Jacob Ideskog, Curity: “having systems that can safely assert properties about users without exposing the full user will become increasingly important”
A digital identity should gather only enough information about a person to assert that they are who they claim to be.
Identity authentication, along with identity theft, has been evolving rapidly over the past few years. Within a year, attacks involving usernames and passwords have increased by 450%.
Consequently, we have been witnessing a rise in the use of password managers, authentication applications, and other cybersecurity tools. Yet relying only on an application might not be enough if we keep providing our personal information each time we sign up for a new service or device.
How did Curity originate? What has the journey been like since your launch in 2015?
The idea of Curity sparked many years ago when Travis (Curity’s CEO) and I were on a long drive together. We dismissed it at first, but slowly and surely, the idea and concept grew on us.
Early on, we got some excellent professionals onboard. These outstanding people have created Curity’s culture. We’ve since also attracted new members of the team, too many to list, but all top-notch. At Curity, our culture is one of excellence and devotion to our craft.
Another key reason for our continued success is our early customers. All of our early adopters are still customers. They believed in us enough to use our product even before it had a UI, which is inspiring to me.
We have used the time since to ensure that our product, the Curity Identity Server, always remained the focus. As a result, we were able to build it at a reasonable rate, ensuring that it did not have too much technical debt and could continue to deliver excellence to our customers.
Can you tell us about the Curity Identity Server? What are its key features?
In short, it solves problems related to identities, APIs, and securing digital services, combining IAM and API security. It enables centralized, secure, and flexible authentication and a seamless user experience. It leverages OAuth and OpenID Connect with customizable tokens, scopes, claims, and policies. It also includes key features that support Open Banking initiatives and help customer organizations meet regulatory requirements in different regions.
One thing that perhaps stands out is our focus on configuration. We took a page from the Software-Defined Networking (SDN) playbook and applied it to the identity space, to make an incredibly configurable server that can be spun up in seconds.
How have the recent global events affected your field of work?
Access to systems and information, flexibility, and ease of use have come into sharp focus in the last couple of years. Hybrid working models have been essential for many organizations and this has meant a lot of new business. It accelerated digital transformation projects as companies have had to modernize their infrastructure, sometimes in record time, to cope with these changing models, and our approach to application access, login, and security has played a key part in helping them to adapt quickly. This need to act quickly has meant industry analysts such as Gartner are tracking different buying patterns in large organizations: a greater willingness to try new ways of delivering the services their organizations need, looking for new and innovative solutions rather than traditional IT brands, and focusing on speeding up buying and implementation times. We have been able to provide a modern, scalable identity and access solution that can keep pace with this rapid change.
What best practices can companies adopt to minimize the risk of identity-related attacks?
We’re big advocates for establishing a Zero Trust Architecture. It’s not the answer to everything, but it is a solid foundation. Enabling passwordless authentication is another important best practice. Most people use the same password across several online services, making their online accounts vulnerable to attack. For example, if one website is compromised and the password leaked, the attacker could access many of the user's other accounts. It’s much harder to compromise a passwordless login solution.
As for personal use, what actions can average individuals take to protect their identity online?
Not using the same password everywhere is a basic but critical one. Use a password manager if you need to use passwords. Always activate 2-factor authentication wherever possible. It’s easy to do but makes it just that little bit harder for those with bad intentions.
Since digital identity is a relatively new technology, people still tend to have some misconceptions regarding it. Which ones do you notice most often?
I think a common misconception is about what constitutes a digital identity. It doesn’t have to contain much personal information at all. In fact, most of the time, it shouldn’t. It just needs to be a way for a person to assert that they are the same person as last time. Many systems do not need to know more than that. There are times when a digital identity needs to be tied to a physical identity, such as with e-IDs, but more times than not, it isn’t needed.
What security issues will arise in the near future as digital identity becomes a significant part of our lives?
I think we already are seeing it, namely, identity fraud. This will gain more and more traction and needs to be stopped at the gate by requiring stronger authentication in more systems. The other part is privacy. I think we will need to work at providing better tools for companies and individuals to increase privacy. For example, just because you need to know my age, doesn’t mean you need to know my username. Having systems that can safely assert properties about users without exposing the full user will become increasingly important.
What do you think the future of authentication is going to be like? Do you think the use of biometrics is going to become commonplace soon?
We think biometrics is already commonplace as it is part of most smartphones and laptops these days. However, I think the future is going to make sure we keep broadening the sources of verification. The problem with biometrics is that it can’t be replaced: my finger is always my finger. So once provided to a system, it’s tightly coupled with the user. This is often not desirable, so having other sources such as things you have or things you know will always be needed. The industry is moving more towards a statistical analysis of your behavior to determine the risk involved in the current transaction. A simple example is if you always log in from, say, Stockholm, and, all of a sudden, log in from New York, it may be apt to request additional steps to authenticate you. Adapt the login experience based on your routines.
Would you like to share what’s next for Curity?
Our goal at Curity is to make the Internet a safer place. We look a lot at what we can do in the privacy space as well as in authentication. How can we make it easy to build secure systems that also protect the privacy of the individual? This is something you’ll see more from us in the coming years.