How continuous and tightly coupled binding of real identity, authenticators, and entitlements enables convenience and high assurance in moments that matter.
As the lines between our digital and physical worlds continue to blur, it’s hard to prove who we are and what we are entitled to do in daily interactions.
Each of us has a single real identity and, in all likelihood, dozens or even hundreds of digital identities. When we sign up for a digital service, we’re often given the option of using an existing digital identity (e.g., “Sign in with Google”) or of manually entering information to create a new one within that application, platform, or service provider ecosystem.
In either case, one point of the sign-up process is to associate a digital identity with a real person. The level of importance of getting this right varies based on the job to be done. For example, some organizations may merely want to collect accurate user demographics, whereas others may be beholden to Know Your Customer (KYC) regulations. In the former scenario, the consequences of an error are relatively minor; in the latter scenario, the consequences may be dire.
But how do organizations gain the necessary assurances that a new user really is who they claim to be? Or that a returning user is the same person who created the account, and not a threat actor masquerading as the account holder?
How organizations assign entitlements
Determining who may legitimately access systems and accounts, hold privileges, and be eligible to receive specific benefits can be complicated. Organizations typically use a combination of approaches to ensure they get this right. These can include:
- Identity verification/proofing
- Authentication
- Authorization
Identity verification/proofing
Using terms from the National Institute of Standards and Technology’s (NIST) Digital Identity Guidelines, identity verification (often used synonymously with “identity proofing”) aims to ensure that a user’s “claimed identity” matches their “actual identity.”
Identity verification is most frequently applied:
- At the beginning of an identity lifecycle (e.g., during account creation/registration or user onboarding)
- As an extra safeguard during high-risk/high-value transactions
Typically, identity verification will involve one or a combination of:
- Biometrics
- Trusted documents (e.g., photos, scans, or even physical confirmation)
- Knowledge-based ‘quizzes’ (e.g., mother’s maiden name, or name of first pet)
- Background checks
Each method comes with its own set of benefits and drawbacks, which influences its practicality for different purposes. For example, knowledge-based approaches can be performed cheaply and in real time. However, with a plethora of social media platforms, public databases, professional networking sites, look-up services, and — unfortunately — dark web dumps of sensitive data, it’s quite easy for threat actors to employ open-source intelligence (OSINT) tactics to acquire the knowledge needed to pass the verification process. We are all increasingly vulnerable to bad actors using this approach.
In contrast, background checks provide stronger assurances but are considerably more expensive to conduct and — depending on their depth and any backlogs — may take days, weeks, or even months to complete.
Authentication
Authentication has a similar aim to identity verification (i.e., establishing with a sufficient degree of confidence that a person or entity is who they are claiming to be), but differs in a few ways. Whereas identity proofing is performed rarely (e.g., at account creation, during onboarding, or to safeguard high-risk transactions) and can sometimes take a long time, authentication is typically performed:
- Frequently (e.g., every few days, after a period of inactivity, or perhaps every time a user interacts with a particular service)
- In real time
Authentication is usually handled by Identity and Access Management (IAM) systems, using one or more of several techniques:
- Username and password pairs
- One-time passcodes (OTPs) sent to a registered authenticator service, device, email address, or phone number
- Biometrics
Generally, the IAM system allows users or administrators to enroll in, and even enforce the use of, different authentication factors. Multifactor authentication (MFA) is intended to vastly increase the burden on attackers, albeit at the expense of a slight negative impact on user convenience, by employing two or more authentication factors:
- Knowledge-based factor: something a user knows
- Inherence factor: something a user is (e.g., biometrics)
- Possession factor: something a user has (e.g., a registered device)
Authorization
While identity verification and authentication pertain to who a person or entity is, authorization is the process of determining what someone is permitted to do. Behind the scenes, a user’s authorization is usually expressed in the form of controls or entitlements that restrict or grant access.
Such controls are typically managed by an IAM system and govern a user’s ability to view, edit, or comment on files, to use particular features within an application, to grant privileges to other users, etc. In the wider context of digital identities and the ‘real world,’ entitlements extend to privileges including:
- Power of Attorney (PoA), Delegated Financial Authority (DFA), and other legal roles
- Access to age-restricted content, services, etc.
- Occupational licensing
- Company directorship
All of these types of entitlements are cumbersome to prove today, as certification of documents may require physically shipping them or bringing them to in-person appointments — both of which create friction and extend process timelines.
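The two points above that are easiest to get wrong in practice are that MFA requires factors from two or more distinct categories (a password plus a security question is still a single knowledge factor) and that an entitlement should be gated on both the proofing done at onboarding and the strength of the current authentication. The following is an added illustration, not MATTR's code; the authenticator-to-factor mapping, the `Session` and `Entitlement` shapes, and the assurance rules are constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "something the user knows"
    INHERENCE = "something the user is"
    POSSESSION = "something the user has"


# Constructed mapping: which factor category each authenticator type supplies.
AUTHENTICATOR_FACTOR = {
    "password": Factor.KNOWLEDGE,
    "security_question": Factor.KNOWLEDGE,
    "otp_device": Factor.POSSESSION,
    "registered_device": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
}


def distinct_factors(authenticators):
    """Return the set of factor categories covered by the presented authenticators."""
    try:
        return {AUTHENTICATOR_FACTOR[a] for a in authenticators}
    except KeyError as exc:
        raise ValueError(f"unknown authenticator type: {exc.args[0]}") from None


def is_multifactor(authenticators):
    """MFA = two or more *distinct* categories; two knowledge factors do not count."""
    return len(distinct_factors(authenticators)) >= 2


@dataclass(frozen=True)
class Entitlement:
    name: str
    requires_proofing: bool  # must the holder's real identity have been verified?
    requires_mfa: bool       # must this session be multifactor-authenticated?


@dataclass(frozen=True)
class Session:
    identity_verified: bool  # outcome of identity proofing at onboarding
    authenticators: tuple    # authenticator types presented for this session


def authorize(session, entitlement):
    """Grant only when proofing and authentication both meet the entitlement's bar."""
    if entitlement.requires_proofing and not session.identity_verified:
        return False, "identity not proofed"
    if entitlement.requires_mfa and not is_multifactor(session.authenticators):
        return False, "single-factor session"
    return True, "granted"
```

Binding the decision to both the proofing record and the live authenticators is what lets a low-risk entitlement (commenting on a file) stay convenient while a high-risk one (acting under Power of Attorney) demands the full set of assurances.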
Increasing convenience and assurance with TrustTech
In most organizational and industry contexts, the three functions outlined above are siloed and disjointed. These fractures can contribute to poor user experiences and low identity confidence, and — more seriously — can open attack vectors that increase the risk of data breaches and fraud.
TrustTech offers a solution.
Existing at the fabric layer, TrustTech can provide continuous and tightly coupled binding of real identity, authenticators, and entitlements (along with other assurances). Crucially, this binding applies at every part of the trust lifecycle, enabling:
- Convenient and high-assurance experiences in critical moments
- Reduced risk, fraud, and compliance burdens
- Consistent and streamlined cross-channel experiences
- Portability of information, assurances, and entitlements — including into partner channels
- Significant cost reductions resulting from less duplication and ‘re-proofing’
Importantly, introducing TrustTech doesn’t require ripping and replacing your existing identity stack; rather, TrustTech seamlessly embeds trust into your existing solutions, leveraging an array of standards to add the value of high assurance to what you already do.
MATTR’s approach allows you to incorporate new capabilities to support full Trust Lifecycle Management. Through our work on a range of complex trust problems with clients around the world, we have a deep understanding of the considerations across the different layers of trust to improve security and lead to better, simpler, and more convenient experiences.
The MATTR approach puts the control back into the hands of businesses and people, giving them the tools they need to have confidence that they can prove things about themselves in everyday interactions and at moments that matter to them.
Interested in learning more?
Trust is truly transformative. Trust allows us to:
- Remove the frustration of double-checking information (including about our real identities)
- Speed up processes and reduce the effort required to establish the assurances needed to meet compliance requirements
- Create new value in the form of better, less stressful, more convenient experiences for everyone
- Provide stronger protections in increasingly high-risk operating environments
To learn more — about TrustTech in general and about how MATTR's solutions can strengthen and improve your business outcomes — please explore our website or get in touch.