Identity

I Am

In 1637 Rene Descartes wrote "Je pence, donc Je suis" -  I think, therefore I am. Descartes was trying to assert his existence - his identity - from first principles. But things have changed a bit since then, and one of those changes is the Internet. Now, a first principle of identity might be, "I surf, therefore I Am", or "I login, therefore We are". As we leave our digital fingerprints across the cyber world. With each site visit and login exposing a different slice of who "we" are. And providing tantalizing targets for the trash that infests the Internet. 

These days, for IT folks, IAM stands for Identity and Access Management and is the foundation for identity-based cyber security. This "Identity" page on our site is about how we can leverage the best of modern IT to prove and protect our multitude of Internet identities from the criminals trying to steal them. 

Too long? Don't want to read the whole Page? Below are some take-aways from the other sections. A list of tools to help protect the Individuals, Families, and Home Businesses that comprise the Internet of Us.  And below that? An onion.

Lots of things are used to identify us - globally & uniquely. Some of these identifiers are more important, more personal, and more immutable than others. Things we know, have, or are. Sort of like an identity onion. 

And some of these identifiers can be used to identify us AND prove it - to  strangers that we trust to look after our stuff, around the world, over the Internet.

These special identifiers are gatekeepers to the Internet of Us and are dangerous in the wrong hands. They include eMail, Phone Numbers, and "Trusted Devices". And the first 2 are for sale in huge databases across the dark net to any crook who takes a liking to our stuff. 

We call these things Authenticators. But they should have a special name that combines Identifier & Authenticator.  Identicator? Read on to see some ways to protect these dangerous things.

Identity, Identifiers, Authentication, and the Scum of the Earth

Authentication is how we prove our identity when we login to an Internet service. Our identity in the service is tied to a unique login identifier, such as an email address, phone number, username, or account number. When we enter the login identifier, we prove that it's ours by also providing a password or some other authentication method that the service can validate.

We want authentication to be easy for us but hard for  "CyberScum" to attack.  Others call  these cyber-criminals "Bad Actors" but that doesn't capture the scope of the global evil they represent. They're from around the world, attack the entire world, and can innovate their attack methods at a blistering pace thanks to their global diversity and to their astonishing revenue. CyberScum are truly the Scum of the Earth.

If CyberCrime were a country its cost to the rest of us would make it the third largest economy on the planet, behind only the US and China. Thanks to unfettered global internet connectivity and this income & innovation, they're able to invest in the latest AI and other technologies and launch  millions of increasingly believable attacks every day against us, our families, and our businesses.

These criminal individuals and enterprises will do everything they can to impersonate us and steal and/or destroy our money, our memories, our reputations, and yes, our identities. Read on to see a few things that we can do to help thwart the attacks of CyberScum.

The Identifier Problem

To setup an online account we almost always need to provide our personal, globally-unique identifiers - emails and/or phone numbers - to create the account. This personal identifier becomes the account identifier on their system, and a required part of the login process - and on most other services we use on the Internet. This makes it very easy for us to remember the name of our account across the entire Internet -it's just our email or phone number. Services don't need to use these personal identifiers to log us in though. They could support identifiers specific to their service instead (like bank account numbers) but they don't.  

So what? Three things:

And what about simple privacy breaches? These universally-known personal identifiers also power simple privacy-breach spraying of our personal information. Here's an example . . .

A few years ago, Home Depot started offering customers the option to have  receipts emailed to them. Pretty convenient for us customers, right? Have an electronic record of what you bought and when, and what you paid for it. What could go wrong?  What they didn't tell consumers (as described by ITWorld Canada), is that they were also sharing some of this information with Facebook, to power their advertising program. And explicitly allowed Facebook to use that personal information any way they wanted. And Facebook is able to tie this Home Depot receipt to any matching Facebook accounts, because both Facebook and Home Depot used the same Universal Identifiers - our eMail. And of course Facebook could also combine this with all the other data feeds that were tagged with any of our Universal Identifiers to build a profile of us . . . 

. . .  which they could then  sell to others for advertising (and other?) purposes. So at Home Depot we were both the purchasers of the products they sold us, and the products they sold to Facebook without our knowledge or consent. Because of Universal Identifiers and  flawed privacy practices.

The Identifier Solution

So what can we do about this? 

Possible mitigations?

The Future?

Even future "Passwordless" Passkey technology doesn't deal with avoiding universal identifiers that double as our doors on the Internet. So we're probably stuck with this for the foreseeable future. 

Reality

The realistic solution to the identifier problem lies in the other components of how we authenticate - to everything.  Starting with Passwords ....

The Password  Problem

In a typical account login we enter an email or a phone number (an identifier) and then a password (an authentication) to prove that we own the account. We could have logins to hundreds of sites of vastly varying importance to us, each with a username and password that we need to keep track of, and have available when we need them. 

And we want this whole identity/password process to be as easy as possible and not get in the way of our busy lives. 

We're tempted to:

Where do we keep our list of passwords?

Remember the CyberScum? They love these strategies.

So we're told:

Back to the Password Problem:

Read on for part one of the solution .....

The Password Solution, Part One: Password Managers

What?

How?

Why?

We believe that a good, secure, password manager is the second most important tool we can get to protect our Cyber-selves. Get 1Password today!

Even more important?  

The Password Solution, Part Two: Multi-Factor Authentication

A password is a single factor that we use to prove our identity. But there are situations where we might need something stronger. Multi-factor (AKA two-step) authentication has been the solution for a while. But MFA comes with gotchas for the unwary and is hackable by the unscrupulous. 

Coming soon - see an overview of how we can tailor our Identity proofing to the situation by using Multi-factor Authentication. Maybe.

Coming soon - a more detailed description of MFA and its multitude of flavors so you can pick the poison that works for you. Maybe.

The Password Solution, Part Three: Passkeys - Identity Nirvana?

Passkeys are touted as the solution to Password problems. 

But they come with a bit of baggage

So what's the solution?

Why?

But ...