Recovering a Lost Identity
Can we do better than Email?
Session: Monday Session 2 Space D
Convener: Michael Sprague
Notes-taker(s): Michael Sprague
Tags for the session - technology discussed/ideas considered: multi-factor authentication, strong authentication, recovery, legal
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
Lively discussion… a dozen or so participants… many open questions…
As the value of services on the web grows, i.e. SaaS, banking, etc., the value of the identity used to access those services grows. Also, as identity providers emerge to assert identity across multiple relying parties, the compromise of a single identity grows in importance.
The two systems used today for identity recovery are email and secret questions. Both are easily compromised. Secret questions (e.g. "what high school did you attend?") were particularly ridiculed: most answers can be found with a simple web search.
These systems, however, developed out of a need to keep costs down. Having help desk personnel engage a customer to recover a password for a free email service is cost-prohibitive.
Perhaps recovery of a lost ID could be a chargeable transaction. Some reacted to this notion as if it could be exploited as a form of blackmail. On the other hand, a user could pre-establish a method of recovery and commit to such a charge when opening an account. This is more palatable. If one forwent this option, the identity could be unrecoverable.
Recovery is a back door to authentication and thus should be commensurate with the strength of the original authentication. If my authentication is level 2, my recovery procedure should similarly be at level 2; otherwise the weaker recovery path sets the real strength of the account.
Within an organization the policy is usually "go talk to your admin", who can likely verify your identity and re-issue access. On the open Internet this procedure is not available.
Of course, one way to establish recovery is to link authentications. When more than one form of authentication can access an account, the secondary form can be used if primary access is lost. Barring this, what is the legal process? Can it be standardized?
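To make the two points above concrete (recovery must match the authentication level, and linked secondary factors are what make recovery possible), here is a small policy model. It is an added example, not something from the session or any product discussed there; the 1-to-3 assurance scale, the factor names and the sample accounts are all assumptions constructed for illustration.

```python
"""Toy model of "recovery is a back door": the assurance an account really
has is bounded by its weakest recovery path, and recovery is only possible
if a sufficiently strong linked factor remains after one is lost.
Added example; the level scale and factor names are assumptions."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Factor:
    name: str
    level: int  # assumed scale: 1 = email/secret questions, 2 = OTP app, 3 = hardware key


@dataclass
class Account:
    auth_level: int  # level the primary login is meant to provide
    recovery: list[Factor] = field(default_factory=list)  # pre-established recovery paths


def effective_assurance(account: Account) -> int:
    """An attacker picks the weakest door, so real assurance is the minimum of
    the login level and the weakest registered recovery path."""
    if not account.recovery:
        return account.auth_level  # no back door, but also no way to recover
    return min(account.auth_level, min(f.level for f in account.recovery))


def weak_paths(account: Account) -> list[str]:
    """Recovery methods weaker than the login; these silently downgrade the account."""
    return [f.name for f in account.recovery if f.level < account.auth_level]


def recovery_options(account: Account, lost: str) -> list[str]:
    """Linked factors still usable after `lost` is gone and strong enough for this account."""
    return [
        f.name
        for f in account.recovery
        if f.name != lost and f.level >= account.auth_level
    ]


def is_recoverable(account: Account, lost: str) -> bool:
    return bool(recovery_options(account, lost))


# Constructed sample factors and accounts (not real products or policies).
EMAIL = Factor("email", 1)
QUESTIONS = Factor("secret questions", 1)
TOTP = Factor("totp app", 2)
HWKEY = Factor("hardware key", 3)

# A "level 2" account that still allows email recovery.
bank = Account(auth_level=2, recovery=[EMAIL, TOTP])
# The same account with only level-2-or-better recovery paths linked.
hardened = Account(auth_level=2, recovery=[TOTP, HWKEY])
# An account whose owner declined to set up any recovery at all.
no_recovery = Account(auth_level=2)


if __name__ == "__main__":
    for label, acct in (("bank", bank), ("hardened", hardened), ("no_recovery", no_recovery)):
        print(label, "effective level:", effective_assurance(acct),
              "weak paths:", weak_paths(acct),
              "options if password lost:", recovery_options(acct, "password"))
```

Running it shows the `bank` account is effectively level 1 because of the email path, while `hardened` keeps level 2 and can still be recovered via the hardware key if the OTP app is lost; `no_recovery` keeps its level but has no way back in, which is the trade-off the session noted.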
Many examples were explored. An admin with the only access to critical company data in a cloud service gets hit by a bus. The CFO will go through legal channels to gain access to this account. Perhaps this is something that can develop into standard and accepted procedures: essentially an out-of-band counterpart to a technical authentication mechanism.