Blog Archives - IDPro (https://idpro.org/category/article/)

Exploring New Frontiers in Account Recovery
https://idpro.org/exploring-new-frontiers-in-account-recovery/
Mon, 25 Nov 2024 15:10:50 +0000

The post Exploring New Frontiers in Account Recovery appeared first on IDPro.
Account recovery has long been a pain point for both businesses and users. With over 30% of contact center calls tied to recovery processes, the operational and fraud-related costs can add up quickly. I recently posted an article on LinkedIn, Using a Passport Chip for Account Recovery, which outlines a forward-looking approach to tackling this issue: leveraging the cryptographic security of passport chips.

While this idea may still be in the realm of innovation rather than standard practice, it introduces a pattern worth exploring for organizations looking to strengthen their account recovery processes.

Why Explore NFC Chips?

Modern passports and ID cards often include NFC chips containing cryptographically verifiable data. These chips offer significant security benefits, such as:

  • Resistance to attacks: NFC chips in government-issued identity artifacts use cryptographic protections that are not vulnerable to phishing, deepfakes, or social engineering.
  • Privacy-first design: Businesses can rely on secure data matching without needing to store sensitive personal information.
  • Global availability: With billions of chipped IDs in circulation, the infrastructure for this approach already exists.

Using NFC-enabled phones, individuals can verify their identities securely, replacing traditional recovery methods like knowledge-based authentication or telephone-based verification, both of which have become increasingly vulnerable.

A Potential New Path for Account Recovery

For organizations grappling with the growing complexity of identity verification, this model introduces a forward-thinking possibility:

  1. Improved Security Posture: By leveraging cryptographically verifiable identity documents, recovery processes can be made stronger than the authentication methods they support—a critical principle in identity management.
  2. Cost Reduction: Eliminating labor-intensive telephone-based identity verification could yield significant savings, especially for larger organizations. 
  3. Value Protection: Customer Lifetime Value is at risk if organizations lack account takeover prevention measures—would account takeover victims remain loyal? 
  4. Enhanced User Experience: Self-service recovery options leveraging widely available technology could reduce frustration for legitimate users while thwarting fraud attempts.

Recognizing the Challenges

This is not a one-size-fits-all solution. Organizations must weigh several factors, such as:

  • The availability of NFC-enabled identity documents among their user base.
  • Educating users on how to utilize chipped IDs effectively.
  • Addressing edge cases where users lack compatible IDs or devices.

Additionally, as the article acknowledges, this approach requires collaboration across industries and careful consideration of privacy and compliance requirements.

An Idea to Explore

As an IDPro member, I appreciate the value of discussing emerging ideas like this with the community—not as definitive solutions but as possibilities to explore as the identity landscape evolves. For some organizations, NFC-based account recovery may represent a promising opportunity to address vulnerabilities in their processes. For others, it may serve as inspiration for thinking creatively about strengthening identity recovery.

Learn More

To explore the technical and operational considerations of using NFC-enabled passport chips in account recovery, check out the full article on LinkedIn: Using a Passport Chip for Account Recovery.

Disclaimer: The views expressed in the content are solely those of the author and do not necessarily reflect the views of the IDPro organization.

Author Bio

Rob Brown has had chips with everything throughout his career: from RFID tag start-ups to the NFC Forum, growing market demand for smart card processors, and Trusted Execution Environments for mobile payments and biometrics. He consulted on IAM of Things and supply chain transparency, went through blockchain, and is now at @Inverid, where NFC chips, IDV, mobiles, and biometrics converge in an app that scans your document chip to prove it is you. As a mountain bike coach, he sees that every crash teaches a lesson. A smashed phone and a world of digital pain in account recovery inspired him to look for something better for the next time.

The Importance of Conversational Partners in Standards
https://idpro.org/the-importance-of-conversational-partners-in-standards/
Mon, 25 Nov 2024 15:05:33 +0000

The post The Importance of Conversational Partners in Standards appeared first on IDPro.
Learning a language can be quite difficult. Sure, you can opt for mobile apps that claim to teach you the language in “three short months!”, but anyone who’s tried to order the ratatouille in Paris, the Tom Yam Koong in Bangkok, or the Burnt Ends in Texas quickly learns that there’s a difference between knowing a few words and being able to communicate useful information in the real world. What most of us truly need is a conversation partner—someone who will always respond with the correct answer and gently correct our mistakes as they slowly fade into proper usage.

Adopting identity standards is a lot like acquiring a foreign tongue. While it’s relatively easy to have a surface knowledge of the technology, most of us don’t easily understand what is occurring in these identity approaches until we can actually interact with them personally. As we explore them by hand, we see what each exchange looks like, what happens when things fall over, and what current systems do when faced with boundary cases.

In short, we need a “conversational” partner that will let us try out these interactions and learn the proper call and response.

A Demo System as a Conversational Partner

Open-source or publicly-available demo systems are crucial to the learning process. They allow for a deeper understanding of interactions and the chance to learn via experience. When it comes to emerging standards, they speed adoption tremendously, as can be seen from examples such as AuthZen and the Shared Signals Framework from the OpenID working groups.

Those of us participating in the Shared Signals Framework Interop this year in March (and coming up again in December) have benefitted from Caep.Dev – an online receiver/transmitter that can be used publicly both to understand interactions within the standard and to identify where ongoing development efforts may have failed to follow the specification. (Not that Caep.Dev was infallible by the way—it helped clarify issues on both sides of most interactions.) Without the existence of this kind of conversational partner, the standard would see much slower adoption and lower levels of successful interop participation.

Just Try It Out

But it’s not just emerging standards, either—existing standards benefit from conversational partners as well. Take SCIM, for instance; it has been around for at least nine years, but still benefits from projects such as Arie Timmerman’s Scim.Dev. Users can explore the world of SCIM, including my personal favorite emerging standard: SCIM Events.

I’ll let Arie describe what he’s created over on Scim.Dev:

“Tell me and I forget, teach me and I may remember, involve me and I learn.” This wisdom—shared by Benjamin Franklin—underpins the philosophy behind SCIM Playground. Rather than responding to questions like “How do I integrate using SCIM?” with “Read the specs”, we can now say, “Just try it out.” A demo environment is one click away, complete with optional dummy users and groups to help you get started quickly. Many IT professionals perceive SCIM as complex or challenging to understand, but this playground and testing environment can help overcome these barriers and encourage adoption of the protocol.

Sites such as Caep.Dev and Scim.Dev (no, they’re not all suffixed with .dev) give us the opportunity to practice using these standards, write prototype and production code against them, and level up quickly as we rush to enhance the utility of identity. These kinds of publicly available tools exist for most standards—easily found a few short searches away (ask on the IDPro Slack if you’re having difficulty uncovering what you need).

Accelerate Your Progress

So, if you’re looking to learn something new about identity or want to understand a new or emerging standard, accelerate your progress the same way you would if you were trying to gain fluency in a language other than your own: find a conversational partner.

Disclaimer: The views expressed in the content are solely those of the author and do not necessarily reflect the views of the IDPro organization.

Author Bio

Director of Strategy and Standards, SailPoint

Mike Kiser is insecure. He has been this way since birth, despite holding a panoply of industry positions over the past 20 years—from the Office of the CTO to Security Strategist to Security Analyst to Security Architect—that might imply otherwise. In spite of this, he has designed, directed, and advised on large-scale security deployments for a global clientele. He is currently in a long-term relationship with fine haberdashery, is a chronic chronoptimist (look it up), and delights in needlessly convoluted verbiage. Mike speaks regularly at events such as the European Identity Conference and the RSA Conference, is a member of several standards groups, and has presented identity-related research at Black Hat and Def Con. He is currently the Director of Strategy and Standards at SailPoint Technologies and an active IDPro member.

Highlights from Authenticate 2024 by FIDO Alliance
https://idpro.org/highlights-from-authenticate-2024-by-fido-alliance/
Wed, 30 Oct 2024 20:59:20 +0000

The post Highlights from Authenticate 2024 by FIDO Alliance appeared first on IDPro.
by Dr. Tina P. Srivastava

Authenticate 2024 took place in Carlsbad, CA in mid-October. The weather was beautiful and the attendance was high. Hosted by the FIDO Alliance, Authenticate focuses on user authentication and brings together CISOs, business leaders, product managers, and identity architects.

Keynote and session highlights:

IDPro member Chris Anderson, Product CTO at Cisco, discussed the challenges that exist today with compromised identity credentials, which contribute to over 80% of data breaches, a figure that seems undented year over year. Chris noted that there are gaps in protection, as no phishing-resistant MFA is available for many areas: unmanaged devices, remote access, Linux systems, contractors and vendors, and others.

Description automatically generated

A group of men on stage

Description automatically generated

IDPro member Tina Srivastava, PhD, Badge Co-founder and MIT Lecturer, and Bill Wright, former executive director at USAA bank and FIDO board member, presented on the importance of strong attestation for passkeys and the approaches financial institutions are taking to solve this on their passwordless journeys. Relatedly, Pedro Martinez from Thales presented why synced passkeys do not work for banking, including that “they are exported and stored in the Cloud of the user’s device OS” and “synced passkeys may not meet stringent MFA requirements from Financial regulators in some countries/regions.”

The industry has been seeking phishing-resistant technologies to address the problem of breaches caused by the compromise of identity credentials. Challenges exist with passkeys, such as account recovery, provenance, and portability. Many approaches still keep a password or KBA as a fallback for account recovery, which leaves account takeover (ATO) open to social engineering.

Google’s keynote by John Gronberg noted “Cross device still a challenge” and “Users are anxious about losing their devices.” In his key learnings about passkeys, he shared, “Raising the security bar comes later” and that passkeys are for “re-authentication,” account takeover playbooks already include passkeys, and credential managers storing passkeys are becoming targets. He noted that the new device bootstrap scenario is critical and unsolved. Amazon’s keynote by Abhinav Mehta similarly noted “Cross-Platform Challenges” and that “Passkeys don’t transfer across platforms.”

On the future of digital payments, Mastercard executives Jonathan Grossar, VP, product management, and Fred Tyler, VP, emerging digital products for North America, introduced the concept of the payment passkey, bound to a user’s device. They shared that in higher-security situations, enterprises are leaning towards device-bound passkeys. Generally, enterprises are not adopting synced passkeys as stand-alone MFA. This is the approach many companies seem to be taking, including Mastercard.

Sushma K. and Ritesh Kumar from Microsoft shared the challenges of migrating a passkey across devices. They demonstrated a one-time, per-device setup that requires scanning a QR code with a phone or tablet. The accessibility and usability issues of scanning QR codes were raised.

Amazon and Microsoft presented their passkey implementations, including the importance of using prompts like “Skip for now” instead of “Not now” or “No thanks.”

Partnership Announcements and Expo highlights:

Qualcomm and Daon are working toward IoT-connected cars using biometrics and passkeys with key drivers including personalization and payments. 

Cisco and Thales announced major partnerships with Badge, the award-winning privacy company enabling identity without secrets. The companies demonstrated their joint integrations with customers. Cisco demonstrated the Hardwareless MFA experience. Thales showcased Passwordless authentication without secrets.


Social highlights:

An identity-themed family feud-style game show captured the attention of attendees, resulting in laughter and applause from the Authenticate audience. A big surprise was that for the question “What trend are you most tired of in the identity and access management space?” the answer “FIDO/Passkeys” was #2. IDPro member Jeff Steadman, of the Identity at the Center podcast, quickly noted to his FIDO hosts that he did not generate these and was just the host! The Gliterati team was seen taking shots on stage at a fun-filled comedic break.

Karaoke was a hit at the Passwordless Party. Pictured below, singing their hearts out to Katy Perry’s “Firework”: Christiaan Brand from Google, IDPro member Tim Cappalli from Okta, Matt Miller from Cisco, IDPro member Christine Owen from 1Kosmos, Jamie Danker from Venable LLP, and IDPro member Tina Srivastava, PhD from Badge (left to right).

[Photo: karaoke at the Passwordless Party]

Dr. Tina P. Srivastava is an entrepreneur, author, inventor of more than 15 patents, and an MIT-trained rocket scientist. She served as Chief Engineer of electronic warfare programs at Raytheon before founding a cybersecurity startup that was acquired by a public company and global leader in network security. She is an FAA-certified pilot and is a Lecturer at MIT in Aeronautics and Astronautics.

When her identity was stolen in a data breach in 2015, Dr. Srivastava teamed up with a group of MIT cryptography PhDs to crack the code on one of the most common reasons for modern data breaches: stored credentials. Together, they solved a decades-old cryptography problem to remove PII, biometrics and other stored credentials from the authentication equation, eliminating highly vulnerable storage systems as points of attack for hackers. Badge Inc. is the award-winning privacy company enabling Identity without Secrets™.
