How many sites do you log into every day? Between work email, personal email, Twitter, Facebook, LinkedIn, and all the other accounts the average person has online, the number is probably fairly large. With that in mind, how many passwords do you have? That number is almost certainly smaller. Therein lies the core of the issue with digital identity protection.
Online, users must prove their identities using credentials, such as a password. This process is called authentication, and it is essential to protecting your “digital identity.” If authentication can be circumvented, then anyone can pretend to be anyone else online, and that can lead to serious problems. For example, most of the major data breaches over the course of the last year were accomplished by hackers who had gained access to credentials that they shouldn’t have had. Armed with this information, they were able to access systems and steal data on a truly massive scale.
Clearly, digital identities are important and need to be protected, but so far there are not many good ways of doing so. Most people use passwords to secure their identities. This is an example of what is called single-factor authentication, since verifying the owner’s identity is based on a single piece of theoretically secret information: the password. However, passwords are notoriously terrible at protecting information – although that is not entirely the fault of passwords themselves. In theory, people should have a different, unique password for every site that requires one; each password should be long, with a mixture of character types; and passwords should be changed every six months. In practice, a staggering number of people have passwords like “password” or “123456,” because it would be impossible for most people to actually remember their passwords if they abided by these best practices.
There are ways to work around this—sites like LastPass.com will remember, manage, and automatically enter user passwords in an attempt to make secure passwords more usable. Some people are even offering custom-made, truly randomized passwords that are delivered through physical mail. Broadly speaking, though, for a password to be effective, it will also be nearly impossible for a human to remember.
As a result, there are a number of different methods of securing access to digital identities that do not rely entirely upon passwords. Many of these use two-factor authentication or multi-factor authentication. These types of systems use several pieces of information to verify a user’s identity. For example, a computer might require a password and a fingerprint in order to log in, or it may use facial recognition software combined with a keycard or other physical token.
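To make the difference between single-factor and two-factor authentication concrete, here is an added example (not code from the original article) of a small server-side verifier. The password factor is checked against a salted PBKDF2 hash, and the second factor is a time-based one-time code (RFC 6238 TOTP) that a user's device derives from a secret it holds plus the current 30-second window. The account record, the account name, the password, and the TOTP secret (which is the RFC 6238 test-vector key) are all constructed for this illustration; the iteration count is an assumption to be tuned per deployment. The point it shows is the one made above: a password that has leaked is, on its own, not enough to pass a two-factor check.

```python
import hashlib
import hmac
import os
import struct

# Assumption: iteration count chosen for this demo; production values are tuned
# to the server's hardware and revisited over time.
PBKDF2_ITERATIONS = 100_000
TOTP_STEP_SECONDS = 30


def hash_password(password, salt=None):
    """Derive a salted PBKDF2-HMAC-SHA256 digest. The server stores (salt, digest),
    never the password itself, so a database leak does not hand out passwords."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Re-derive the digest and compare in constant time (avoids timing leaks)."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def totp(secret, unix_time, step=TOTP_STEP_SECONDS, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1: HOTP over the current time-step counter,
    dynamically truncated to a `digits`-digit decimal code."""
    counter = int(unix_time) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{truncated % (10 ** digits):0{digits}d}"


def create_account(username, password, totp_secret):
    """Constructed account record: what the server keeps for one user."""
    salt, digest = hash_password(password)
    return {"username": username, "salt": salt, "digest": digest, "totp_secret": totp_secret}


def authenticate_single_factor(account, password):
    """Single-factor login: the password alone decides."""
    return verify_password(password, account["salt"], account["digest"])


def authenticate_two_factor(account, password, code, unix_time, window=1):
    """Two-factor login: password AND a one-time code from the user's device.
    `window` extra steps on either side tolerate small clock drift."""
    password_ok = verify_password(password, account["salt"], account["digest"])
    code_ok = False
    for delta in range(-window, window + 1):
        expected = totp(account["totp_secret"], unix_time + delta * TOTP_STEP_SECONDS)
        # Compare every candidate rather than returning early, so the response
        # time does not reveal which factor failed.
        code_ok = hmac.compare_digest(expected, code) or code_ok
    return password_ok and code_ok


if __name__ == "__main__":
    # Constructed demo: the TOTP secret is the RFC 6238 test-vector key.
    acct = create_account("alice", "correct horse battery staple", b"12345678901234567890")
    now = 59  # RFC 6238 test time; the 6-digit code for this step is 287082
    good_code = totp(acct["totp_secret"], now)
    print("password only, leaked password:", authenticate_single_factor(acct, "correct horse battery staple"))
    print("two-factor, leaked password, no code:", authenticate_two_factor(acct, "correct horse battery staple", "000000", now))
    print("two-factor, leaked password + device code:", authenticate_two_factor(acct, "correct horse battery staple", good_code, now))
```

The verifier deliberately never stores the password, and it checks both factors before answering so that an attacker holding only a stolen password learns nothing from the response. A real deployment would additionally record the last accepted TOTP step so a code cannot be replayed inside the same window, and would rate-limit attempts; both are omitted here to keep the example focused on the two factors themselves.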
Many modern two-factor systems are incorporating biometrics as one of the necessary factors for verifying an individual’s identity. This makes intuitive sense, as many people would not expect a hacker to be able to steal someone’s fingerprints as easily as they could a password. However, this is not the case. As part of the OPM hack, the hackers were able to steal the fingerprint information for more than 5 million federal employees. This remains one of the biggest issues with biometric security: it seems completely secure, but that is not necessarily the case—and the illusion of complete security could have dangerous implications.
As with most security technologies, the developers of digital identity protection procedures are caught in a perpetual race with criminals who want to circumvent their efforts. Biometric security is still an emerging field, and advances are being made to make biometric systems more secure and accessible. At present, passwords remain the most popular means of authentication online, but that may change as the problems with passwords become more severe, the data breaches continue, and new options for better protecting identity information become available.