A Review of the Best News of the Week on Identity Management & Web Fraud

Simple Banking Security Tip: Verbal Passwords (Krebs on Security, Nov 06 2017)
“There was a time when I was content to let my bank authenticate me over the phone by asking for some personal identifiers (SSN/DOB) that are broadly for sale in the cybercrime underground. At some point, however, I decided this wasn’t acceptable for institutions that held significant chunks of our money, and I began taking our business away from those that wouldn’t let me add a simple verbal passphrase that needed to be uttered before any account details could be discussed over the phone.”

Estonia suspends 760,000 national ID cards found prone to encryption vulnerability (SC Magazine, Nov 08 2017)
Estonia on Friday blocked the certificates of 760,000 national ID cards in response to a cryptographic vulnerability that researchers have discovered is even more dangerous than originally reported.

Duo conducted a U.S.-census-representative survey that asked questions about 2FA usage (The Duo Blog, Nov 07 2017)
Through this survey, they discovered that:
– Only 28% of people use 2FA.
– The majority of participants who did use 2FA (54%) began using it voluntarily.
– Two-thirds of people who had used security keys or push notifications as an authentication method believed it to be convenient and quick.

How to Protect Yourself From Security Oversights (Auth0 Blog, Nov 03 2017)
An inside look at how tech companies can improve their security and what you can do to help yours, too

Shape Security introduces Blackfish to protect consumers whose passwords have been stolen in data breaches (Shape Security, Nov 07 2017)
Credential stuffing attacks are responsible for more than $10 billion in fraud losses, identity theft, and brand damage every year. Shape’s network data shows that in many industries, such as retail, more than 90% of all login attempts to websites can come from credential stuffing attacks rather than from real users. In these attacks, cybercriminals use advanced automation to test stolen passwords on other websites, simulating real users to take over large groups of accounts en masse.
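The signature of the attack described above is visible in plain authentication logs: one source cycling through many distinct usernames with a very low success rate, while a real user who mistypes a password retries the same account a few times. The following detector is an added example written for this review; it is not Shape’s code and does not describe how Blackfish works. The log format, the sample lines and the thresholds (5 distinct users in a 5-minute window, at most a 20% success rate) are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data): one source spraying stolen
# credentials across ten accounts, one legitimate user retrying a typo, one
# ordinary login. The "src=... user=... result=..." format is an assumption.
SAMPLE_LOG = """\
2017-11-07T10:00:01Z src=203.0.113.5 user=alice result=FAIL
2017-11-07T10:00:02Z src=203.0.113.5 user=bob result=FAIL
2017-11-07T10:00:02Z src=203.0.113.5 user=carol result=FAIL
2017-11-07T10:00:03Z src=203.0.113.5 user=dave result=OK
2017-11-07T10:00:03Z src=203.0.113.5 user=erin result=FAIL
2017-11-07T10:00:04Z src=203.0.113.5 user=frank result=FAIL
2017-11-07T10:00:04Z src=203.0.113.5 user=grace result=FAIL
2017-11-07T10:00:05Z src=203.0.113.5 user=heidi result=FAIL
2017-11-07T10:00:05Z src=203.0.113.5 user=ivan result=FAIL
2017-11-07T10:00:06Z src=203.0.113.5 user=judy result=FAIL
2017-11-07T10:01:10Z src=198.51.100.7 user=alice result=FAIL
2017-11-07T10:01:25Z src=198.51.100.7 user=alice result=FAIL
2017-11-07T10:01:40Z src=198.51.100.7 user=alice result=OK
2017-11-07T10:02:00Z src=192.0.2.9 user=bob result=OK
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(OK|FAIL)$")


def parse_log(text):
    """Parse log text into (timestamp, source, username, success) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash the detector
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4) == "OK"))
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_users=5, max_success_rate=0.2):
    """Flag sources that try many distinct usernames within `window`
    with a success rate at or below `max_success_rate`.

    Returns {source: finding}, where the finding records the widest
    qualifying window and which usernames were successfully logged in
    (candidates for forced password reset and session revocation)."""
    by_src = defaultdict(list)
    for ts, src, user, ok in events:
        by_src[src].append((ts, user, ok))

    findings = {}
    for src, attempts in by_src.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # advance the window start until the window fits within `window`
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            win = attempts[start:end + 1]
            users = {u for _, u, _ in win}
            successes = sum(1 for _, _, ok in win if ok)
            rate = successes / len(win)
            if len(users) >= min_users and rate <= max_success_rate:
                prev = findings.get(src)
                if prev is None or len(users) > prev["distinct_users"]:
                    findings[src] = {
                        "distinct_users": len(users),
                        "attempts": len(win),
                        "success_rate": round(rate, 2),
                        "compromised": sorted(u for _, u, ok in win if ok),
                    }
    return findings


if __name__ == "__main__":
    for src, finding in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(src, finding)
```

The legitimate retry from 198.51.100.7 is never flagged because it touches a single username; the spraying source is flagged once it has tried five accounts, and the one account that accepted a stolen password is reported so it can be locked and reset. A real deployment would also look at the per-username view (one account hit from many sources) since stuffing tools routinely rotate through proxies, so a per-source threshold alone is easy to evade.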

Smile for the camera (or don’t!) – LastPass supports Face ID! (The LastPass Blog, Nov 03 2017)
Now, LastPass users can use Face ID to open up their LastPass vault, instead of typing the master password.

Identity Analytics: The New Face of IAM (SC Magazine, Nov 08 2017)
Identity Analytics (IdA) automates the detection of access risks, access outliers, excess access, shared high privileged access (HPA) accounts, and orphan and dormant accounts. It reduces the attack surface of identities by replacing roles defined through manual processes and legacy rules with machine-learning-based intelligent roles.
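Most of the checks listed above reduce to joining the directory against the HR roster and comparing each account with its peer group. The review below is an added example for this page, not code from any IdA product or from the article’s author; the roster, accounts, entitlement names, dormancy window (90 days) and peer-group floor (an entitlement held by fewer than 25% of departmental peers is an outlier) are all constructed assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample data (not from any real HR system or directory).
AS_OF = date(2017, 11, 9)

HR_ROSTER = {  # employee id -> (department, employment status)
    "u100": ("finance", "active"),
    "u101": ("finance", "active"),
    "u102": ("finance", "active"),
    "u103": ("engineering", "active"),
    "u104": ("engineering", "terminated"),
}

ACCOUNTS = [  # directory accounts; "used_by" is who actually logged in with it
    {"name": "u100", "owner": "u100", "ents": {"erp-read", "erp-post"},
     "last_login": date(2017, 11, 8), "privileged": False, "used_by": {"u100"}},
    {"name": "u101", "owner": "u101", "ents": {"erp-read", "erp-post"},
     "last_login": date(2017, 6, 1), "privileged": False, "used_by": {"u101"}},
    {"name": "u102", "owner": "u102", "ents": {"erp-read", "erp-post", "prod-db-admin"},
     "last_login": date(2017, 11, 7), "privileged": True, "used_by": {"u102"}},
    {"name": "u103", "owner": "u103", "ents": {"git-write", "ci-deploy"},
     "last_login": date(2017, 11, 9), "privileged": False, "used_by": {"u103"}},
    {"name": "u104", "owner": "u104", "ents": {"git-write"},
     "last_login": date(2017, 11, 1), "privileged": False, "used_by": {"u104"}},
    {"name": "svc-legacy", "owner": "u999", "ents": {"erp-post"},
     "last_login": date(2017, 2, 3), "privileged": False, "used_by": set()},
    {"name": "root-shared", "owner": "u103", "ents": {"prod-db-admin"},
     "last_login": date(2017, 11, 8), "privileged": True, "used_by": {"u100", "u103"}},
]


def review_identities(roster, accounts, as_of, dormant_days=90, peer_floor=0.25):
    """Return orphan, dormant, shared-privileged and access-outlier findings.

    orphan:            owner missing from the roster or not active
    dormant:           no login within `dormant_days` of `as_of`
    shared_privileged: privileged account used by more than one person
    access_outliers:   entitlements rare among the owner's departmental peers
    """
    active = {uid for uid, (_, status) in roster.items() if status == "active"}
    dept_of = {uid: dept for uid, (dept, _) in roster.items()}
    cutoff = as_of - timedelta(days=dormant_days)
    findings = {"orphan": [], "dormant": [], "shared_privileged": [], "access_outliers": {}}

    for acct in accounts:
        if acct["owner"] not in active:
            findings["orphan"].append(acct["name"])
        if acct["last_login"] < cutoff:
            findings["dormant"].append(acct["name"])
        if acct["privileged"] and len(acct["used_by"]) > 1:
            findings["shared_privileged"].append(acct["name"])

    # Peer-group comparison over personal accounts of active staff, by department.
    # Service and shared accounts are excluded so they do not distort the baseline.
    by_dept = defaultdict(list)
    for acct in accounts:
        if acct["name"] == acct["owner"] and acct["owner"] in active:
            by_dept[dept_of[acct["owner"]]].append(acct)

    for group in by_dept.values():
        for acct in group:
            peers = [p for p in group if p is not acct]
            if len(peers) < 2:
                continue  # too few peers to define what "normal" access looks like
            rare = {e for e in acct["ents"]
                    if sum(e in p["ents"] for p in peers) / len(peers) < peer_floor}
            if rare:
                findings["access_outliers"][acct["name"]] = rare
    return findings


if __name__ == "__main__":
    for kind, items in review_identities(HR_ROSTER, ACCOUNTS, AS_OF).items():
        print(kind, items)
```

The terminated employee’s account and the service account with an unknown owner surface as orphans, the long-unused accounts as dormant, the root account with two human users as shared privileged access, and the finance analyst holding `prod-db-admin` as an access outlier relative to peers. The peer floor is the knob that turns this from a rule into something closer to the role mining the article describes: lowering it tolerates more variety within a department, raising it pushes everyone toward the common entitlement set.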

They Wrote the Book on ABAC (Axiomatics, Nov 08 2017)
Artech House has just published a book on Attribute Based Access Control, authored by Vincent Hu, David Ferraiolo, Ramaswamy Chandramouli and Richard Kuhn.

Device provisioning: Identity attestation with TPM (Microsoft Azure Blog, Nov 07 2017)
Folks using the IoT Hub Device Provisioning Service to securely provision their devices are taking the opportunity to start using hardware security modules (HSM) to store the keys on their devices.

SaaS Identity Security (JumpCloud, Nov 09 2017)
The modern era of identity management kicked off when Tim Howes and his colleagues at the University of Michigan created the Lightweight Directory Access Protocol (LDAP). This protocol revolutionized how people could authenticate and manage user access.

How Biometrics is Transforming Online Identity Verification (Video) (BioCatch, Nov 06 2017)
In this panel, biometrics pioneers discuss the benefits, barriers, and challenges we can expect as more and more businesses begin improving their security measures through biometric authentication.

Identity management to-do list aligns with cybersecurity (CSO Online, Nov 07 2017)
Large organizations want to monitor user activities, move to multi-factor authentication, and get security more involved with IAM decisions.

In The Future, Retail Commerce Platforms Will Be Built With DevOps, Microservices and Identity (ForgeRock, Nov 08 2017)
Microservices are a variant of the service-oriented architecture (SOA) style that structures an application as a collection of loosely coupled services. The approach also parallelizes development by letting small autonomous teams develop, deploy and scale their respective services independently. That makes e-commerce applications faster and easier to build, able to operate at extremely high scale, and able to change or evolve individual services in a much more agile way.