Securing the Future of Digital Identity

So it's great to be back at IC again this year. I always learned so much at this conference being a newbie to identity only three years in. Of course, that's a newbie among all of you. It's always great to meet new people and learn new things. At this event today, I'm gonna be talking about the future of identity and the role that distributed identity may play in securing organizations and the people that they interact with. I guess I need this thing, don't I? So if we think back, there's been significant changes over the course of the last 30 years, right? If we go back to the nineties, we were probably at least some of us logging into bulletin boards using yes usernames and passwords. We then go on to the early two thousands where the internet became more pervasive and we were logging into things like our Hotmail account using usernames and passwords.
It's now 30 years later, we're logging into some of the most sophisticated systems on the planet using yes usernames and passwords. Our approach to securing our identity hasn't evolved that much over the course of 30 years. Many people still rely on usernames and passwords. Many organizations still rely on usernames and passwords, although in many cases, hopefully they're leveraging some secondary form of verification like MFA that said the adversary. Those people who are attempting to steal our identities have con continued to evolve the methods that they use, and they've become increasingly sophisticated in their approach to potential to, to hacking into organizations and stealing people's identities. Now, what is the challenge that we've got? And the challenge is that we really haven't solved the basic problems around authenticating people with usernames and passwords. Usernames and passwords are rich targets. The recent Verizon DBI report indicates that about 80% of all breaches start with compromised credentials.
If you can get your hands on the username and password or other credentials of individuals within the corporation, it likely gives you a path and a world of possibilities in that organization. Now, weak passwords are also a major problem because people don't take passwords seriously. They tend to use weak passwords and often reuse passwords. Easy passwords make tools like password crackers, extre, extremely effective, and frankly, in many cases, all hackers have to do is make an educated guess to be able to compromise a password. Now, according to a Google Harris poll from 20 21 52 PERS Respo, 52% of respondents to that poll reused their passwords for multiple accounts. Another 13% used the same password for every single one of their accounts, which means about 65% of their respondents, which I wish, I felt like that was probably an anomaly, but it probably isn't. 65% reused passwords. Now, we add to that, that they're not only using their passwords over and over again, they're using weak passwords. An organization named Cyber News does a poll every couple of years where they identify the top 10 most frequently used passwords. They refresh that in April of 2023.
The top 10 passwords are astonishingly naive. One might be harsh and say, bordered on stupid. Number one is 1, 2, 3, 4, 5, 6. Number two, they get a little more creative and they add seven and eight. Number three is the word quirky. Number four is brilliant. The word password, all lowercase, and the next six are only slights a name. How are we surprised that identities get compromised? Now, add to that another organization, and lemme make sure I get this name, good firms did a survey where they identified that 30% of their respondents reported that they had had their identities compromised as a result of the breach, and it was directly related to weak passwords. So despite, despite the fact that 30%, somewhere in that neighborhood of people have had their passwords cracked, they've had a compromise of their identity as a result of that, they're still using 1, 2, 3, 4, 5, 6. It's quite amazing.
Now, the second challenge we have is centralized identity stores. If as a hacker, I know that I can breach a centralized identity store and capture tens of millions of records of data, that is a very attractive target for me. Now, new privacy laws are helping organizations kind of put some rules around how they store data, where they store data, et cetera. But these giant data, centralized data stores really are rich targets for hackers. And a great example of this is the Equifax breach of 2017. And I know it's an old breach, right? Should do something current. But it's such a good example of a data store that was breached that resulted in tens of millions of records being stolen by hackers. Now, if we think about that breach, Equifax is a credit bureau in the United States. They hold very sensitive data on tens of millions of Americans as well as foreign nationals.
And this particular breach information like social security numbers, financial information, loan data addresses, birthdates, you name it, were compromised. There were 147.9. I don't know where the 0.9 person came from, but 147.9 million Americans data was compromised. 15 million approximately British citizens data was compromised, and 19,000 Canadians data was compromised in a single breach. Now, we know that credit bureaus are not the only organizations that have large stores of data within their organization. Governments, large companies, all have these data stores, and we know that they're significant targets when it comes to hackers. Now, we also know that we have poor memories sometimes in companies. These large data stores tend to get out of date, they get stale. It's almost impossible for people to remove themselves from these, those data stores. And that becomes a challenge over time as the information there continues to get stale and organizations are held accountable by oftentimes regulatory agencies or governments for making sure that that information gets kept up to date.
Now, as we move on, we also have to contend with ai can't have a presentation nowadays without at least mentioning ai. But if we think about our role as identity experts and vendors and and experts, professionals, we've gotta think about the fact that we're leveraging AI for good, but it's being equally leveraged for bad from our adversaries. We rely on the integrity of assets like pictures, like biometrics, like people's voices. And yet with ai, it's becoming increasingly information increasingly easy to create disinformation that really undermines the potential validity of some of those assets. This is an example of a picture, a photo of President Macron at a protest. It was made in minutes using a product called Mid Journey. It is a complete and total fake. It's just a great example of how misinformation can be created in a way that it looks very, very real.
Now, when we think about the identity space, I like to use the example of voice verification. Voice synthesizers are now becoming fairly prevalent and in the identity industry, we often use voice verification as a way of determining that someone is who they say they are. Often used in call centers or in banks, when someone calls in and wants to get access to their account, they'll use voice verification as one of the attributes that they may use to determine that this is a verified and valid inquiry. The problem we have now is that if you have, if a hacker or a cyber criminal has a pretty good quality audio of your voice, they can literally create a replica of that voice, a synthesized version of your voice in minutes. Now, the good news is a lot of the vendors that are actually biometric vendors are working on ways that they can thwart and identify voice synthesized voices.
So for those of you who are using those kinds of biometrics, your vendors are already ahead of the game working on algorithms that will allow them to identify a synthesized voice. But this is gonna be our reality going forward. This is the beginning of how individuals will leverage AI to kind of get around our security controls. Now, how are we supposed to secure ourselves and our organizations in light of this data? What if end users themselves could help shoulder the burden of managing their identity, maybe taking control of their own identity? Now, there's really two options today, detection and protection, and let's dig into each of those just a little bit. Now, in the last couple years, we've heard a lot about detection and response, whether it be from endpoint to network to extended detection and response in the last year or two, identity detection and response. Now, I tdr, in my opinion, is an acknowledgement that data and credentials of individuals is most often held by large organizations, and it's incumbent on those large organizations to secure that data. I tdr or extended detection and response, any of these detection and response capabilities are one of the ways in which they're doing that.
Now, the problem with detection is if you're detecting something, it's likely already in process or it already happened. The next step is cleanup. So the problem is that I T D R is inherently a reactive approach to dealing with this problem. Now, if we think about protection as security professionals, we know that we will never be able to protect against everything. As soon as we figure out what the cyber criminals are up to and we identify a control that we can put in place to help fort their activity, they figure out a new and novel way to circumvent those security controls. I used to work with a CISO who said, you've either been breached, you either, you either know you've been breached or you're breached and you don't know it. Now for the CISOs in the world, I think you all have to live in this world of always anticipating the worst possible scenario, and he certainly was was an example of the pessimist that really thinks about what are all the possible things that could happen.
Now we have to protect users, and users have to help protect themselves. The answer at least one of the answers to this protection paradigm, I think, is decentralized identity. Because credentials are issued by organizations and they can be revoked by those same organizations, the data tends to be more current and fresh over time. If verifying my identity is predicated on me providing a verified credential, rather than giving them the last four digits of my social security number, my mother's maiden name or my birthdate, then the ability for someone to essentially successfully perpetrate a account takeover or a fraudulent act is reduced. So I, tdr and decentralized identity are different approaches. However, they're highly complimentary. DCI is essentially a way for improving security and privacy by reducing an org's reliance on large data stores. And in the event of a breach of central of a centralized database, I tdr allows an organization to detect and respond to an attack while d c allows for individuals to essentially get backup and running without reliance on a central database. Now, what are verifiable credentials? There are critical element that's gonna be required in order to make decentralized identity a reality.
Verifiable credentials are digital credentials that can be cryptographically verified to ensure the AU authenticity and integrity of integrity, providing a secure and tamper-proof way to validate someone's identity or qualifications, they contain information about an individual's id, personal identity, things like biometrics or biographics, things like affiliations. What are their employment or contractor status, maybe their memberships, things like eligibility. What are their entitlements, permissions and privileges? What are their achievements? That could be their educational degrees. It could be their professional certifications, and it can provide extended attributes as well. Things that define how and when they can use that credential. Should Candace be in the building today? How long it can be used? Even information about what was the verification process that the individual went through in order to get the verified credential? They're stored in a digital wallet and that wallet is controlled by the individual and the individual gets to decide then who they share those credentials with.
It's really changing the paradigm from organizations controlling the identity of individuals to identity, being handed to individuals to determine who and when it gets shared. When a verifiable credential is shared with a third party such as an employer or an educational organization, it's been cryptographically verified. This ensures that the credential hasn't been tampered with and can continue to be trusted. The third party can then rely on the authenticity of the credential to make decisions about that individual's qualifications and identity. One of the key benefits of verifiable credentials is that they allow individuals to maintain control over their personal information and identity. Individuals can choose with whom and when to share that information, and this provides more privacy and control for the individuals. Now, if we move on, how do credential issuances work? They start with a new or if a already authorized user, the first thing the issuer needs to do is make sure that it's Candace and ensure that she's present aka through some sort of verification, perhaps a selfie matching. This requires a wallet pairing to make sure that the credential ends up in the right wallet and can only be held in that wallet and presented from that wallet to be valid. You then take some of the attributes from that verification. You combine them with newly minted attributes, maybe like a bank account, and essentially you issue a DI digital certificate or a digital credential, excuse me. The digital credential is then signed cryptographically using the private key, and at that point you can provision the credential using the user's wallet.
So let's take this opportunity to show a quick video. Hopefully. There we go. This is showing you exactly kind of how a verification process would transpire.
So I wanna thank Daryl Go, who's the product manager for Neo at Ping Identity for being the rockstar in this particular video for us. Now, very quickly, a wallet is a software application that allows a U user to manage their identity and personal information securely. Unlike traditional systems where individuals must rely on the third party to verify and manage their identity with a digital wallet, the individual can do that themselves. Now, digital wallets have to be and will continue to be secure by design. They're very attractive and will continue to be attractive to hackers. Digital wallets use the Secure Enclave feature found in most mobile devices. Specifically the Secure Enclave is a hardware based security feature of its available on wind, excuse me, on Apple and mobile phones. And the advantage of is of it is that it stores things like cryptographic keys, biometrics, and other sensitive information separately on the device from where you have the main processor and memory. So it is an extremely secure environment.
Now, identity is the new edge, and as we think about identity, if a bad actor can compromise the identity of an organization, the username and passwords, it gives them access to very critical data and intellectual property. We also know that centralized data stores increase the risk of potential loss of data. As a result of having lots of data in a single location, we've seen privacy regulations increase and we continue to see them evolve over time. And when organizations are subject to those regulations, it does in fact increase their risk and their cost associated with securing that data. So it took us 20 years to get to where we are today with identity systems, and we're not naive enough to believe that we're gonna wake up tomorrow morning and centralized identity is gonna solve all of our problems and be this utopian solution for identity. However, the skeptics are gonna say, products are not ready, standards are still evolving, use cases are being developed. That said, the shift is happening, and it's not a matter of if decentralized identity will become a reality, it's a matter of when. So my recommendation is if you haven't started with decentralized identity yet it's time to think about decentralized identity today. Thank you so much.