
Credit: N. Hanacek, B. Hayes/NIST (Source: Google images)
Evolution of digital identity
Identity and verification of identity have always been the principles on which access has been provided to physical areas, services, and goods. Particularly, a government-verified identity has immense integrity and sanctity associated with it.
Before the digital era (before 1990), identities were provided in the form of hard paper. We all remember ration cards, voter ID cards, Passports, etc., which served various purposes and were used to verify identity.
As we moved into the digital age (post-1990), computers, networks, and web applications became ubiquitous, and the concept of digital identity started to take shape. The evolution of digital identities can be represented as follows:
- Username and password: The earliest form of identity (still in use) is a combination of username and password, which reflects the concept of “Something I know”.
- Multi-factor authentication: Then evolved the 2nd factor of authentication, which, along with “Something I know”, also included the concept of “Something I have”:
  - A one-time password [Examples: SMS/WhatsApp messages, very popular for enabling financial transactions].
  - A software or hardware token providing a random number that can be used as the 2nd factor.
  - Personal details like an email address or house address are also used as a 2nd factor of authentication.
- Biometric authentication: Biometric authentication is considered one of the safest forms of authentication, as the biometric features of a human cannot be duplicated.
- Federated identity: Have you used your Gmail ID to log into other social media platforms like LinkedIn, Facebook, or any mobile app? This form of authentication, where one identity can be leveraged across various organizations providing services, is called federated identity.
- Blockchain: Application of blockchain technology in identity management is a recent development. This is a decentralization approach that provides more autonomy to the user for identity authentication.
Importance of digital identity in enabling digital transformation
Digital identity is becoming the most important enabler as the world moves towards a digital economy and digital transformation. This is the foundation on which all the public and private services are based. Some of the important societal and business benefits of digital identity are as follows:
- Direct monetary benefit to citizens: With a verified digital identity, all government monetary benefits can be directly credited to the bank account of the citizens.
- eKYC: We are all familiar with leveraging Aadhaar (The Indian digital identity provided to all citizens) now used to verify identity, address proof, etc., for availing private (bank, telecommunication, real estate, medical, etc.) and public services and schemes.
- Enabler of digital economy: Transition to a digital economy requires a robust, secure, and scalable digital identity system. Digital identity is at the core of such a transition.
- Enabler of market economics: Take the example of India: presently 26% of the population is under the age of 14 and 67% is between 15 and 64 years of age, which means at least 50% of the population is under the age of 45 and spends a significant amount of its time online consuming services. This is a huge number of potential customers for any industry sector, and digital identity is enabling this market.
The images below show the expansion of digital India and how it is enabling the digital economy; digital identity is at the core of this revolution.
[Image 1: expansion of digital India. Image Source: GrabOn]
[Image 2: growth of the digital economy. Image Source: GrabOn]
Role of Aadhaar
India embarked on a challenging project to provide a digital identity for its 1.4 billion citizens in 2009. This was mainly done to ensure fairness and transparency in the public distribution system, whereby monetary benefits from government-sponsored programs can be provided to the deserving citizens and fraud can be minimized.
This required providing a unique digital identity to every citizen based on biometric credentials, which cannot be forged or duplicated. This feature of Aadhaar not only became its key strength as an identity provider but also propelled the growth of the digital economy.
Aadhaar is also used on a large scale by the private sector to verify the identity of its users and establish a higher level of trust (without integrity and trust, a digital economy will fail miserably), for example:
- The financial sector (including all private banks, insurance companies, etc.) leverages Aadhaar to establish the trust and identity of its customers through the KYC (Know Your Customer) process.
- Social media companies like LinkedIn provide their users the option to verify their identity with Aadhaar (amongst other identity providers), which provides a higher level of trust amongst the users and LinkedIn.
- All telecom providers mandatorily request Aadhaar before enabling mobile or internet services.
Thus, Aadhaar plays a key role in enabling trust and integrity of digital identity, which serves as a cornerstone for both the public distribution system and private industry sectors.
Architecting and securing digital identity
The role of identity providers (IdPs) is crucial in today’s world, as the entry point for accessing the services provided by an organization is managed by the IdP. In most cases, organizations use different strategies for identity authentication of customers (referred to as users) and of their employees.
- Users can be authenticated with their Gmail IDs while creating a user account with the organization’s web services or mobile application.
- This is done so that the user has a seamless account-creation experience and does not need to remember different usernames and passwords or go through additional authentication checks.
- For employees, organizations may leverage various IdP vendors like Okta, SailPoint, or Microsoft.
Before discussing the architecture of IdPs, we need to understand some basic characteristics of a centralized identity provider:
- Central IdP: Identity provider manages a central database of identities, and users or employees have very little control over the data once it is shared.
- Single point of failure: As there is a central database to manage identities, it usually becomes a single point of failure.
- Vulnerable to attacks: As the identity database is centralized, it is often vulnerable to external attacks from hackers.
- Probability of Fraud: The probability of fraud and identity theft increases as it is easy to compromise centralized identity databases.
Architecting digital identity
Before an identity provider can be architected, we need to understand the basic attributes of an identity. What is an identity?
- Name
- Birth date
- Nationality
- Address
- Photo (In some cases)
- Mobile number
- E-mail address
- Biometric details (Very rare)
- Credit card number
- Bank account number
- Device Id (Mobile, Tab, etc.)
A combination of these attributes, along with username and password, can be considered unique and may be used to authenticate the identity of a user.
All these attributes are considered personal information or sensitive personal information and are heavily regulated by regional and country laws and regulations. Hence, before architecting a digital identity provider, it is important to know the following:
Components of the architecture:
- Identity provider (IdP) is the authority that will verify the identity of the user.
- Authoritative source (AS) is where the user will enter basic details for registration, against which the user will be verified.
Principles to be followed:
- Be clear about the purpose of collecting the information.
- Collect the minimum amount of information that is required to meet the business objective.
- Provide the user (talking about customers here) access to their data for updating it and maintaining its freshness.
- Always ask for consent for the usage of the data.
- Security needs to be integrated into the design.
Use-cases: The architecture of IdP depends on specific use-cases it is meant to cater to, so it is important to list all the present use-cases before architecting the identity platform.
Below, I discuss some of the use-case-based IdP architecture for end users.
IdP architecture use-cases (end-user use-cases):
Use-case 1: When a user (customer) decides to use a service like Gmail:
- IdP: Google Identity Services
- Authoritative source (AS): Gmail registration form
Identity verifier:
- Username and password created during registration, and the 2nd factor of authentication if enabled (the 2nd factor is also leveraged when the Forgot password option is chosen)
- Passkeys: Passwordless authentication, as it uses the device login, like biometric, screen lock, etc.
Use-case 2: When a user (customer) decides to use a service like LinkedIn:
- IdP: LinkedIn or social media logins like Google, Facebook, etc.
- This is an interesting and very popular use-case, where users can log in to any web/mobile service with existing social logins from Gmail, Facebook, etc. This creates a seamless and enriched experience for the user, as no new registration needs to be done and no new username and password needs to be remembered.
- This is enabled through a concept called identity federation, where multiple organizations securely share identity credentials like username/password through open standard protocols like SAML, OAuth 2.0, and OIDC.
- Authoritative source: LinkedIn/Google/Facebook registration form
Identity verifier:
- Username and password created during registration, and the 2nd factor of authentication if enabled (the 2nd factor is also leveraged when the Forgot password option is chosen)
- Passkeys: Passwordless authentication, as it uses the device login, like biometric, screen lock, etc.

Use-case 3: When a user (customer) decides to use a service like LinkedIn and also verify identity with a Govt.-provided ID like Aadhaar:
- IdP: LinkedIn or social media logins and Aadhaar
- During the first login, LinkedIn verifies authentication information from social media logins like Gmail or Facebook.
- This is enabled through a concept called identity federation, where multiple organizations securely share identity credentials like username/password through open standard protocols like SAML, OAuth 2.0, and OIDC.
- LinkedIn also provides an option to users to verify their identity with government-provided identification, including Aadhaar. This establishes more trust between users, leveraging the LinkedIn community.
- Authoritative source: LinkedIn/Google/Facebook registration form + Aadhaar registration
Identity verifier:
- Aadhaar ID number linked through DigiLocker, phone number, and the OTP received on the phone
- This provides more reliability and trust as Aadhaar uses biometric features like fingerprint, retina scans to verify identity while registering citizens.
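In use-cases 2 and 3 the federated login only gives LinkedIn (the relying party) what the IdP asserts about the user, so its security rests on the relying party validating that assertion. The added example below is not code from the original post or from any of the named providers: it models the OIDC ID-token exchange with the IdP signing a claim set and the relying party checking signature, issuer, audience, expiry, nonce and email verification. Assumptions: an HS256 shared secret, issuer and client id are constructed placeholders so the example runs offline; real IdPs such as Google sign with RSA/EC keys published via JWKS.

```python
import base64
import hashlib
import hmac
import json

# Constructed values for the demo: a shared secret standing in for the IdP's
# signing key (assumption: HS256 keeps this offline; real IdPs such as Google
# publish RSA/EC public keys via JWKS), plus placeholder issuer and client id.
IDP_SECRET = b"constructed-demo-signing-secret"
EXPECTED_ISSUER = "https://idp.example"
EXPECTED_AUDIENCE = "relying-party-demo-client-id"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_id_token(claims: dict) -> str:
    """IdP side: after the user authenticates, sign a claim set as a JWT."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(IDP_SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def validate_id_token(token: str, expected_nonce: str, now: int) -> dict:
    """Relying-party side: accept the token only if every check passes.
    `now` is Unix time; `expected_nonce` is the nonce this login session sent."""
    header_b64, body_b64, sig_b64 = token.split(".")  # ValueError if not 3 parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust alg=none
        raise ValueError("unexpected alg")
    signed = f"{header_b64}.{body_b64}".encode()
    expected = hmac.new(IDP_SECRET, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != EXPECTED_AUDIENCE:
        raise ValueError("token was issued for a different client")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: possible replayed token")
    if not claims.get("email_verified", False):
        raise ValueError("IdP has not verified this email address")
    return claims
```

The relying party never handles the user's IdP password; a token that fails any one of these checks must be treated as no login at all.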

Security best practices
Data security:
- Encryption of the identity provider’s central database (e.g., AES-256 encryption of data at rest, 2048-bit keys for PKI)
- Encryption of data in transit using Transport Layer Security (TLS) 1.2
Authentication support:
- Multifactor authentication
- Passwordless authentication
- Support secure protocols for federated identity management (SAML, OIDC, OAuth)
- Ability to support location-, Internet Protocol (IP)-, and time zone-based authentication
Infrastructure security:
- Regular patching and hardening
- Secure configuration
- Regular security testing
- Network security
- Periodic architecture reviews
Programming interface security:
- API security (secure programmatic access to APIs)
- Trust only verified IdPs through federated identity
Privileged user access:
- Role-Based Access Control (RBAC) for privileged users.
Compliance support:
- Support for adherence to different security standards in the industry (SOC, ISO 27001, GDPR, etc.)
- Support for security audit, user access audits
Audit and logging capability:
- The platform should have user access logging and auditing capability
- Supports integration with central logging platforms
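The IP/location-based authentication and the access-logging items above only pay off if someone consumes the IdP's audit trail. The added example below is not code from the original post or from any IdP product: it runs two defender-side checks over a constructed sample of authentication events, a burst of failed logins for one account and a successful login from a second country within an hour of the previous one. Assumptions: the JSON-lines schema (ts, user, ip, country, result) and the thresholds are made up for the demo; a real IdP export will need its fields mapped.

```python
import json
from collections import defaultdict, deque

# Constructed sample of IdP authentication events (JSON lines), not real logs.
SAMPLE_LOG = """
{"ts": 1000, "user": "alice", "ip": "203.0.113.10", "country": "IN", "result": "success"}
{"ts": 1010, "user": "bob", "ip": "198.51.100.7", "country": "IN", "result": "failure"}
{"ts": 1020, "user": "bob", "ip": "198.51.100.7", "country": "IN", "result": "failure"}
{"ts": 1030, "user": "bob", "ip": "198.51.100.7", "country": "IN", "result": "failure"}
{"ts": 1040, "user": "bob", "ip": "198.51.100.7", "country": "IN", "result": "failure"}
{"ts": 1050, "user": "bob", "ip": "198.51.100.7", "country": "IN", "result": "failure"}
{"ts": 2500, "user": "alice", "ip": "192.0.2.44", "country": "US", "result": "success"}
{"ts": 9000, "user": "carol", "ip": "192.0.2.9", "country": "DE", "result": "success"}
"""

FAILURE_THRESHOLD = 5   # this many failures for one user ...
FAILURE_WINDOW = 60     # ... inside this many seconds raises an alert
TRAVEL_WINDOW = 3600    # two countries for one user inside this window is suspect


def parse_events(text: str) -> list:
    """Parse JSON-lines audit export (assumed schema) into event dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def detect(events: list) -> list:
    """Return (alert_type, user, detail) tuples in timestamp order."""
    alerts = []
    failures = defaultdict(deque)   # user -> timestamps of recent failures
    last_success = {}               # user -> (ts, country) of last successful login
    for e in sorted(events, key=lambda x: x["ts"]):
        user, ts = e["user"], e["ts"]
        if e["result"] == "failure":
            window = failures[user]
            window.append(ts)
            while window and ts - window[0] > FAILURE_WINDOW:
                window.popleft()    # drop failures that aged out of the window
            if len(window) >= FAILURE_THRESHOLD:
                alerts.append(("failure_burst", user, e["ip"]))
                window.clear()      # one alert per burst, not one per failure
        else:
            prev = last_success.get(user)
            if prev and prev[1] != e["country"] and ts - prev[0] <= TRAVEL_WINDOW:
                alerts.append(("impossible_travel", user, f"{prev[1]}->{e['country']}"))
            last_success[user] = (ts, e["country"])
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(alert)
```

On the sample this flags bob's five failures at 1050 and alice's India-to-US login 25 minutes after her previous one; carol's single login from a new country raises nothing because there is no earlier login to compare against.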
Legal considerations
Identity management as a function is bound and regulated by many laws and regulations. As personal information / sensitive personal information of end users and employees is collected, stored, and managed, it becomes necessary to comply with laws and industry standards.
Based on the geographical location of the identity provider’s datacentre where the information is hosted, the specific regional and country laws will apply.
For example, if the identity provider is based out of India and the information is also hosted in India, the following laws may be applicable:
- Digital Personal Data Protection Act, 2023 (DPDP Act)
- Information Technology (IT) Act, 2000
- IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011
- RBI Guidelines (for banking and fintech)
- IRDAI (for insurance)
- Telecom Regulatory Authority of India (TRAI) rules
- Aadhaar Act, 2016: Regulates biometric and demographic data
Apart from the above, the identity provider may also need to comply with various security standards and frameworks like the National Institute of Standards and Technology (NIST), International Organization for Standardization (ISO) 27001, and Payment Card Industry Data Security Standard (PCI DSS), etc.
Hence, it is very important to also have an overarching Governance function for identity management operations.
Summary
In today’s world, digital identity is the cornerstone of the public distribution system and access to the company network and resources. With the advancement in technology, it is possible to design digital identity architecture for multiple use-cases with security and in compliance with applicable laws and regulations, and make it a seamless experience for the user.
Written by Kaushik Majumder, a Cybersecurity Strategy & Operations Leader. He has 18 years of experience in cybersecurity & has been a trusted advisor to CISOs & Business leaders on cybersecurity. Kaushik’s core area of expertise is Strategy, Risk Management, & setting up Security Center of Excellence from India.
Kaushik can be reached at www.linkedin.com/in/kmajumder1982
References
- https://identitymanagementinstitute.org/evolution-of-digital-identification/
- https://emudhra.com/en-my/blog/the-role-of-digital-identity-in-streamlining-government-services
- https://www.grabon.in/indulge/tech/internet-users-statistics/
- https://www.idnow.io/blog/5-reasons-why-digital-identity-revolutionize-business/
- https://www.pib.gov.in/FactsheetDetails.aspx?Id=149096
- Google images and research