Page 136 - Cyber Defense eMagazine September 2022

Why identity and access are not the same

FIDO’s approach exposes a misguided confusion between identity and access. In essence, someone’s identity is composed of fixed, unchanging properties such as legal identity, work or studies credentials and biometrics. Your legal identity gives you certain legal rights, such as the right to live in a country, to receive benefits and to travel to certain places, while your work and studies credentials give you the right to work in certain regulated professions such as medicine or law. Biometrics, such as your face, iris and fingerprint, are hardcoded, visible – and therefore non-secret – characteristics that you can’t change.

None of the data connected to these attributes is hard to get, whether from leaked databases such as the entire 45 million-entry Argentinian digital ID database or from photographs, such as the ones a benevolent hacker used to recreate the fingerprint of the current president of the EU Commission. What makes using identity for access particularly dangerous is the permanence of the theft. Once stolen, data cannot be unstolen. You can change a password, but you cannot change who you are.

On the other hand, people long ago invented the concept of keys to grant access to certain places. The concept is simple: as long as you have the right key, you can open a certain door. It is completely independent of your identity, as keys can be transferred, shared or changed. In the physical world, you can have as many keys as you have doors to lock, ensuring that losing one key only requires changing one lock.

Don’t use a single key for everything

In the physical world, people do not use a single key for all their doors. It would be extremely unsafe to have one single key to access everything from their house to their car to their office, since losing it would mean losing everything in one swoop. But in the digital world, people have been advised to use a single master password, biometric or PIN to access their digital assets. FIDO’s proposal is another illustration of the push to trade resilience for convenience. If people follow that advice, it means one attack could cause the loss of all of their accounts and data at once.

A lifetime of risk for a moment of convenience

When you start mixing biometrics and single access, things get worse. Imagine that you use your identity biometrics to access everything you own. Biometrics are a unique combination of 1s and 0s which, by the nature of digital information, can be stolen. Not only would a thief be able to access every account you have, but the unique biometric data is permanently stolen – since you can’t change who you are. That means you will never be able to fully control your “digital identity” ever again. Any time in the future, the data you innocently gave away for access may be used without you ever knowing it, putting you in potentially illegal situations without your knowledge.
            Copyright © 2022, Cyber Defense Magazine. All rights reserved worldwide.