Identity Problem #1 – Sharing CredentialsIf we share credentials (username, password, and/or pin), there is typically no way to establish a user’s identity since the methodology for authentication has been shared. Unfortunately, many devices, assets, and applications do not have good security concepts around identities, so administrators and users must share credentials to perform various tasks. This creates an auditing issue when the resource is accessed because the person or technology behind the access cannot be identified.
Identity Problem #2 – No Link Between Aliases and Real IdentityA second problem occurs with your identity if you have an alias. It is quite common for people to have a variety of aliases, from email addresses to usernames. Many times, they are formed from letters in your name, but for privacy or personal humor they could be anything else. What complicates the concept of aliases is when there is no obvious link to whom the real identity belongs. Correlating users for an audit across multiple aliases creates an exponential problem based on the number of users and their number of aliases.
Identity Problem #3 – Identity ChangesA third problem with identities is if your identity changes (yes, it can) or you have a personal alias. A typical identity change happens if you marry and you change your last name; either hyphenated or completely changed. Thinking back to our original analogy, this the same issue if “John” walked into another room and introduced himself as “Fred.” Finally, some people have aliases for their own reasons, some they created, others are nicknames, and others are given to them without their consent.
A Personal, Real World Example of These Identity ProblemsAs a security professional, I deal with the latter problem all the time and have been branded as John Titor. This is an alias that I cannot falsely embrace but could lead me to introduce myself as John, and people would actually believe me as well. Unfortunately, the nature of the internet, conspiracy theories, and hoaxes has led my identity to be linked to someone else (real or not). This is commonly known, regardless of how it happens, as some form of identity theft or identity impersonation. I cannot confirm (because I am not) or deny I am (because the accusers will not believe me) this alias without potentially participating in identify theft myself. The only thing I can do is ignore the situation and hope it stays manageable. It is a very weird problem to have and people with common names like John Smith deal with it all the time. Parents that name their children the same name commonly deal with this situation as well. Having a unique name is a benefit unless you have a well known alias. Your name, or alias, is not unique enough to confirm your identity without an additional method such as a photo, password, PIN or biometrics. Thus, stopping identity theft or impersonation is a bigger problem.
Best Practices to Secure Your IdentityWith these known flaws in the identification of a person’s identity, here are a few best practices to secure your identity and make sure it remains solely with you:
- Never share your identity authentication mechanisms with anyone else. These include credentials, ID cards, pins, or any other form or electronic or physical resource that confirms your identity. For example, you would never share your passport, right? So why share your username and password to your workstation or bank account?
- Minimize your aliases. This is primarily important for work; have all necessary aliases linked coherently back to your identity. At home, having goofy or non-identifiable aliases for email is acceptable but the more you have makes it even harder to personally manage. I personally recommend three: One for official business with banks and financial institutions. A second for correspondence, and third for spam, junk mail, and everything else.
- Keep all access unique. Your identity itself is unique and every link to a resource should be unique as well. This means you may use the same or similar alias (username) but the password should be unique per resource. This way any password re-use associated with your identity cannot be a risk by someone else stealing it and impersonating you. In addition, it allows for auditing and reporting on your identity to positively confirm or refute access.
Morey J. Haber, Chief Security Officer, BeyondTrust
Morey J. Haber is the Chief Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored three books: Privileged Attack Vectors, Asset Attack Vectors, and Identity Attack Vectors. He is a founding member of the industry group Transparency in Cyber, and in 2020 was elected to the Identity Defined Security Alliance (IDSA) Executive Advisory Board. Morey currently oversees BeyondTrust security and governance for corporate and cloud based solutions and regularly consults for global periodicals and media. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition where he served as a Product Owner and Solutions Engineer since 2004. Prior to eEye, he was Beta Development Manager for Computer Associates, Inc. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.