Last month the Better Identity Coalition co-hosted its annual “Identity, Authentication, and the Road Ahead” Policy Forum in partnership with the FIDO Alliance and the Identity Theft Resource Center (ITRC). The day-long event featured government keynote speakers and panel sessions that discussed data breach trends, the role of biometrics and artificial intelligence, government action in the identity space, and other critical topics. Below is a high-level summary of each of the forum sessions; for more detail, video recordings of each session are available on YouTube.
Keynote: Caitlin Clarke, White House National Security Council (NSC)
The event kicked off with a keynote session from Caitlin Clarke, senior director at the White House National Security Council, who reflected on the threat around identity and how the White House is thinking about this issue. “Identity is either the target or the culprit in the cyber incidents we are seeing every day,” Clarke said. “Either by exploiting weak vulnerabilities in identity and access management, products that are end-of-life that don't require authentication … or cyber intrusions that are specifically targeting identity information.”
To combat these challenges, the Biden administration defined five high-impact cybersecurity practices to be implemented with “speed and urgency across the federal civilian executive branch”: multifactor authentication (MFA), encryption, endpoint detection and response, logging, and establishing skilled cybersecurity teams. Clarke underscored the importance of starting with authentication, noting that “implementing MFA – especially phishing-resistant MFA, not just the text to your phone that someone might be able to intercept – is critical to locking our digital doors.”
She also noted the work the National Institute of Standards and Technology (NIST) is doing through its National Cybersecurity Center of Excellence, focused on mobile driver’s licenses and accelerating the adoption of digital identities on mobile devices. Clarke concluded by stating that the government is actively working “to identify a number of actions that we believe will have a positive impact on digital identity and identity verification,” and asked the audience to “bear with us” as more work in this area is released soon.
Release of the 2023 ITRC Data Breach Report
James Lee, Chief Operating Officer at the ITRC, led the second session, in which the ITRC released its annual data breach report detailing trends in identity-related crimes. 2023 set a new all-time high with 3,025 reported data breaches, while the estimated number of victims dropped. Supply chain and zero-day attacks grew, and most breaches involved sensitive personal identifying information (PII).
Moving forward, Lee laid out three strategic shifts that are needed to combat the staggering numbers of identity-related crimes: ensure uniform data breach laws and regulations, promote greater supply chain due diligence, and reduce the value of stolen information. To accomplish these, Lee suggested standardizing definitions and triggers for data breach laws, creating a breach alert system for supply chains, and accelerating the adoption of mobile driver’s licenses.
Panel: The Role Biometrics Can Play in Devaluing Stolen Data
The first panel session of the day was moderated by Jay Meier of FaceTec and featured panelists Arun Vemury, biometrics expert and ITRC Advisory Board Member; James Lee, COO, ITRC; Dr. Stephanie Schuckers, director of the Center for Identification Technology Research (CITeR) at Clarkson University; and John Breyault, vice president of public policy, Telecom and Fraud, at the National Consumers League.
The panel began by breaking down what it means to “devalue data” and why this is important. Dr. Schuckers explained that in a traditional data breach the “main attack vector is often biographical information” that can be stolen and assembled into a fake profile for an individual, and that alternative solutions relying on biometric information rather than biographical data can help make stolen data less valuable. However, as Vemury noted, biometrics alone may not be sufficient: given new attacks that look to “spoof” biometrics, biometric implementations today should ideally include tools that take extra measurements to establish “liveness” – meaning there is a way to determine that the biometric ties back to a real person, as opposed to a deepfake or mask.
In his remarks, John Breyault highlighted the potential costs of misusing biometric technology, which often fall on those who are least prepared, such as marginalized populations, but noted that the use of biometric data has been an overall net good for consumers. James Lee also raised the issue of ensuring an “equally robust second path for verifying identities” for individuals who don’t have the tools to use biometrics. The panel concluded by reflecting on best practices for using biometric data: using it only for specific use cases, data minimization, increasing anonymous transactions, informing users of risks, rigorous testing, using liveness detection, and providing alternative methods for verification.
Perspectives from ID Theft Victims
During this session, Eva Velasquez, President and CEO at the ITRC, shared a number of perspectives from ID theft victims to shine a light on the human impact of identity-related crimes. The sentiments from victims spotlighted the range of effects identity-related crime has, from social isolation to mental health challenges.
One victim said, “I have zero funds to even meet a friend for coffee or a drink. Therefore, I remain totally isolated and mentally not good due to feeling the scammers took my life.” Another noted, “I have been in therapy for over a year trying to get a better handle on how this happened and how to prevent it again.”
Victim sentiments also spoke to behavior changes in response to their situation, such as monitoring accounts more regularly and changing passwords more frequently. Velasquez closed the session by noting that despite the debilitating impacts of identity-related crimes on victims, findings show a slow rate of adoption for a variety of well-established best practices, as well as for modern technology and processes that protect personal and business information. The vast majority of small and medium-sized businesses have not adopted tools such as MFA for employee or customer use, mandatory strong passwords, or role-based access for employee access to sensitive data.
Better Identity at Five Years: A Report Card and New Path Forward
In his session, Jeremy Grant, Coordinator of the Better Identity Coalition (BIC), unveiled a new report from the Coalition that graded the government on progress made against BIC’s 2018 Policy Blueprint, and laid out an updated 21-point action plan for policymakers to address deficiencies in identity infrastructure.
Here the government got a “D” for its lack of progress in prioritizing the development of next-generation remote ID proofing and verification systems – Grant noted that two successive Administrations have effectively ignored this issue and Congressional efforts to drive action have stalled. However, the government fared better in other areas, earning an “A” for efforts to promote and prioritize the use of strong authentication and a “B” for changing the way America uses the SSN.
Grant noted that while no single action or initiative will be able to solve every issue with our identity ecosystem, “if taken as a package, if this Policy Blueprint is enacted and funded by the government, it will address critical challenges in digital identity - and make things better.” It is critical for the U.S. to develop a clear vision of what “good” digital identity authentication looks like as the situation continues to grow more dire.
In 2023, there were 3,025 data compromises reported, a 78% increase year-over-year and the worst year ever by 72%, impacting 353 million individuals, with more than 80% of confirmed breaches related to compromised credentials. Grant walked through the revised blueprint, which emphasizes prioritizing the development of next-generation remote identity proofing and verification systems; changing the way America uses the Social Security Number; promoting and prioritizing the use of strong authentication; and pursuing international coordination and harmonization.
Panel: The Cost of Government Doing Nothing in Digital Identity
The second panel session of the day was moderated by Jeremy Grant, Better Identity Coalition coordinator, and featured panelists Eva Velasquez, President/CEO, ITRC; Carole House, Co-Chair, Subcommittee on Digital Assets and Blockchain Technology, U.S. Commodity Futures Trading Commission; Pastor Ben Roberts, I.D. Ministry, Foundry United Methodist Church; and Pam Dingle, Director of Identity Standards, Microsoft.
The panel was convened to discuss the consequences of government inaction in the digital identity space. The conversation kicked off with a dialogue around the gap between physical and digital credentials, with Roberts sharing his experiences helping non-housed individuals get identity documents and shedding light on the time- and cost-intensive process.
House reflected on the “need to turn identity into a lever to support economic growth,” calling for a coordinated effort led by the White House. Dingle pointed to some positive trends emerging by referencing the National Institute of Standards and Technology (NIST) 800-63 standard as an “excellent exemplar of how government regulation and industry can work together.” All of the panelists agreed that the cost of the government not taking clear, decisive action in digital identity will make things significantly worse, and that we must remind ourselves of the human impact that will result from inaction.
Keynote: FIDO Alliance
Andrew Shikiar, executive director at the FIDO Alliance, led a session outlining the alliance’s priorities for the year ahead and reflecting on last year's predictions.
Shikiar noted that most of the 2023 predictions came true, with MFA bypass attacks against organizations accelerating the adoption of unphishable authentication methods. He also noted that 2023 was “the year of the passkey,” with rapid adoption among hundreds of companies that enabled consumer use of passkeys.
As Shikiar reflected on the year ahead, he pointed out the role generative AI has had in “adding fuel to the phishing fire,” with a 1256% rise in malicious phishing emails since Q4 2022. With phishing now the primary threat, a fundamental shift is needed toward passkeys, which provide phishing-resistant, passwordless sign-in to online services. As he closed, Shikiar stated that we need to prioritize strong security at every sign-in, and that advanced technologies for remote identity verification, like passkeys, can help “snuff out attacks.”
Keynote: Chris DeRusha, White House Office of Management and Budget
Chris DeRusha, chief information security officer at the Office of Management and Budget (OMB), spoke in his capacity as a member of the U.S. government’s Cyber Safety Review Board (CSRB) about the recent Review of the Attacks Associated with Lapsus$ and Related Group Threats report, which included a number of recommendations specific to identity and access management.
DeRusha emphasized the need for “dramatic improvements in identity management,” noting that this will require “a whole-of-industry approach” to revamp our identity infrastructure. He advocated for transitioning away from vulnerable methods like SMS and voice MFA to more robust, phishing-resistant MFA tools like FIDO, and for implementing secure-by-default measures to reduce the window of opportunity for attackers. The presentation concluded with a call for collaboration and a commitment to addressing the root cause in over 80% of data breaches - passwords.
Panel: AI is Here - What Does it Mean for Identity?
This panel discussed the intersection of artificial intelligence (AI) and identity and was moderated by Heather West, senior director of Cybersecurity and Privacy Services at Venable LLP, who was joined by speakers Ryan Galluzzo, Digital Identity Program Lead at NIST; Kim Soffen, legislative director for Congressman Bill Foster; and Beatrice Moissinac, Data Scientist, Okta.
Soffen began the conversation by emphasizing AI’s impact on digital identity, especially with the proliferation of deepfakes, the most recent example being a deepfake of President Biden telling citizens not to vote in primary elections. Galluzzo pointed to the work that NIST is doing in developing an AI Risk Management Framework while “actively trying to mitigate biases across demographic groups,” ensuring they have the right data to “train and test the efficacy of AI models.”
Moissinac complemented this NIST effort by underscoring the importance of collaboration between AI and cybersecurity experts to find the right blend of skill sets to produce the best AI models possible. All of the panelists reflected on the enormous impact that AI has had in the identity space and encouraged further action.
Keynote: Financial Crimes Enforcement Network (FinCEN)
Andrea Gacki, director at FinCEN, started off the afternoon sessions of the policy forum with a keynote speech exploring some of FinCEN’s most recent activities including the implementation of beneficial ownership information reporting requirements and the publication of the Financial Trend Analysis - Identity-Related Suspicious Activity: 2021 Threats and Trends. “FinCEN’s financial trend analysis analyzes 2021 Bank Secrecy Act data to quantify, and feedback to industry on how bad actors are exploiting identity related processes during account openings, access, and transactions to perpetuate crimes. The report reveals the existence of significant identity related exploitations through a large variety of schemes,” said Gacki.
Providing financial institutions with intelligence about the exploitation of identity processes can help them close gaps and gives them a greater degree of certainty that their customers are who they claim to be. Gacki closed with hopeful sentiments, looking forward to the continued work between the public and private sectors on “protecting American identities” and “preventing illicit actors from exploiting identity and financial crimes.”
Panel: Diving Deeper into the FinCEN Identity Project
The final panel session of the day featured Kay Turner, chief digital identity advisor at FinCEN, and Sean Evans from FinCEN, who presented on the Financial Trend Analysis - Identity-Related Suspicious Activity: 2021 Threats and Trends report.
“Identity is fundamental to the effectiveness of every financial institution's AML/CFT program,” and as threats continue to grow in the identity space “identity systems have not,” said Turner as she reflected on the catalyst for this project. Evans walked through the project’s three main goals: to learn about customer identity processes; to quantify process gaps, breakdowns, vulnerabilities, and threats; and to identify solutions, including digital identity solutions.
He noted that “fraud” was the “most reported and impactful impersonation typology,” while “identity theft” was the “most reported compromise typology, with abuse of access being the most impactful.” As Evans closed out the discussion, he remarked that this effort was “a snapshot of 2021” and that moving forward FinCEN wants to identify trends over time. Turner therefore underscored the need for the community’s feedback on the report and its priorities going forward, so that it continues to be a collaborative effort.
Spotlight Session: Women in Identity - Code of Conduct
This year’s policy forum spotlight session featured Kim Sutherland and Kay Chopard from Women in Identity, who presented on the “Code of Conduct” research project the group has been developing. Women in Identity believes there is a need for a global Identity Code of Conduct to address identity exclusion, which is impacting people’s ability to access financial services and products.
The project reviews the identity ecosystem in the United Kingdom and Ghana and identifies the causes and consequences of being excluded from access to identification credentials. As the research project enters its next phase, Women in Identity will be partnering with universities in the U.K. and U.S. to study the economic impact of having properly ID’d individuals and will be looking to partner with more corporate sponsors to continue this effort.
Keynote: Eric Goldstein, Cybersecurity and Infrastructure Security Agency (CISA)
The final speaker of the day was Eric Goldstein, executive assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency (CISA), Department of Homeland Security (DHS). Goldstein remarked that we are moving towards a “passwordless future, where FIDO2 is the de facto standard for those seeking to modernize identity management.”
He recognized that identity and authentication have been the target of every sophisticated threat actor in every major attack in recent years, underscoring the importance of driving modernization in identity and authentication with urgency. Moving forward, Goldstein was excited about the adoption of passkeys and phishing-resistant MFA, pushing for this to be a “core business imperative.” He noted that CISA looks forward to continuing to partner with the community on these necessary initiatives.