Identity. We’ve been lied to, hoodwinked, and bamboozled.

When it comes to the sanctity of our identity, we’ve been misled for so long that we’ve become blind to the digital chasm that now stands before us. From a cyber security standpoint, that delusion has never been more evident than in an industry where thousands of security companies and professionals peddle “zero-trust” and “multifactor authentication” while ignoring the more consequential issue of proof of identity.

But, before we follow the white rabbit into Wonderland, let’s build a common understanding of what identity really is, and what it is not, by way of a couple of examples:

An example from the real world: Your best friend pops her head into your office and says, “Hey, I forgot my wallet this morning. Can I borrow twenty bucks for lunch?” Without a thought, you pull out your wallet and hand over twenty dollars. In terms of identity, what really happened here? In a fraction of a second, you identified your friend, surfaced a deep sense of absolute trust, and decided to complete the transaction: loaning her twenty dollars. Without a thought, you knew with 100% certainty that this was your friend standing in your office doorway. You knew her face, her voice, the way she speaks, and so forth. That is what we call Identity with a capital “I”. To put that in more technical terms, your friend’s face and voice might also be called biometrics. Biometrics are the physical characteristics that make you … well, you! They can include your face, fingerprints, heart rhythm, iris, or even your genetic material. Humans are well adapted to interpreting some of these; others, like your fingerprints, require the assistance of a sophisticated computer. In all cases, however, to assert absolute proof of identity it must be something that cannot be easily stolen or replicated. That fact will become important later in our discussion.

Let’s look at another familiar example. You walk up to an ATM, insert your debit card, type in a PIN, and withdraw cash from your bank account. When it comes to proof of identity, the difference in this example is probably obvious to you, but let’s characterize things in a bit more detail. Does the bank really know who you are? No. Does it trust you? No, and that’s why you are typically limited in how much cash you can withdraw from an ATM each day. All the bank’s computer systems know is that someone holding a debit card tied to your bank account, who also knows your PIN, was standing in front of the cash machine. The bank knows it could be absolutely anyone; simply possessing a debit card and knowing the associated PIN does not provide absolute proof of identity. Your debit card and PIN are merely credentials. Credentials can be stolen or replicated for use by someone other than the intended owner.

Both examples are everyday occurrences, but the latter reflects the type of transaction that dominates our digital world. To put it another way, trust is the fuel that makes digital commerce possible, and identity is the basis of that trust. Without absolute identity and the trust it builds, digital commerce is inefficient, costly, and insecure. That is the world we live in today, and it is why virtually all cyber security incidents start with a failure in proof of identity.

Now, let’s explore what it takes to achieve absolute identity and trust. As mentioned above, true proof of identity must be something that cannot be stolen or replicated. Achieving that level of confidence comes down to one word: control. In the physical world, you exercise absolute control over when you present yourself to someone and what information you wish to share, including any credentials you might need to divulge. The question becomes how to translate that same level of assurance and control into the digital world.

Usernames, passwords, PINs, smartphones, fobs, tokens, one-time-password generators, and the like all inherently fail as absolute proofs of identity because they are not within your uncontested control. As credentials, they can all be stolen, replicated, or breached, some more easily than others. Let’s talk more specifically about smartphones, as these remarkable devices have duped many of us into a perilous false sense of control. Indeed, you can physically possess your smartphone and control its location. You can even use biometrics to unlock your phone. But do you really control your phone? With millions of lines of software code, smartphones are fertile ground for the bad guys to find vulnerabilities in the operating system that give them control of your smartphone without you ever knowing. There are real-world examples of just this sort of breach. The fact that smartphones are virtually always connected to the Internet makes them easy targets. Do you use a PIN code as a backup on your phone? Then your biometrics are nothing more than a personal convenience and a very thin veil when it comes to security. Finally, the ultimate controlling authority over your phone is the manufacturer, the telecommunications provider, or even your government, who can dictate how your phone is used and operated. Simply put, you are no more in control of your smartphone than you are of deciding what time the sun rises each morning. If you are using your phone as proof of identity to unlock your doors, access a bank account, or log into your computer … well, look down and take a good hard look at that dark chasm.

If you’re seeing that abyss for the first time, you’re in good company. So, how do we bridge our way across to safer territory? What solution enables you to exert a sufficient level of control? Unsurprisingly, it is a complex and multifaceted problem. If you go hunting for an answer, you’ll come across plenty of organizations that toss around phrases like biometrics, zero-trust, and a slew of other security buzzwords. While biometrics can be effective keys, they must remain completely within your uncontested control to provide absolute proof of identity and trust. It comes down to the trusted container in which you place your biometrics along with any associated credentials. To exercise unconditional control, any solution must be private and decentralized, meaning only you have access. If others have access to your biometrics and credentials, then you no longer exert absolute and uncontested control. The container must also be disconnected from the outside world until you decide there is a need to present any of the credentials associated with your identity. Like your smartphone, if it’s always connected, the bad guys will eventually obtain access and, once again, you no longer exert absolute control.

An effective solution that provides that level of control and absolute proof of identity is a tall order. That is especially true if it needs to be cost-effective, easy to use, and generate a positive ROI within an enterprise environment. While this is a broader challenge than any one company’s solution, allow me to shamelessly plug our own company for just a second. The SentryCard platform is, perhaps, one of the only solutions in the world today that delivers on the promise of absolute identity and trust. I invite you to come and decide for yourself.

You can learn more about absolute identity and trust at sentryenterprises.com.

Debesh Choudhury, PhD

Information Security Researcher, Academician, Entrepreneur | Password & Cybersecurity, Data Privacy, Blockchains, Digital Identity, Biometrics Limit | 3D Education | Writer | Linux Trainer | Podcast Host

10 months

Mark Bennett, Your concerns about digital identity are relevant. My hands-on research found that biometrics is not a fallacy, but biometrics authentication is probabilistic and unreliable. Biometrics can't yield a deterministic "Yes/No" result like the text passwords/PINs, plus other problems, such as spoofing. Hence, biometrics can lower security even if securely kept in trusted custody (self or other).

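The comment above contrasts the deterministic result of a password or PIN check with the probabilistic result of a biometric match. The following Python example is added here to make that contrast concrete; it is not code from the article, from Sentry Enterprises, or from the commenter. It assumes a simplified model of a biometric template as a fixed-length bit vector compared by Hamming distance (in the spirit of iris codes, but not any vendor's real algorithm), and all templates and sensor noise are constructed with a seeded random generator. The password side uses the standard library's PBKDF2 and a constant-time comparison, which is a correct, if minimal, pattern for storing and checking a secret.

```python
import hashlib
import hmac
import random

# ---- Deterministic check: a secret either matches or it does not ----

def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the password (iteration count is illustrative)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def verify_password(salt: bytes, stored_hash: bytes, candidate: str) -> bool:
    """Constant-time comparison of the stored hash against the candidate's hash.
    The result is exactly True or False: no threshold, no error rate."""
    return hmac.compare_digest(stored_hash, hash_password(candidate, salt))

# ---- Probabilistic check: a biometric sample is 'close enough' or not ----

def hamming_fraction(a: int, b: int, nbits: int) -> float:
    """Fraction of bit positions in which two nbits-wide templates differ."""
    return bin(a ^ b).count("1") / nbits

def verify_biometric(enrolled: int, sample: int, nbits: int, threshold: float) -> bool:
    """Accept when the sample is within `threshold` (a fraction of bits) of the
    enrolled template. The threshold is a policy choice, not a fact about identity."""
    return hamming_fraction(enrolled, sample, nbits) <= threshold

def noisy_sample(template: int, nbits: int, flip_prob: float, rng: random.Random) -> int:
    """Constructed 'sensor noise': each bit of the genuine template flips with
    probability flip_prob, so two captures of the same person never match exactly."""
    mask = 0
    for i in range(nbits):
        if rng.random() < flip_prob:
            mask |= 1 << i
    return template ^ mask

def estimate_error_rates(nbits: int, threshold: float, trials: int,
                         genuine_noise: float, seed: int = 1) -> tuple[float, float]:
    """Empirical (false reject rate, false accept rate) for one threshold.
    Genuine attempts are noisy re-captures of the enrolled template; impostor
    attempts are unrelated random templates. All data is constructed."""
    rng = random.Random(seed)
    enrolled = rng.getrandbits(nbits)
    false_rejects = sum(
        not verify_biometric(enrolled, noisy_sample(enrolled, nbits, genuine_noise, rng),
                             nbits, threshold)
        for _ in range(trials)
    )
    false_accepts = sum(
        verify_biometric(enrolled, rng.getrandbits(nbits), nbits, threshold)
        for _ in range(trials)
    )
    return false_rejects / trials, false_accepts / trials

def threshold_sweep(thresholds, nbits: int = 256, trials: int = 200,
                    genuine_noise: float = 0.10) -> dict:
    """Map each threshold to its (FRR, FAR) pair so the trade-off is visible:
    loosening the threshold lowers FRR and raises FAR, and no setting makes both
    identically zero in general."""
    return {t: estimate_error_rates(nbits, t, trials, genuine_noise) for t in thresholds}

if __name__ == "__main__":
    salt = b"constructed-salt"          # constructed; use os.urandom in real code
    stored = hash_password("correct horse", salt)
    print("password ok:", verify_password(salt, stored, "correct horse"))
    print("password bad:", verify_password(salt, stored, "wrong horse"))
    for t, (frr, far) in threshold_sweep([0.12, 0.30, 0.45]).items():
        print(f"threshold={t:.2f}  FRR={frr:.3f}  FAR={far:.3f}")
```

The password check returns the same answer every time for the same input. The biometric check only ever reports "closer than the threshold", so the operator must pick a threshold and live with the resulting false-accept and false-reject rates; the sweep shows that a strict threshold (0.12) rejects some genuine captures and a loose one (0.45) admits some random templates, which is the sense in which the comment calls biometric authentication probabilistic.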
Art Gasch

Director at Ontologica, LLC

2 years

True Story

David Hoglund

CEO and Founder at Integra Systems, Inc.

2 years

Mark, you have connected all the dots. Glad to see the progress from years past working together. Sentry Enterprise is the leap frog solution that provides security front and center for the convergence of IT and physical security. A true market positive disruptive.

Gregory Newman

The Startup Shepherd. Driving Growth with Creative Strategies and Focused Execution.

2 years

Nice article. Hard to believe that helping people understand the requirements for effective digital security is still such a big task, so many years on. Just proves how poorly most of us understand the threats and vulnerabilities. SentryCard's approach makes sense, providing effective security without sacrificing user convenience.

Russ Garcia

CEO at Menlo Micro

2 years

This is the real deal! I have known these guys since the beginning. They are building a truly secure identity platform. Check them out!
