TrustTech — Shaping Secure Identities (Part 3)

G+D Ventures
9 min read · Aug 7, 2023


Robust identity solutions are more necessary than ever in today’s digital world where identities can be easily manipulated and fabricated. Think about it for a moment. Every day, we interact with others through various online platforms, from social media to email and even virtual meetings. Yet, can we really trust that the person on the other end is who they claim to be? As technology advances at an unprecedented pace, so does the ability to deceive and manipulate. Deep fakes have become alarmingly realistic. Coupled with the advent of generative AI, which can generate convincing, yet entirely made-up content, the line between reality and fiction has never been blurrier.

The Identity Layer is key for a trustworthy data exchange

This article is the third in our series dedicated to TrustTech (read part 1 here and part 2 here). TrustTech expands the traditional definition of cybersecurity to include technologies that promote trust across all layers of the Trust Backbone: infrastructure, identity, regulatory, and ethical. The Trust Backbone is a mesh connecting everything and everyone in the digital world. In our previous article, we discussed how TrustTech protects the Digital Infrastructure layer responsible for transporting sensitive data through the backbone. However, transporting the data securely is not enough to guarantee its integrity. This is where the Identity layer comes in; it ensures that only authorized parties are participating in the data exchange. Identity solutions hold equal significance for both humans and machines. In this article, we focus primarily on identity solutions for humans.


A budding market for identity solutions

In parallel with the broader TrustTech field, most of the Identity startups in the EU are in the early stages of development. Early-stage deals account for more than 83% of all VC deals, with late-stage deals accounting for only 9%. The Identity layer has seen a steady increase in both the number of startups and the amount of capital invested since 2018. The number of startups grew from 345 in 2018 to 551 in 2022. Additionally, the amount of invested capital tripled during this period.

Source: PitchBook Data, Inc., Own research

The broader identity market is a multi-billion dollar industry comprising various submarkets, such as Identity and Access Management (IAM), Biometrics, Fraud Prevention, Decentralized Identity, and other related markets. To give some numbers: the global IAM market alone (PitchBook estimate) was valued at $18 billion in 2022 and is projected to grow to $37 billion by 2030. The global Fraud Detection and Prevention market is anticipated to expand from $30 billion in 2022 to $129 billion in 2029. Beyond these well-established markets, which are often dominated by incumbents, the emerging segments of Decentralized Identity and Digital Identity exhibit considerable potential for rapid growth, also for smaller players. And even in the established markets mentioned above, new opportunities will emerge and offer growth potential for startups and innovative smaller players.

The Identity Lifecycle

Given the breadth of the identity space, we have summarized its most relevant parts in what we call the “Identity Lifecycle”, which comprises key stages such as creation and onboarding, authentication and identification, identity management, and identity revocation and deletion. The Identity Lifecycle requires robust solutions to ensure security, trustworthiness, and seamless user experiences. The following sections describe the core parts of the Identity Lifecycle, where the threats lie, and how TrustTech helps.


1. Identity Creation, Enrollment and Onboarding

In today’s interconnected world, our identities hold immense value, but they need to be created first. Identity creation can happen in various forms, such as a baby’s first passport or a new employee’s company-issued ID. We use our identities in various scenarios. Consider walking into a bank to open a bank account. The bank employee would obviously need to check your ID to be able to open the account for you. You would need to present your passport to complete this process and enroll at the bank as a new customer (“Enrollment” or “Customer onboarding”). This is pretty straightforward in the real world, but in the digital world onboarding requires an online solution. This is where Know-Your-Customer (KYC) solutions come in. KYC solutions match the pictures on users’ identity documents to their faces, enabling remote user account creation and onboarding. However, these procedures, both physical and digital, are susceptible to fraudulent attacks. Just think of a forged passport presented to a bank employee who is no document expert and will likely not recognize a good fake. Various attacks are also possible in the digital space, such as a fraudster presenting a picture or wearing a mask to impersonate someone else and fool the KYC system.

TrustTech solutions have emerged to counter these threats. Mobile passport checks, sometimes AI-powered, can identify forged security features during physical enrollment. In the digital sphere, advanced AI-supported KYC systems detect impersonation attempts using photos, pre-recorded media, or masks. By analyzing subtle facial micro-movements, eye movement, and pupil dilation, these systems ensure that a real person is present. They can even identify deepfakes and 3D masks, providing a robust defense against sophisticated biometric attacks, which can sometimes fool “traditional” biometric liveness checks.

G+D Ventures is invested in IDnow, a Munich-based leader in Identity Verification-as-a-Service (IVaaS). Head over to their website to see how they are helping companies empower their customer experience with multi-dimensional identity proofing and fraud prevention: https://www.idnow.io/.

2. Authentication and Identification

As a pivotal stage in the identity lifecycle, authentication establishes the link between a claimed identity and the real individual. In the case of the example given above, this would be the login page to your online bank account where you would claim who you are and enter some credentials (for example username and password) to prove that. It is safe to assume we are all familiar with username and password authentication, as they’ve been with us for years. Advanced authentication methods have emerged due to evolving security threats, allowing us the comfort and security of using our biometric markers to log into our online banking accounts, for example.

In certain scenarios, we shift from authentication (1:1 matching) to identification (1:N matching), such as when you enter your car, and an in-car camera identifies you, allowing you to start the car while the music and seat settings are being adjusted to your preference. Similarly, a smart home door might identify the family member at the entrance and unlock the door accordingly.


Threats to authentication range from straightforward data breaches to more complex social engineering attacks. Social engineering relies on psychological manipulation and deception to trick people into divulging sensitive information or compromising their devices. A case of sophisticated social engineering was seen in the 2020 Twitter hack, where attackers manipulated employees into providing access to administrative tools, thereby bypassing traditional authentication methods. Data breaches are quite common, and many leaked username and password combinations are available on the darknet.

However, even when credentials are compromised, TrustTech solutions are making life difficult for fraudsters. A prime example is AI-based continuous authentication using behavioral biometrics. It continually analyzes and records unique patterns in an individual’s behavior, such as their typing rhythm, mouse movements, and even the way they interact with their device. This information is used to build a nuanced behavioral profile for each individual that can’t be replicated. Any deviation from this ‘normal’ behavior can signal a potential security breach. In the case of online banking, even if your login credentials were compromised, AI-based continuous authentication would detect the unusual behavior and halt the transaction or trigger additional security checks.

Continuous authentication can also include digital (browser) fingerprinting, which confirms a user’s identity based on a user-specific set of data collected from the browser. This can include anything from screen resolution and operating system to location and device settings. ML algorithms can use these digital fingerprints for advanced profiling of users.
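To make the “deviation from normal behavior” idea concrete, here is an added example (not code from the article, nor from any G+D Ventures portfolio company) of the simplest possible behavioral-biometrics check: a per-user baseline of inter-keystroke intervals is fitted during enrollment, and each later session is scored by how far its mean interval drifts from that baseline. The score is mapped onto the three responses the text describes: let the session continue, trigger an additional check, or halt it. All timing values are constructed for the example, and the thresholds, feature choice and type names are assumptions; a real product would combine many more signals (mouse dynamics, touch pressure, navigation habits) and tune thresholds on measured false-accept and false-reject rates.

```go
package main

import (
	"fmt"
	"math"
)

// Profile is a per-user behavioural baseline built from inter-keystroke
// intervals in milliseconds observed during enrollment. Assumed structure
// for this example only.
type Profile struct {
	Mean float64 // mean inter-key interval
	Std  float64 // sample standard deviation of the intervals
	N    int     // number of intervals the baseline was built from
}

// Enroll fits the baseline; it needs at least two intervals.
func Enroll(intervals []float64) (Profile, error) {
	n := len(intervals)
	if n < 2 {
		return Profile{}, fmt.Errorf("need at least 2 intervals, got %d", n)
	}
	var sum float64
	for _, v := range intervals {
		sum += v
	}
	mean := sum / float64(n)
	var ss float64
	for _, v := range intervals {
		d := v - mean
		ss += d * d
	}
	std := math.Sqrt(ss / float64(n-1))
	if std < 1 { // floor: a perfectly regular enrollment must not divide by zero
		std = 1
	}
	return Profile{Mean: mean, Std: std, N: n}, nil
}

// Score returns how many standard errors the session's mean interval lies
// from the enrolled mean: |m - Mean| / (Std / sqrt(len(session))).
func (p Profile) Score(session []float64) float64 {
	if len(session) == 0 {
		return math.Inf(1) // no behavioural evidence at all: maximally suspicious
	}
	var sum float64
	for _, v := range session {
		sum += v
	}
	m := sum / float64(len(session))
	se := p.Std / math.Sqrt(float64(len(session)))
	return math.Abs(m-p.Mean) / se
}

// Assumed thresholds; a deployment would tune them on real error rates.
const (
	allowBelow  = 2.0 // behaviour consistent with the baseline
	stepUpBelow = 4.0 // drifted: ask for a second factor before continuing
)

// Decide maps the score onto the three responses from the text.
func (p Profile) Decide(session []float64) string {
	s := p.Score(session)
	switch {
	case s < allowBelow:
		return "allow"
	case s < stepUpBelow:
		return "step-up"
	default:
		return "block"
	}
}

func main() {
	// Constructed enrollment data for one user (ms between keystrokes).
	p, err := Enroll([]float64{110, 125, 118, 132, 120, 115, 128, 122, 119, 131})
	if err != nil {
		panic(err)
	}
	// Constructed later sessions: same user, a slightly drifting session,
	// a different typist using stolen credentials, and a scripted replay.
	sessions := []struct {
		name string
		ms   []float64
	}{
		{"same user, later", []float64{124, 117, 130, 121, 126}},
		{"tired / drifting", []float64{130, 135, 128, 133, 137}},
		{"stolen credentials", []float64{290, 310, 275, 305, 320}},
		{"scripted replay", []float64{50, 50, 50, 50, 50}},
	}
	for _, s := range sessions {
		fmt.Printf("%-20s score=%6.2f -> %s\n", s.name, p.Score(s.ms), p.Decide(s.ms))
	}
}
```

The “step-up” tier matters in practice: a genuine user typing on an unfamiliar keyboard should be asked for a second factor, not locked out, so the middle band keeps the false-reject cost low while still forcing an attacker with valid credentials through an extra check.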

Identities are not always confined to a single provider; they are often used in federated scenarios such as “Login with Google”. These federated ID schemes simplify the user experience but place immense trust in the security measures of providers like Google: in the event of a provider breach, every associated login could be compromised. The concept of Self-Sovereign Identity (SSI) has emerged to mitigate this risk. SSI is a TrustTech solution that allows individuals to own and control their digital identities without the need for centralized authorities; SSI systems use blockchain technology to provide secure, decentralized identity management.

3. Identity Management

Our identities evolve along with our life events, such as getting married, relocating, or getting promoted. These dynamic shifts need to be accurately reflected in our identity. Furthermore, once we have used our identity to sign up for a specific platform, in most cases we would like to keep using that platform. Take online banking for example; most of its value is derived from continuously using the service. Identity Management involves managing identities throughout their lifecycle within the system. It includes granting or modifying access and privileges based on the user’s role or changes in their status. It also encompasses monitoring user activities for any suspicious behavior, updating user information, resetting passwords, and handling user queries or issues. The main focus of this stage is to maintain the accuracy and security of user identities while ensuring they have appropriate access to perform their functions. One possible threat at this stage of the Identity Lifecycle is privilege misuse, which occurs when individuals with high-level access rights, such as administrators or managers, exploit their powers for malicious purposes. Left unchecked, these privileges can lead to unauthorized access, data breaches, and profound damage to an organization’s data integrity and security.


Privileged Access Management (PAM) is a TrustTech solution for counteracting privilege misuse. This is the process of limiting access rights and permissions for users, accounts, applications, systems, devices (including IoT), and computing processes to the bare minimum required for performing regular, authorized tasks. In effect, PAM puts a leash on those with high-level access rights, ensuring they can’t run amok within the system. By limiting their access to what’s absolutely necessary for their role and continuously monitoring their activities, PAM can swiftly identify and halt any suspicious activities.

4. Identity Revocation and Deletion

The identity lifecycle concludes when a user’s association with a system ends, necessitating the secure removal of their digital identity. This phase could be triggered by an employee’s departure, account closure, or a user bidding farewell to social media.

Securely deleting all related data and credentials is critical to prevent misuse and ensure compliance with privacy regulations like GDPR’s “right to be forgotten”. However, eradicating specific records from backups can be problematic, potentially compromising data integrity and escalating storage costs. Enter crypto-shredding, a TrustTech solution that effectively renders the data useless by destroying the encryption keys used to decrypt it. This makes the data inaccessible in both primary storage and historical backups, ensuring a safe, compliant end to the identity journey.
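The following is an added example of crypto-shredding, written for this article and not taken from it or from any G+D Ventures portfolio company. Each identity gets its own data-encryption key; records are sealed under that key with AES-256-GCM; closing the account destroys the key and leaves the ciphertext alone, so the same bytes become undecryptable whether they sit in primary storage or in an older backup copy. The in-memory key store, the type and function names, and the customer record are assumptions constructed for the example; in production the keys would live in an HSM or KMS that is backed up separately from the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrKeyShredded is returned once an identity's key has been destroyed.
var ErrKeyShredded = errors.New("no data-encryption key for this identity: it has been crypto-shredded")

// KeyStore holds one data-encryption key per identity. Constructed for this
// example as an in-memory map; the data store (and its backups) never sees
// these keys.
type KeyStore struct{ keys map[string][]byte }

func NewKeyStore() *KeyStore { return &KeyStore{keys: map[string][]byte{}} }

// Provision generates a fresh 256-bit key for userID.
func (ks *KeyStore) Provision(userID string) error {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return err
	}
	ks.keys[userID] = k
	return nil
}

// Shred overwrites and removes the key. Every record sealed under it, in
// primary storage or in any backup, is undecryptable from this point on.
func (ks *KeyStore) Shred(userID string) {
	if k, ok := ks.keys[userID]; ok {
		for i := range k {
			k[i] = 0
		}
		delete(ks.keys, userID)
	}
}

func (ks *KeyStore) aead(userID string) (cipher.AEAD, error) {
	k, ok := ks.keys[userID]
	if !ok {
		return nil, ErrKeyShredded
	}
	block, err := aes.NewCipher(k)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a record with AES-256-GCM under the user's key. The random
// nonce is prefixed to the ciphertext, and the user ID is bound as associated
// data so a record cannot be re-attached to a different identity.
func (ks *KeyStore) Seal(userID string, plaintext []byte) ([]byte, error) {
	g, err := ks.aead(userID)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, []byte(userID)), nil
}

// Open decrypts a record. It fails with ErrKeyShredded after Shred, and with
// a GCM authentication error if a new key has since been provisioned.
func (ks *KeyStore) Open(userID string, record []byte) ([]byte, error) {
	g, err := ks.aead(userID)
	if err != nil {
		return nil, err
	}
	ns := g.NonceSize()
	if len(record) < ns {
		return nil, errors.New("record too short")
	}
	return g.Open(nil, record[:ns], record[ns:], []byte(userID))
}

func main() {
	ks := NewKeyStore()
	if err := ks.Provision("alice"); err != nil {
		panic(err)
	}
	// Constructed customer record; the "backup" is simply a second copy of the bytes.
	primary, err := ks.Seal("alice", []byte("name=alice;iban=DE00-PLACEHOLDER"))
	if err != nil {
		panic(err)
	}
	backup := append([]byte(nil), primary...)
	pt, _ := ks.Open("alice", backup)
	fmt.Printf("before shred, from backup: %q\n", pt)

	ks.Shred("alice") // account closed: destroy the key, leave the ciphertext in place
	_, err = ks.Open("alice", primary)
	fmt.Println("after shred, primary:", err)
	_, err = ks.Open("alice", backup)
	fmt.Println("after shred, backup: ", err)
}
```

Two properties are worth checking in any real implementation of this pattern: a key provisioned later for the same identifier must not decrypt the old backup (GCM’s authentication tag guarantees that here), and one user’s key must not open another user’s records (the user ID bound as associated data enforces that). Key destruction itself has to be audited, because the key store is now the only place where deletion actually happens.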

We hope you enjoyed our overview of the Identity Lifecycle as part of the Identity layer of the Trust Backbone. If you want to learn more about TrustTech solutions on the Digital Infrastructure layer, make sure to check out our previous article. Stay tuned for more deep dives into TrustTech and the Trust Backbone. Next up — Regulatory layer.

Check out our website to find out more about G+D Ventures and our Portfolio!

G+D Ventures is a European TrustTech investor based in Munich, Germany. G+D Ventures invests in predominantly early-stage TrustTech startups developing solutions for greater security and trust in the digital world. TrustTech expands the traditional definition of cybersecurity to include technologies that promote trust across all layers of the Trust Backbone: infrastructure, identity, regulation, and ethics.




G+D Ventures is an early-stage VC investing in EU-27-based TrustTech startups. Read more at: https://www.gi-de.com/en/ventures