The evolution of identity with Chief Technical Officer, Chris Eckl

21 July 2020

In this Condatis ‘Meet the Team’, we’re speaking with Condatis CTO and co-founder Chris Eckl. Chris takes us on a whistle-stop tour of how identity has evolved and what’s coming in the future.

Where did identity on the internet begin?

The first digital services were really only protected by being hidden; if we were lucky, we stumbled upon them. As the internet grew, hackers came along and protecting resources simply by obfuscation wasn’t good enough. So, businesses started putting usernames and passwords on websites and saving these credentials in databases. But it turned out this wasn’t the best way to protect us (though we didn’t know it at the time):

  • Credentials were usually sent in the clear over the wire, and if a service wasn’t well protected from man-in-the-middle attacks – and in the early days many weren’t – someone listening in could see user credentials and steal them.
  • Passwords become an attack vector. We are bad at choosing passwords and typically use the same passwords across multiple sites. And how were sites storing these passwords in their databases? Generally, in cleartext. So, when a credential store was compromised – either hacked or from a bad actor in a business – the attacker had passwords he or she could readily try elsewhere.

We started to address this:

  • By making web traffic encryption the default standard. HTTPS helps prevent man-in-the-middle attacks by making it more difficult for bad actors to tamper with communications between a user and a site.
  • We stopped storing passwords in cleartext. Companies started protecting databases with hashing algorithms, so they couldn’t see the passwords anymore. Salting passwords stopped algorithms identified for one credential store being used to guess passwords from another (that used the same hashing algorithm).

There was still more to do…

Should a business be responsible for managing credential stores in the first place, though? It’s a lot of PII for a business to hold and the number of high-profile hacks shows many companies aren’t very good at keeping our data safe. Businesses started to externalise this function, using services such as Microsoft Azure Active Directory to take the burden of keeping credentials safe away from the business. Businesses can take advantage of Microsoft investment in securing AAD and the threat analytics that comes with operating identity systems on a global scale.

Multi-factor authentication and passwordless

Credentials remain a weak point. We are expected to know different, complex credentials for each service and this is hard. How can we make this experience better? One answer is multi-factor authentication (MFA). With MFA I replace or augment the credential as something I know (a username and password) with something I have. We put a secret on a device – typically on a user’s phone.

What we start to see now is authenticator apps replacing passwords entirely. We see this in Windows Hello and Apple Face ID. These are passwordless technologies that make identity about as simple and secure as it can be right now. Extending this out to services where we currently have usernames and passwords will start to happen.

What’s coming next?

A change I hope we’ll see is a move away from centralized identity stores. A lot of us trust providers such as Facebook and Google to identify us to websites. This means we’re telling these providers a lot about where we spend our time on the web. Google knows if we’re signing into a hardware store or a service offering advice on a medical condition. And what happens if Google changes their model and starts charging us to use our Google identities?

The challenge is how we move away from a reliance on providers we may not entirely trust and to more decentralized systems. Decentralized systems build a safer internet because I can take my data from a provider such as Facebook and Google and use it without the provider knowing what I’m doing. This means I can prove things like age, earnings, or state nationality without the issuer of that data needing to know why.

I think decentralized identity will start to become reality soon. We’re working with a number of customers to test what’s possible and hope to get something into live use very soon.
