Beyond the Breach Headlines: Why Fixing Flawed Identity Proofing is the Real Security Imperative

By Michael Harris, EVP and Chief Technology Officer, NextgenID

The relentless drumbeat of data breach announcements has dulled the shock at each new incident. Moreover, the continued rise in breaches — despite escalating investments in security tools and security teams — has engendered a sense of inevitability.

Why isn’t more security spending translating into fewer breaches? Because the core of our digital defenses — identity security — is weak.

To put it bluntly, many organizations are diligently building stronger walls around a structure with a cracked foundation. Relying on outdated and easily compromised identity-proofing and credentialing processes makes it far too simple for today’s increasingly sophisticated, AI-powered threat actors to bypass even the most advanced security controls and detection mechanisms. That’s because threat actors aren’t breaking down the door; they’re increasingly walking in with legitimate, stolen, or expertly fabricated keys.

Identity is the center of modern cybersecurity

The threat landscape of today looks very different from that of five years ago. Traditional malware is still a concern, but three in four successful cyberattacks now leverage compromised identities. This changes the nature of the cybersecurity battle — from stopping the enemies at the gates to detecting enemies already inside.

Anomaly detection and behavioral analytics play a crucial role in mitigating risk, but these strategies are inherently reactive. And the unfortunate truth is that separating the legitimate actions of legitimate actors from the malicious actions of actors holding legitimate credentials is extremely difficult. The focus should move to preventing those legitimate credentials from being inappropriately issued or successfully compromised in the first place.

The limitations of yesterday’s “strong” authentication

The business world recognized the inherent weaknesses of simple username and password combinations years ago, leading to widespread adoption of multi-factor authentication (MFA), single sign-on (SSO), and other “strong authentication” methods. But adding layers of security on top of a weak foundation provides a false sense of security. 

Indeed, a significant portion of identity-related breaches track back to vulnerabilities in the initial identity-proofing and credentialing stages. Threat actors are adept at exploiting weaknesses in these processes — using social engineering and increasingly sophisticated AI-powered tools to trick individuals and systems into granting them legitimate credentials or access. Whether it’s a phishing attack that harvests credentials or the creation of a synthetic identity that bypasses weak verification checks, the result is the same: an attacker with the keys to the kingdom.

IAL2 is already not enough to stop today’s attackers

Even the move toward Identity Assurance Level 2 (IAL2), which incorporates evidence-based authentication like government-issued IDs and (sometimes) biometrics, is increasingly outgunned by today’s attackers. Deepfakes, voice clones and other AI-powered tactics can now effectively circumvent many IAL2 controls — even spoofing biometric checks. In other words, just taking the next step up in identity credentialing will not be enough to get ahead of today’s threats.

IAL3: Establishing trusted identities in a hostile landscape

In the face of these advanced threats, the Identity Assurance Level 3 (IAL3) standards, as defined by NIST 800-63, offer a future-proof path toward trusted digital identities. IAL3 is built on three core principles that address the fundamental weaknesses of conventional (and even IAL2) assurance programs:

1) Advanced document authentication: Leading IAL3 solutions use technology-enhanced methods like multi-spectral UV light analysis to detect document counterfeiting. IAL3 technologies also verify the authenticity of identity documents directly with the issuing source, addressing the issue of synthetic identities.

2) Liveness detection: IAL3 solutions conduct identity-proofing sessions with real-time observation of the enrollee, allowing for facial comparison against the presented identity documents. Top IAL3 technologies use advanced liveness detection and face-matching technologies to ensure the enrollee’s presence and cross-verify their live image across multiple identity documents.

3) Biometric binding: IAL3 solutions capture and securely link a robust set of biometrics to the identity credential. Best practices include collecting multiple biometric modalities (face, fingerprints, dual iris). This binding provides a strong defense against SIM swaps and MFA bypasses that can undermine IAL2 security.

Breaking down the barriers to high-assurance identity-proofing

The perceived complexity, friction and costs associated with in-person IAL3 identity-proofing have limited widespread adoption in the business world — and largely for good reason: concerns about administrative overhead and user inconvenience were legitimate. However, technological advancements have drastically reduced these barriers.

The technology needed to execute IAL3 identity-proofing is now available in mobile kits and kiosks designed for self-service applications. And Supervised Remote Identity-Proofing (SRIP) has eliminated the need for physical agents to be present. Together, these innovations allow IAL3 credentialing to be deployed almost anywhere — and dramatically reduce travel or wait time burdens for enrollees.

Moreover, IAL3 solutions are now available via a frictionless transactional model, democratizing practical, cost-effective access. Companies no longer need to make large capital investments or build out an in-house team of SRIP agents, instead accessing these solutions on a flexible and scalable basis.

The network effect: A critical mass of trust

The convenience and cost-effectiveness of modern IAL3 solutions will increasingly make them a “no brainer” for businesses. And just as the proliferation of ATMs made banking more convenient and secure, we’re now seeing the establishment of nationwide identity-proofing networks that make the process more accessible and practical for both employers and distributed employees. This emerging network effect will create the critical mass of high-assurance digital identities needed to improve the overall security posture of the broader digital ecosystem — and turn the tide on rising cyberattacks.

But that momentum must start with a fundamental shift in focus — from simply detecting breaches to proactively establishing trusted digital identities at the outset. By addressing the core problem of weak identity-proofing, security and IT leaders can break the cycle of escalating security spend and meaningfully move toward a more secure and trustworthy digital future for all businesses.