Identity
I Am
In 1637 René Descartes wrote "Je pense, donc je suis" - I think, therefore I am. Descartes was trying to assert his existence - his identity - from first principles. But things have changed a bit since then, and one of those changes is the Internet. Now, a first principle of identity might be, "I surf, therefore I Am", or "I login, therefore We are", as we leave our digital fingerprints across the cyber world, with each site visit and login exposing a different slice of who "we" are - and providing tantalizing targets for the trash that infests the Internet.
These days, for IT folks, IAM stands for Identity and Access Management and is the foundation for identity-based cyber security. This "Identity" page on our site is about how we can leverage the best of modern IT to prove and protect our multitude of Internet identities from the criminals trying to steal them.
Too long? Don't want to read the whole Page? Below are some take-aways from the other sections. A list of tools to help protect the Individuals, Families, and Home Businesses that comprise the Internet of Us. And below that? An onion.
Antivirus and ransomware protection: Sophos Home Premium
Password & Identity protection: 1Password
Multifactor Authentication App: Authy
Security key: Coming soon ...
Virtual Private Network (VPN): Coming soon ...
Home Network Scanner: Coming soon ...
Lots of things are used to identify us - globally & uniquely. Some of these identifiers are more important, more personal, and more immutable than others. Things we know, have, or are. Sort of like an identity onion.
And some of these identifiers can be used to identify us AND prove it - to strangers that we trust to look after our stuff, around the world, over the Internet.
These special identifiers are gatekeepers to the Internet of Us and are dangerous in the wrong hands. They include eMail, Phone Numbers, and "Trusted Devices". And the first two are for sale in huge databases across the dark net to any crook who takes a liking to our stuff.
We call these things Authenticators. But they should have a special name that combines Identifier & Authenticator. Identicator? Read on to see some ways to protect these dangerous things.
Identity, Identifiers, Authentication, and the Scum of the Earth
Authentication is how we prove our identity when we login to an Internet service. Our identity in the service is tied to a unique login identifier, such as an email address, phone number, username, or account number. When we enter the login identifier, we prove that it's ours by also providing a password or some other authentication method that the service can validate.
We want authentication to be easy for us but hard for "CyberScum" to attack. Others call these cyber-criminals "Bad Actors" but that doesn't capture the scope of the global evil they represent. They're from around the world, attack the entire world, and can innovate their attack methods at a blistering pace thanks to their global diversity and to their astonishing revenue. CyberScum are truly the Scum of the Earth.
If CyberCrime were a country its cost to the rest of us would make it the third largest economy on the planet, behind only the US and China. Thanks to unfettered global internet connectivity and this income & innovation, they're able to invest in the latest AI and other technologies and launch millions of increasingly believable attacks every day against us, our families, and our businesses.
These criminal individuals and enterprises will do everything they can to impersonate us and steal and/or destroy our money, our memories, our reputations, and yes, our identities. Read on to see a few things that we can do to help thwart the attacks of CyberScum.
The Identifier Problem
To set up an online account we almost always need to provide our personal, globally-unique identifiers - emails and/or phone numbers - to create the account. This personal identifier becomes the account identifier on their system and a required part of the login process - and the same is true on most other services we use on the Internet. This makes it very easy for us to remember the name of our account across the entire Internet - it's just our email or phone number. Services don't need to use these personal identifiers to log us in though. They could support identifiers specific to their service instead (like bank account numbers) but they don't.
So what? Three things:
It's also easy for CyberScum to know what our account name will be - everywhere. We're telling them exactly where we live on pretty much every service we use on the Internet. Great targeting information for their AI-bot-powered attacks on us.
Even more troubling, these aren't just unique identifiers. These "IDs" also define exactly how anyone on the planet can attempt to contact us - they're conduits to our telephones, messaging, and in-boxes. Even better targeting information for the latest innovative AI-based phishing campaign. Which, by the way, can use those same identifiers to scrape our context from other sites and social media posts to craft believable stories and suck us in.
And that's not all. Our multitudinous Internet services use these same identifier-based contact channels to communicate with us and confirm our identities. And to act as "back-doors" for account recovery procedures when we forget our login credentials. These email accounts and phone numbers act as our Identity Services for all the other services we use, are not anonymized in any way, and are published everywhere. What better target could there possibly be for CyberScum to attempt to take over, than the very phone & email accounts that are central to our Internet identification AND our identity proofing. And who owns those phone number keys to our accounts when we get rid of a phone and the provider re-cycles the number to someone else?
And what about simple privacy breaches? These universally-known personal identifiers also power simple privacy-breach spraying of our personal information. Here's an example . . .
A few years ago, Home Depot started offering customers the option to have receipts emailed to them. Pretty convenient for us customers, right? Have an electronic record of what you bought and when, and what you paid for it. What could go wrong? What they didn't tell consumers (as described by ITWorld Canada), is that they were also sharing some of this information with Facebook, to power their advertising program. And explicitly allowed Facebook to use that personal information any way they wanted. And Facebook is able to tie this Home Depot receipt to any matching Facebook accounts, because both Facebook and Home Depot used the same Universal Identifiers - our eMail. And of course Facebook could also combine this with all the other data feeds that were tagged with any of our Universal Identifiers to build a profile of us . . .
. . . which they could then sell to others for advertising (and other?) purposes. So at Home Depot we were both the purchasers of the products they sold us, and the products they sold to Facebook without our knowledge or consent. Because of Universal Identifiers and flawed privacy practices.
The Identifier Solution
So what can we do about this?
Realistically, not much - that horse has long departed the barn.
Possible mitigations?
Service providers could stop using our email and phone numbers as account identifiers. That's pretty unlikely.
If we have the time, skills, and money we could set up lots of additional and "alias" email accounts to maybe solve some of the problem. But then of course we'd need to track which email account or alias we used for which service account as well as the password. That whole process might segment the scale of our exposure but could be pretty painful and probably won't solve the anonymity problem.
Email service providers could support alias eMail addresses (attached to a real email account) that allowed sending and receiving email, but not logging in. This would at least help to anonymize & protect the actual email "Identity" account. Google Workspace supports this for business accounts but consumer support is spotty. And it's not the kind of thing everyone wants to spend time on to figure out.
The Future?
Even future "Passwordless" Passkey technology doesn't deal with avoiding universal identifiers that double as our doors on the Internet. So we're probably stuck with this for the foreseeable future.
Reality
The realistic solution to the identifier problem lies in the other components of how we authenticate - to everything. Starting with Passwords ....
The Password Problem
In a typical account login we enter an email or a phone number (an identifier) and then a password (an authentication) to prove that we own the account. We could have logins to hundreds of sites of vastly varying importance to us, each with a username and password that we need to keep track of, and have available when we need them.
And we want this whole identity/password process to be as easy as possible and not get in the way of our busy lives.
We're tempted to:
Create short passwords that are easy to type
Create passwords that are easy to remember ("password" anyone?)
Re-use them on lots of sites
Come up with password patterns that we can remember and then create variants for each site
Where do we keep our list of passwords?
Sticky notes, pieces of paper, or a password book that we might lose or lend to someone else, or that others might find by mistake
In computer documents or spreadsheets that may be backed up in multiple places, go missing, or end up in the wrong place?
On or in anything that isn't with us when we need it to login?
In browser password managers that might be syncing data to who knows how many other devices? And to a central account, run by an advertising company whose main product is not password managers but selling our personal information? Where they are captive, locking us in to a single browser.
Remember the CyberScum? They love these strategies.
Tens of Billions of username/password pairs that have been hacked from Internet sites are available on the dark web. That's billion, with a "B" - many times the human population of the planet.
They know about using password patterns. And have algorithms that solve them.
If we reuse the same password on multiple sites and even one of those sites is hacked, they know what identifier & password (or password pattern) to start with to try accessing our data or stealing our identity on other sites.
Even if the stolen passwords are encrypted, short, easy-to-guess passwords can be cracked in seconds.
And those browser password databases? They have malware programs that specifically target them and call home with their contents
And because we're forced to use our personal email and phone identifiers for these accounts, they already have what they need to use bots to try and brute-force or phish other login credentials from us using text messages, phone calls, and eMail
So we're told:
Use strong passwords. At least 12 totally random characters, or 20 characters that we make up ourselves and which include special characters but not common words
Use a unique password for every one of our sites
Change them at least once per year
Don't write them down. Store and share them securely
Don't let yourself be Phished. Never tell CyberScum what your passwords are. No matter how believable the story their AI assistants concoct.
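As an added example (not part of the original page), here is a small Python audit that puts the warnings and advice above into practice: it flags short, reused and pattern-variant passwords in a constructed sample vault, and shows the entropy and rough exhaustive-search time behind the "12 totally random characters" rule. The offline guessing rate and the prefix-based pattern check are assumptions of this example, not figures from the page.

```python
import math
import secrets
import string
from collections import defaultdict

# Symbol pool behind the "12 totally random characters" advice: 94 printable ASCII symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation
# Assumed offline guessing rate against a leaked fast-hash database (illustrative, not from the page).
GUESSES_PER_SECOND = 1e11

def generate_password(length=12, alphabet=ALPHABET):
    """Draw `length` independent symbols from the OS CSPRNG (secrets, never random.random())."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

def entropy_bits(length, pool_size=len(ALPHABET)):
    """Entropy of `length` uniformly random symbols from a pool of `pool_size` candidates."""
    return length * math.log2(pool_size)

def expected_crack_seconds(length, pool_size=len(ALPHABET), rate=GUESSES_PER_SECOND):
    """Average exhaustive-search time: half the keyspace divided by the guess rate."""
    return pool_size ** length / 2 / rate

def audit_vault(vault, min_length=12, pattern_prefix=8):
    """Flag the habits the page warns about in a {site: password} mapping: short passwords,
    one password reused on several sites, and per-site variants of one memorised base
    (approximated here as passwords sharing their first `pattern_prefix` characters)."""
    findings = defaultdict(list)
    by_password, by_prefix = defaultdict(list), defaultdict(list)
    for site, pw in vault.items():
        if len(pw) < min_length:
            findings[site].append("too short")
        by_password[pw].append(site)
        by_prefix[pw[:pattern_prefix]].append((site, pw))
    for sites in by_password.values():
        if len(sites) > 1:
            for site in sites:
                findings[site].append("reused")
    for group in by_prefix.values():
        if len({pw for _, pw in group}) > 1:  # same base, different site-specific endings
            for site, _ in group:
                findings[site].append("pattern variant")
    return dict(findings)

# Constructed sample vault: each bad habit from the page next to one properly generated password.
SAMPLE_VAULT = {"bank": "Summer2023!bank", "shop": "Summer2023!shop", "forum": "password",
                "mail": "password", "backup": "wP4!xq9#Lm2&Ks7@vR1z"}  # last one fixed for repeatability

if __name__ == "__main__":
    print(audit_vault(SAMPLE_VAULT), f"{entropy_bits(12):.1f} bits",
          f"{expected_crack_seconds(12) / 31_557_600:.3g} years", generate_password())
```

At the assumed rate, eight lowercase letters fall in about a second while twelve random symbols from the full pool take tens of thousands of years, which is the gap the "12 totally random characters" rule is about.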
Back to the Password Problem:
How can we create and manage unique un-hackable passwords for each of the hundreds of places we might need them?
Where can we quickly & securely store, access, & update them, wherever & whenever needed?
How can we easily and securely share them when needed?
Is a simple password good enough to protect our stuff? How do we protect access to internet accounts with the right level of identity proofing, depending on the sensitivity/importance of the account?
How can we avoid being conned into giving away our access credentials?
Read on for part one of the solution .....
The Password Solution, Part One: Password Managers
What?
Make it easy to securely create, use, and share hundreds of secure, strong passwords.
How?
Use a real Password manager. Get 1Password.
Why?
They're a Password Company, not an Advertising, Office Productivity, Hardware, or Other Services company focused on selling other stuff to us. Or our personal information to anyone who'll pay them. 1Password is the product, not us.
Their very existence depends on bulletproof security. They can't access our passwords if we use a good password for that 1 Password (for 1Password itself), and neither can CyberScum - even if they were able to hack into 1Password's servers.
It's regularly recognized as the best Password Manager, not only by us but also by well-respected tech reviewers such as Wired and the NY Times Wirecutter. Capable of classifying, tagging and searching our password list, automating logins, and even checking the dark web for hacked versions of our credentials.
It can create unique, un-hackable passwords for every one of our online accounts, and we can securely access it on, and sync it between, all our systems: Macs, PCs, Apple iStuff, & Android devices. And in all the mainstream browsers that run on them.
It has an excellent Family plan. And they've thought of the ways family members may need to share passwords and other critical information and built this into their product and processes.
They've given a lot of thought to our user experience and have built a documentation and support eco-system to support the kinds of situations that we'll likely encounter when dealing with access to our stuff. Even the long-promised move to a "Passwordless" future.
They don't lock us in and hold our information ransom. They actively support exporting our info to other systems and give tips on how to do it securely. And they even allow us to continue to access our existing info on their system if we cancel our subscription - or have it securely deleted. The choices are ours.
We're customers, not products.
We believe that a good, secure, password manager is the second most important tool we can get to protect our Cyber-selves. Get 1Password today!
Even more important?
Install an anti-virus solution everywhere we can.
If CyberScum gets a foothold on our internal systems all bets are off for our CyberSecurity. Everywhere. Even the best home anti-virus system and password manager may not provide perfect protection, but we need to do everything we can to keep them out. And this is the first step.
For individuals, families, and home businesses we recommend Sophos Home Premium.
The Password Solution, Part Two: Multi-Factor Authentication
A password is a single factor that we use to prove our identity. But there are situations where we might need something stronger. Multi-factor (AKA two-step) authentication has been the solution for a while. But MFA comes with gotchas for the unwary and is hackable by the unscrupulous.
Coming soon - see an overview of how we can tailor our Identity proofing to the situation by using Multi-factor Authentication. Maybe.
Coming soon - a more detailed description of MFA and its multitude of flavors so you can pick the poison that works for you. Maybe.
The Password Solution, Part Three: Passkeys - Identity Nirvana?
Passkeys are touted as the solution to Password problems.
Un-hackable. They're like super-strong passwords that even the services can't guess.
Un-phishable
But they come with a bit of baggage
It will take years (decades?) to replace passwords with passkeys. How will you keep track of what you used, where?
Vendor lock-in? Want to be forced into Apple, Google, or Microsoft's eco-system?
Biometric fragility, failure, immutability
Trusted device/authenticator dependence
Added complexity! How do we keep track of all this?
So what's the solution?
Use a real Password manager. Get 1Password.
Why?
One secure place to manage all your passwords, MFAs, and passkeys
That works where you do - Macs, PCs, Phones, Tablets, and Browsers
But ...
It's not a complete security solution. Also install an anti-virus solution everywhere you can.
For individuals, families, and home businesses we recommend Sophos Home Premium.
If CyberScum gets a foothold on our internal systems all bets are off for our CyberSecurity. Everywhere. Even the best home anti-virus system and password manager can't provide perfect protection. But we need to do everything we can to keep the CyberScum out. And these are the first steps. Then migrate your passwords to passkeys as the system becomes available in 1Password and all your online services.