Identity Problem #1 – Sharing Credentials

If we share credentials (username, password, and/or PIN), there is typically no way to establish a user’s identity, because what the system verified was the shared authenticator, not the person holding it. Unfortunately, many devices, assets, and applications have no real concept of per-user identities, so administrators and users must share credentials to perform various tasks. This creates an auditing problem whenever the resource is accessed: the person or technology behind the access cannot be identified from the logs.
Identity Problem #2 – No Link Between Aliases and Real Identity

A second problem occurs with your identity if you have an alias. It is quite common for people to have a variety of aliases, from email addresses to usernames. Many times they are formed from letters in your name, but for privacy or personal humor they could be anything. What complicates the concept of aliases is when there is no obvious link to whom the real identity belongs. Correlating users for an audit across multiple aliases then becomes a combinatorial problem that grows with the number of users multiplied by the number of aliases each one holds.
Identity Problem #3 – Identity Changes

A third problem with identities is that your identity can change (yes, it can), or you may have a personal alias. A typical identity change happens when you marry and change your last name, either hyphenated or completely replaced. Thinking back to our original analogy, this is the same issue as if “John” walked into another room and introduced himself as “Fred.” Finally, some people have aliases for their own reasons: some they created, others are nicknames, and others were given to them without their consent.
A Personal, Real World Example of These Identity Problems

As a security professional, I deal with the latter problem all the time and have been branded as John Titor. This is an alias that I cannot falsely embrace, but it could lead me to introduce myself as John, and people would actually believe me as well. Unfortunately, the nature of the internet, conspiracy theories, and hoaxes has led my identity to be linked to someone else (real or not). This is commonly known, regardless of how it happens, as some form of identity theft or identity impersonation. I cannot confirm (because I am not) or deny I am (because the accusers will not believe me) this alias without potentially participating in identity theft myself. The only thing I can do is ignore the situation and hope it stays manageable. It is a very weird problem to have, and people with common names like John Smith deal with it all the time. Parents who name their children the same name commonly deal with this situation as well. Having a unique name is a benefit unless you have a well-known alias. Your name, or alias, is not unique enough to confirm your identity without an additional method such as a photo, password, PIN, or biometrics. Thus, stopping identity theft or impersonation is a bigger problem.
Best Practices to Secure Your Identity

With these known flaws in establishing a person’s identity, here are a few best practices to secure your identity and make sure it remains solely with you:
- Never share your identity authentication mechanisms with anyone else. These include credentials, ID cards, PINs, or any other form of electronic or physical resource that confirms your identity. For example, you would never share your passport, right? So why share the username and password to your workstation or bank account?
- Minimize your aliases. This is primarily important for work: have all necessary aliases linked coherently back to your identity. At home, having goofy or non-identifiable aliases for email is acceptable, but the more you have, the harder they are to manage personally. I personally recommend three: one for official business with banks and financial institutions, a second for correspondence, and a third for spam, junk mail, and everything else.
- Keep all access unique. Your identity itself is unique, and every link to a resource should be unique as well. This means you may use the same or similar alias (username) across resources, but the password should be unique per resource. That way a password stolen from one resource cannot be re-used to impersonate you on another. In addition, it allows auditing and reporting on your identity to positively confirm or refute each access.
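The auditing gap described under Problems #1 and #2, and the attribution the last practice is meant to restore, can be made concrete. The Python below is an added example written for this page, not code from the author or from BeyondTrust. It parses a handful of constructed audit lines, resolves known aliases to one person through a hypothetical alias registry, reports the events that cannot be attributed (shared accounts and aliases nobody registered), and flags an account whose logins arrive from several hosts inside one short window, which is what a shared credential looks like in a log. The account names, hostnames, and log format are all invented for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample audit lines for this example; not real log data.
SAMPLE_LOG = """\
2024-03-01T09:00:01 account=jsmith src=ws-1041 action=login
2024-03-01T09:00:07 account=john.smith@corp.example src=ws-1041 action=mailbox_open
2024-03-01T09:02:15 account=fredj src=ws-2203 action=login
2024-03-01T09:03:00 account=svc_backup src=ws-1041 action=login
2024-03-01T09:03:05 account=svc_backup src=ws-2203 action=login
2024-03-01T09:03:40 account=svc_backup src=ws-0017 action=login
2024-03-01T09:10:22 account=jsmith-admin src=ws-1041 action=sudo
2024-03-01T09:11:00 account=mhaber src=ws-3300 action=login
"""

# Hypothetical alias registry: each known alias maps to exactly one person.
# A value of None marks an account that is deliberately shared (Problem #1).
ALIAS_TO_IDENTITY = {
    "jsmith": "John Smith",
    "john.smith@corp.example": "John Smith",
    "jsmith-admin": "John Smith",
    "fredj": "Fred Jones",
    "svc_backup": None,
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) account=(?P<account>\S+) src=(?P<src>\S+) action=(?P<action>\S+)$"
)


def parse_events(text):
    """Turn raw lines into dicts; malformed lines are skipped, not guessed at."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def attribute_events(events, aliases=ALIAS_TO_IDENTITY):
    """Map every event to a real identity through the alias registry.

    Returns (by_identity, unattributable). Events on shared accounts or on
    aliases with no registry entry cannot be tied to a person; they come back
    separately with a reason, so the auditor sees the gap instead of a
    silently wrong answer.
    """
    by_identity = defaultdict(list)
    unattributable = []
    for ev in events:
        if ev["account"] not in aliases:
            unattributable.append((ev, "unknown alias"))   # Problem #2
        elif aliases[ev["account"]] is None:
            unattributable.append((ev, "shared account"))  # Problem #1
        else:
            by_identity[aliases[ev["account"]]].append(ev)
    return dict(by_identity), unattributable


def find_shared_credentials(events, window_seconds=300):
    """Heuristic for sharing even where the registry is silent: the same
    account logging in from more than one source host inside the window.
    Returns {account: sorted list of the distinct hosts seen}."""
    logins = defaultdict(list)
    for ev in events:
        if ev["action"] == "login":
            logins[ev["account"]].append(ev)
    flagged = {}
    for account, evs in logins.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            hosts = {first["src"]}
            for later in evs[i + 1:]:
                if (later["ts"] - first["ts"]).total_seconds() > window_seconds:
                    break
                hosts.add(later["src"])
            if len(hosts) > 1:
                flagged[account] = sorted(hosts)
                break
    return flagged


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    known, unknown = attribute_events(evs)
    for person, items in known.items():
        print(f"{person}: {len(items)} event(s)")
    for ev, reason in unknown:
        print(f"UNATTRIBUTABLE ({reason}): {ev['ts']} {ev['account']} from {ev['src']}")
    for account, hosts in find_shared_credentials(evs).items():
        print(f"SHARED CREDENTIAL? {account} logged in from {hosts} within 5 minutes")
```

Run as a script, the three John Smith aliases collapse into one person while the svc_backup events and the unregistered mhaber alias are reported as unattributable rather than being silently assigned to anyone. The window heuristic is deliberately conservative: a single user hopping between two workstations can trigger it too, so treat its output as a lead for the auditor, not as proof of sharing.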
Morey J. Haber, Chief Technology Officer and Chief Information Security Officer at BeyondTrust
Morey J. Haber is Chief Technology Officer and Chief Information Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored four Apress books: Privileged Attack Vectors (2 Editions), Asset Attack Vectors, and Identity Attack Vectors. In 2018, Bomgar acquired BeyondTrust and retained the BeyondTrust name. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition. Morey currently oversees BeyondTrust strategy for privileged access management and remote access solutions. In 2004, he joined eEye as Director of Security Engineering and was responsible for strategic business discussions and vulnerability management architectures in Fortune 500 clients. Prior to eEye, he was Development Manager for Computer Associates, Inc. (CA), responsible for new product beta cycles and named customer accounts. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.