Page 136 - Cyber Defense eMagazine September 2022
Why identity and access are not the same
FIDO’s approach exposes a misguided confusion between identity and access. In essence, someone’s identity is composed of fixed, non-changing properties such as legal identity, work or study credentials and biometrics. Your legal identity gives you certain legal rights, such as the right to live in a country, to receive benefits and to travel to certain places, while your work and study credentials give you the right to work in regulated professions such as doctor or lawyer. Biometrics, such as your face, iris and fingerprint, are hard-coded, visible (and therefore non-secret) characteristics that you cannot change. None of the data connected to these attributes is hard to get, whether from leaked databases, such as the entire 45 million Argentinian digital ID database, or from photographs, such as those a benevolent hacker used to recreate the fingerprint of the current president of the EU Commission. What makes using identity particularly dangerous is the permanence of the theft: once stolen, data cannot be unstolen. You can change a password, but you cannot change who you are.
On the other hand, people long ago invented the concept of keys to grant access to certain places. The concept is simple: as long as you have the right key, you can open a certain door. It is completely independent of your identity, since keys can be transferred, shared or changed. In the physical world, you can have as many keys as you have doors to lock, so that losing one key only requires changing one lock.
Don’t use a single key for everything
In the physical world, people do not use a single key for all their doors. It would be extremely unsafe to have one single key to access everything from their house to their car to their office, since losing it would mean losing everything in one swoop. But in the digital world, people have been advised to use a single master password, biometric or PIN to access their digital assets. FIDO’s proposal is another illustration of the push to trade resilience for convenience. If people follow that advice, one attack could cause the loss of all of their accounts and data at once.
A lifetime of risk for a moment of convenience
When you start mixing biometrics and single access, things get worse. Imagine that you use your identity biometrics to access everything you own. Biometrics are a unique combination of 1s and 0s, which by the nature of digital information can be stolen. Not only would a thief be able to access every account you have, but the unique biometric data is permanently stolen, since you can’t change who you are. That means you will never be able to fully control your “digital identity” ever again. At any time in the future, the data you innocently gave away for access may be used without you ever knowing it, putting you in potentially illegal situations without your knowledge.
Copyright © 2022, Cyber Defense Magazine. All rights reserved worldwide.