides a list of websites for different industries and whether or not they support 2FA and is a good place to look to see what your competition is doing in this area.

Criminals can obtain user credentials in different ways. For example, they can buy user credentials on the dark web, try brute-force attacks, or use social engineering methods.

Another problem with passwords is that users reuse passwords across many different sites; they may share passwords with their colleagues. They may also write the passwords on post-it notes and attach them to their monitor at work or home.

All these issues make using passwords as the single method to identify users a significant security risk for companies.

If passwords are not enough, what else can organizations do? MFA, or at least 2FA, is the most common solution. Google, in their latest Hacking Google series, states “Add 2FA to your account, and we do the rest regarding security.” Microsoft says that 99.9% of identity attacks can be blocked by MFA (https://www.microsoft.com/en-us/security/blog/2019/08/20/one-simple-action-you-can-take-to-prevent-99-9-percent-of-account-attacks/).

On the other hand, MFA overuse may cause customers to choose to move to a friendlier site and do business with a different company or abandon a shopping cart or transaction completely. Therefore, the balance between usability and security has to be considered according to the risk involved with the transaction.

In some cases, the use of MFA is based on other signals that help the system decide when to ask for a second form of authentication – for example, detecting that the user’s IP address has traveled an impossible distance since the previous login, limiting the number of login attempts and increasing the delay after each failure, and bot detection, among others.

Other tools may create a profile of the browser or mobile phone used by the users and ask for additional authentication if the phone changes or screen dimensions change, among other characteristics.
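The following added example (not code from this book or any product it mentions) puts the three signals from the last two paragraphs into one small risk engine: impossible travel between the geolocations of consecutive logins, an exponential delay after each failed password, and a change in the device profile. The coordinates, device fingerprints, user names and timestamps are constructed sample data; the 900 km/h speed threshold and 2-second base delay are assumptions chosen for the demonstration.

```python
import math
from dataclasses import dataclass, field


@dataclass
class LoginAttempt:
    user: str
    ts: int            # Unix time of the attempt, in seconds
    lat: float         # geolocation of the source IP (constructed here)
    lon: float
    device_fp: str     # hash of browser/device traits such as user agent and screen size
    password_ok: bool  # result of the first-factor check


@dataclass
class Decision:
    outcome: str               # "allow", "step_up" (ask for a second factor) or "deny"
    reasons: list
    retry_after_s: int = 0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * r * math.asin(math.sqrt(a))


@dataclass
class RiskEngine:
    max_speed_kmh: float = 900.0   # faster than an airliner: treat as impossible travel
    base_delay_s: int = 2          # delay doubles after every further failure
    last_login: dict = field(default_factory=dict)   # user -> last LoginAttempt that passed
    failures: dict = field(default_factory=dict)     # user -> (consecutive failures, ts of last one)

    def evaluate(self, a: LoginAttempt) -> Decision:
        # Signal 1: limit login attempts with an increasing delay after each failure
        count, last_ts = self.failures.get(a.user, (0, 0))
        if count:
            wait = self.base_delay_s * 2 ** (count - 1)
            if a.ts < last_ts + wait:
                return Decision("deny", ["backoff"], retry_after_s=last_ts + wait - a.ts)
        if not a.password_ok:
            self.failures[a.user] = (count + 1, a.ts)
            return Decision("deny", ["bad_password"])
        self.failures.pop(a.user, None)

        reasons = []
        prev = self.last_login.get(a.user)
        if prev is not None:
            # Signal 2: impossible travel since the previous successful login
            hours = max(a.ts - prev.ts, 1) / 3600.0
            if haversine_km(prev.lat, prev.lon, a.lat, a.lon) / hours > self.max_speed_kmh:
                reasons.append("impossible_travel")
            # Signal 3: the browser/device profile changed
            if a.device_fp != prev.device_fp:
                reasons.append("new_device")
        # Simplification: a real system records the login only after a step-up succeeds.
        self.last_login[a.user] = a
        return Decision("step_up" if reasons else "allow", reasons)


AKL = (-36.85, 174.76)   # Auckland (constructed sample coordinates)
LON = (51.51, -0.13)     # London

SAMPLE_ATTEMPTS = [
    LoginAttempt("alice", 0, *AKL, "fp-a", True),
    LoginAttempt("alice", 3600, *LON, "fp-a", True),   # 18,000+ km in one hour
    LoginAttempt("bob", 0, *AKL, "fp-b", False),
    LoginAttempt("bob", 1, *AKL, "fp-b", False),       # inside the 2 s delay
    LoginAttempt("bob", 2, *AKL, "fp-b", False),
    LoginAttempt("bob", 3, *AKL, "fp-b", True),        # right password, but the 4 s delay is still running
    LoginAttempt("carol", 0, *AKL, "fp-c", True),
    LoginAttempt("carol", 600, *AKL, "fp-d", True),    # same place, different device profile
]


def run_sample():
    engine = RiskEngine()
    return [engine.evaluate(a) for a in SAMPLE_ATTEMPTS]
```

Only the second and last attempts trigger a step-up; the engine denies the brute-force pattern outright without ever bothering Bob with a push notification.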

Behavioral biometrics can also be used to create a profile of the user and perform continuous authentication of the user based on their behaviors, not only when they log in:

Figure 1.8 – Top five cyber attacks in 2022

According to a report by HYPR (https://get.hypr.com/state-of-authentication-in-the-finance-industry-2022), cyberattacks persistently targeted financial service institutions in 2022, as evidenced by the fact that 94% of those surveyed experienced some form of attacks within the last year. As shown in the preceding figure, the most common type of attack continues to be phishing, accounting for 36% of incidents. Other frequently occurring attacks included malware, credential stuffing, MFA fatigue attacks, and Man-in-the-Middle (MitM) attacks.

Phishing

Employees frequently fall for emails that promise bonuses, an urgent request from their CEO, or a request from the Information Technology (IT) department. Those emails ask users to click on a website or verify their credentials. Unfortunately, the whole company may be compromised when the employee clicks on the link or enters their credentials where they shouldn’t.

Here are some other related attacks:

  • When a hack is done via a phone call, this is known as vishing
  • Similar to emails, SMS texts are sent to users in what is known as smishing
  • When code to redirect the original browser request to a malicious website – without the knowledge or consent of the user – is installed on a server or personal computer, the attack is called pharming

Credential stuffing

Credential stuffing attacks occur when many username/password combinations are tried against a website. Bots usually perform this type of attack.

Malware

Malware, or malicious software, is a term that describes a malicious program or piece of code that is harmful to the user’s computer.

Malware is normally used in conjunction with phishing to obtain the credentials from a user.

Account Take Over (ATO)

The reuse of credentials causes another typical attack. Most users commonly use the same email or username on many different apps. At the same time, passwords are also reused. If one account is compromised, bad actors can use the same credentials and try to log in to many other sites. Account Take Over (ATO) is usually the outcome of a successful credential stuffing attack.

MFA fatigue – push notification attack

A common way to prevent a credential stuffing attack is by using a second authentication step in addition to a username and password. For example, systems may require users to accept an app push notification or receive a phone call and press a key as a second factor. When an attacker issues multiple MFA requests to the end user until the user accepts the authentication, this is called MFA fatigue. It is also known as a push notification attack.
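An added example from the defender's side (not code from this book or from any MFA product): it reads a constructed push-notification log, raises an alert when a user receives a burst of pushes inside a short window, escalates when an approval arrives during such a burst, and then shows the preventive control of capping how many pushes a user can be sent per window. The log format, user names, window of 120 seconds and thresholds are all assumptions for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of an MFA service's push log (not real product output).
PUSH_LOG = """\
2023-06-01T10:00:01Z push_sent user=alice req=1
2023-06-01T10:00:05Z push_denied user=alice req=1
2023-06-01T10:00:09Z push_sent user=alice req=2
2023-06-01T10:00:14Z push_sent user=alice req=3
2023-06-01T10:00:20Z push_sent user=alice req=4
2023-06-01T10:00:31Z push_sent user=alice req=5
2023-06-01T10:00:40Z push_approved user=alice req=5
2023-06-01T10:02:00Z push_sent user=bob req=6
2023-06-01T10:02:10Z push_approved user=bob req=6
"""

LINE = re.compile(r"^(?P<ts>\S+) (?P<event>push_\w+) user=(?P<user>\S+) req=(?P<req>\d+)$")


def parse(log_text):
    """Yield (timestamp, event, user, request id) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["event"], m["user"], int(m["req"])


def detect_fatigue(log_text, window_s=120, threshold=4):
    """Return alerts as (user, alert name, timestamp) tuples."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)   # user -> timestamps of push_sent inside the window
    in_burst = set()
    alerts = []
    for ts, event, user, _req in parse(log_text):
        q = recent[user]
        while q and ts - q[0] > window:
            q.popleft()
        if event == "push_sent":
            q.append(ts)
            if len(q) >= threshold and user not in in_burst:
                in_burst.add(user)
                alerts.append((user, "push_burst", ts.isoformat()))
        elif event == "push_approved":
            # An approval after repeated prompts is the fatigue attack succeeding: highest severity
            if user in in_burst:
                alerts.append((user, "approval_after_burst", ts.isoformat()))
            in_burst.discard(user)
            q.clear()
    return alerts


class PushRateLimiter:
    """Preventive control: cap pushes per user per window, so a stolen password alone
    cannot be used to page the victim until they give in."""

    def __init__(self, max_pushes=3, window_s=120):
        self.max_pushes, self.window = max_pushes, timedelta(seconds=window_s)
        self.sent = defaultdict(deque)

    def allow(self, user, ts):
        q = self.sent[user]
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) >= self.max_pushes:
            return False
        q.append(ts)
        return True


def simulate_rate_limit(log_text, max_pushes=3, window_s=120):
    """Replay the log through the limiter and return the request ids it would have blocked."""
    limiter = PushRateLimiter(max_pushes, window_s)
    return [req for ts, event, user, req in parse(log_text)
            if event == "push_sent" and not limiter.allow(user, ts)]
```

With the cap in place the fourth and fifth pushes to alice are never sent, so the approval that ended the burst could not have happened; number matching (the user must type a number shown on the login screen into the app) is the other common countermeasure and is not modelled here.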

Man-in-the-Middle attack

An MitM attack is a type of session hijacking attack. The attacker eavesdrops and interrupts an existing conversation by inserting themselves into the middle of the transfer.

The attacker pretends to be the other legitimate participant for both the user and the original web application, enabling them to intercept information and data from either side of the conversation. An MitM attack can be used for account takeover purposes or just for the duration of the session:

Figure 1.9 – MitM attack

In Chapter 2, we will discuss the different types of authentication factors and which of them prevent which of these attacks.

In addition to the knowledge-based factors covered so far, the other commonly used authentication factors are described next.

One-time password

A one-time password (OTP) is a mechanism for logging in to an application or service with a password that is valid for a single use. OTPs can be generated by hardware security tokens or by authenticator apps such as Google Authenticator or Microsoft Authenticator; these usually implement the time-based TOTP algorithm (RFC 6238) or its counter-based predecessor HOTP (RFC 4226), using a shared secret provisioned at enrollment. SMS-based OTP is not recommended because of its vulnerabilities: the code travels over a channel the user does not control and can be captured through SIM swapping, and, like any OTP, it can be relayed by a phishing site in real time.

FIDO Alliance

The Fast Identity Online (FIDO) Alliance is an open industry association with a single goal: to create authentication standards to help reduce the world’s reliance on passwords.

FIDO Universal 2nd Factor standard

Yubico and Google developed the FIDO Universal 2nd Factor (FIDO U2F) standard. After FIDO U2F was successfully tested with Google employees, the standard was contributed to the FIDO Alliance.

The WebAuthn specification

WebAuthn is a World Wide Web Consortium (W3C) specification that allows the creation and use of strong, public key-based credentials for authenticating users. It is designed to be a secure and convenient alternative to traditional username and password authentication methods and can be used to authenticate users on websites and other online platforms.

WebAuthn works with the FIDO Client to Authenticator Protocol version 2 (CTAP2) to create and use credentials on an authenticator such as a security key. The two standards work together: web developers only call the WebAuthn browser API, and the browser speaks CTAP2 to the authenticator on their behalf. WebAuthn is built on public-key cryptography rather than a certificate-based PKI. At registration, the authenticator generates a fresh key pair scoped to the relying party, keeps the private key, and hands the public key to the relying party, which stores it with the user's account. At login, the authenticator signs a challenge from the server, and the relying party verifies the signature with the stored public key.

One of the main benefits of WebAuthn is that it allows users to authenticate using a variety of different devices, such as security keys, biometric sensors (such as fingerprint scanners or facial recognition cameras), and other types of hardware tokens. This makes it easier for users to authenticate securely and reduces the risk of password-based attacks such as phishing and brute-force attacks.

WebAuthn is supported by most modern web browsers and is becoming increasingly popular as a secure and convenient way to authenticate users on the web.

FIDO2

The FIDO2 specification comprises the W3C's WebAuthn specification and the FIDO Alliance's corresponding Client to Authenticator Protocol (CTAP). The specifications are open and free for general use.

Passkeys

Passkeys are replacements for passwords based on FIDO Alliance and W3C standards. The password is replaced by a strong credential (a cryptographic key pair). In addition, a passkey is bound to the website or application it was created for, so it cannot be used on a phishing site. Passkeys are not a new technology, just a new name for discoverable WebAuthn/FIDO2 credentials, which enable a fully passwordless experience: the user does not even have to type a username. A passkey lives on the user's devices (something they have), and the relying party (the service provider that processes access to the applications) can ask for user verification by biometric or PIN (something the user is or knows). Even so, some regulatory bodies still do not recognize passkeys as MFA.

This completes our introduction to MFA, authenticator factors, and the types of attacks companies face.

Summary

In this chapter, you learned why (digital) identity and authentication are fundamental parts of security. We also covered the basic concepts and terminology that will be used throughout this book. Finally, we introduced MFA.

In the next chapter, we are going to discuss the different types of authentication factors, how cybercriminals attempt to bypass them, and when to use or not to use different types of authentication factors.

Key benefits

  • Gain proficiency in using solutions like Okta, Ping Identity, and ForgeRock within the IAM domain
  • Thwart authentication breaches using pragmatic strategies and lessons derived from real-world scenarios
  • Choose the right MFA solutions to enhance your organization's security

Description

MFA has emerged as an essential defense strategy in the wide-ranging landscape of cybersecurity. This book is a comprehensive manual that assists you in picking, implementing, and resolving issues with various authentication products that support MFA. It will guide you to bolster application security without sacrificing the user experience. You'll start with the fundamentals of authentication and the significance of MFA to familiarize yourself with how MFA works and the various types of solutions currently available. As you progress through the chapters, you'll learn how to choose the proper MFA setup to provide the right combination of security and user experience. The book then takes you through methods hackers use to bypass MFA and measures to safeguard your applications. After familiarizing yourself with enabling and managing leading cloud and on-premise MFA solutions, you’ll see how MFA efficiently curbs cyber threats, aided by insights from industry best practices and lessons from real-world experiences. Finally, you’ll explore the significance of innovative advancements in this domain, including behavioral biometrics and passkeys. By the end of the book, you'll have the knowledge to secure your workforce and customers, empowering your organization to combat authentication fraud.

Who is this book for?

This book is for developers, system administrators, security professionals, white-hat hackers, CISOs, and anyone interested in understanding and enhancing their access management infrastructure. While basic knowledge of authentication and IAM is helpful, it is not a prerequisite.

What you will learn

  • Evaluate the advantages and limitations of MFA methods in use today
  • Choose the best MFA product or solution for your security needs
  • Deploy and configure the chosen solution for maximum effectiveness
  • Identify and mitigate problems associated with different MFA solutions
  • Reduce UX friction with ForgeRock and behavioral biometrics
  • Stay informed about technologies and future trends in the field

Product Details

Publication date: Jun 28, 2023
Length: 550 pages
Edition: 1st
Language: English
ISBN-13: 9781803246963

Table of Contents

Part 1: Introduction
Chapter 1: On the Internet, Nobody Knows You’re a Dog
Chapter 2: When to Use Different Types of MFA
Part 2: Implementing Multifactor Authentication
Chapter 3: Preventing 99.9% of Attacks – MFA with Azure AD and Duo
Chapter 4: Implementing Workforce and Customer Authentication Using Okta
Chapter 5: Access Management with ForgeRock and Behavioral Biometrics
Chapter 6: Federated SSO with PingFederate and 1Kosmos
Chapter 7: MFA and the Cloud – Using MFA with Amazon Web Services
Chapter 8: Google Cloud Platform and MFA
Chapter 9: MFA without Commercial Products – Doing it All Yourself with Keycloak
Part 3: Proven Implementation Strategies and Deploying Cutting-Edge Technologies
Chapter 10: Implementing MFA in the Real World
Chapter 11: The Future of (Multifactor) Authentication
Index
Other Books You May Enjoy

Customer reviews

Rating: 4.8 (8 ratings). 5 star: 75%, 4 star: 25%, 3 star: 0%, 2 star: 0%, 1 star: 0%

esgar jimenez, Jul 18, 2023, 5/5
This book does a great job describing how to properly use and deploy Multifactor Authentication (MFA). MFA is a good tool to help prevent unauthorized access to user accounts. Since cyber crime has been on the rise it has increased the need to protect users from having their credentials stolen. This has resulted in the rise in popular use of MFA. MFA helps to secure user access by forcing a second form of authentication. It could be a simple code sent to the user's phone or email. It could be a code from an app like Authenticator or Authy. This extra layer of protection helps prevent unauthorized access to an account and helps with alerting the user of a possible credential breach. Overall, this is a great read and a very helpful guide.
Amazon Verified review

GUNDERSTONE, Jul 07, 2023, 5/5
In today's digital age, security is of utmost importance. Cyber threats constantly evolve, and breaches can have devastating consequences for businesses and individuals. These threats are why Multifactor Authentication (MFA) is becoming increasingly popular as an effective strategy to secure accounts and applications. MFA goes beyond the traditional username and password combination, adding an extra layer of security that makes it much harder for attackers to access sensitive information. However, mastering MFA can be daunting, especially for those new to the cybersecurity world. Because of these challenges, hands-on guides like "Implementing Multifactor Authentication" can be helpful.

"Implementing Multifactor Authentication" takes you through a fictitious company and its experiences as they adopt various MFA products and mechanisms. This is a practical and engaging way to learn about MFA while still mastering it in no time. The book aims to help you fortify your digital fortress by reducing the risk of cyber threats.

This book offers step-by-step explanations, practical examples, and hands-on implementations of MFA concepts and technologies. It covers a range of Identity and Access Management (IAM) products and includes crystal-clear explanations that will make you an expert in no time. The book teaches you how to enable secure Single Sign-On (SSO) for enterprise and customer-facing applications.

"Implementing Multifactor Authentication" is designed to help you select the ideal products for your users, partners, and customers. You will be given instructions on obtaining free trial versions of the products used in the examples and how to build SaaS applications that use the security provided by the solutions demonstrated in each chapter. This will enable you to make empowered decisions to fortify your digital fortress, enhance your applications' security and reduce the risk of cyber threats.

The book also explores Multiple Factor Authentication (MFA) mechanisms such as biometrics, smart cards, tokens, and mobile devices. MFA mechanisms are essential for enterprises as they add another layer of security. Acme Software's journey will show you how to effectively balance security, cost and user experience. The book also looks at IAM products such as Okta, Microsoft Azure, AWS IAM, LastPass, and OneLogin.

ABOUT THE AUTHOR - Having shifted gears from software engineering to cybersecurity, Marco Fanti's professional journey is as impressive as inspiring. His innate knack for designing state-of-the-art security tools transformed his career, positioning him as a distinguished figure in the security sphere. Marco's collaborative efforts span from assisting startups, to joining forces with industry leaders like Oracle and Accenture, ultimately leading to the creation of solutions that ensure the safety of millions globally. As a perpetual learner, Marco's credentials include two MSc degrees from NYIT and NYU, and an MBA from UF, providing him the aptitude to deliver tailored solutions for his clients, blending the optimum aspects of various products. A Brazil native, Marco now resides in Florida with his wife, consistently pushing the boundaries in cybersecurity.

Audience Overview of This Book

This book is crafted to serve a broad spectrum of readers:

IT Administrators, System Operators, and Security Specialists: The book targets system administrators, network administrators, security engineers, and other IT personnel tasked with the establishment and maintenance of secure authentication systems. It offers a comprehensive exploration of Multifactor Authentication (MFA).

Cybersecurity Specialists: This book is an excellent resource for security consultants, researchers, analysts, and other professionals engaged in the cybersecurity sector seeking to augment their understanding of MFA. It aids in staying updated with the most effective strategies for safeguarding critical data and systems.

Software Professionals: Software developers and engineers tasked with developing applications with stringent authentication requirements will find this book invaluable. It provides in-depth knowledge on MFA, shares best practices, and illustrates effective techniques to incorporate it into their applications seamlessly.

Business Leaders: For executives, managers, and business proprietors who are accountable for their organization's data and infrastructure security, this book serves as a reliable guide to MFA. It aids in gaining a solid understanding of the concept, thereby facilitating judicious decisions regarding its implementation.

In addition, the book contains sections that highlight examples of Software as a Service (SaaS) applications crafted utilizing Software Development Kits (SDKs) for an array of authentication products. Although the book thoroughly explains the process of constructing and launching these applications, readers with a basic grounding in programming will find it easier to grasp the material and apply this knowledge to their endeavors.

In conclusion, "Implementing Multifactor Authentication" is a comprehensive guide that delves deep into the world of MFA, providing you with all the information you need to make informed decisions and elevate your security game. By immersing yourself in the practical, engaging learning experience of the fictitious Acme Software, you will master MFA in no time. You will be equipped with the knowledge to select the ideal IAM products for your requirements and implement secure SSO for your applications.
Amazon Verified review

Shrinivas Shenoy, Aug 24, 2023, 5/5
A worthy purchase for those seeking an in-depth understanding of multifactor authentication implementation across various platforms. Concepts are well explained keeping all levels of audience in mind. A must-have for people trying to break into the IT Infrastructure and Cybersecurity domain. Thank you.
Amazon Verified review

Rio, Jul 03, 2023, 5/5
This book is great if you would like to learn "Everything MFA"! Takes you through the basics to the extensive deployment of 3rd party integration. Would highly recommend you create a sandbox tenant and follow along with the implementation steps. This book is also great if you're studying for the AZ-500.
Amazon Verified review

Brandon Lachterman, Jul 05, 2023, 5/5
This is a must have for security engineers, and software appsec and devops alike. I was delighted to see how in depth the author went into many different methods of implementation without making it overly dense and difficult to understand. Nice work!
Amazon Verified review