What is a digital identity?
A digital identity is an individual’s digital version of their analog identity. It consists of multiple accounts, credentials, entitlements, behaviors, and usage patterns associated with an individual.
Represented and digitally documented online, a digital identity provides a digitally authenticated and stored collection of characteristics associated with a uniquely identifiable individual. It is used to authenticate users when validated proof of identity is required to access online services or perform transactions or operations.
Like analog identities, a digital identity has requirements to ensure validity. Three main characteristics are:
- A digital identity must be personal and non-transferable (i.e., it can only be accessed and used by the individual to whom it belongs).
- A digital identity must be reusable (i.e., once a digital identity is assigned, it can be used wherever it is required).
- A digital identity should be easy to use (i.e., accessible and usable wherever it is needed without requiring any technical expertise).
A digital identity can be used to:
- Access existing accounts
- Establish credibility to access services
- Open a new account
Often, a digital identity makes known the presence of an individual or entity within applications, networks, on-premises systems, or cloud environments. It could be a person, organization, application, or device.
Unique identifiers and use patterns make it possible to detect digital identities for security purposes.
Website owners and advertisers also use them to identify and track users. In these cases, a digital identity is used for personalization, enabling highly-targeted content and advertising.
Digital identities vs users
Users and digital identities possess a one-to-many relationship regarding accounts. However, unlike a digital identity (the unique characteristics that make up a person’s online identity), a user refers to the person or entity that operates or interacts with a resource and their associated activities.
As an example, in a cloud environment, an Identity holds the password, while the user holds the name, email address, and other properties of a user. In this case, a user has the option of having an associated digital identity. However, to access most applications and services, users are required to have or create a digital identity.
Types of digital identities
Digital identities fall into three main categories: Human, machine, and cloud.
Human digital identity
A human digital identity provides access to various resources. Examples of a human digital identity in an enterprise environment are:
- Customers
- Employees
- Partners
- Vendors
Machine digital identity
A machine identity is used to authenticate non-human users, such as applications, servers, and software, as well as mobile, Internet of Things (IoT), and other devices, to a network or system.
Cloud digital identity
A cloud digital identity is used to provide access to cloud-based computing resources and services. A cloud digital identity can be used for machines or humans.
Different digital identities can be used depending on the activities being performed. Examples include:
- Citizen digital identity: Governments use this to provide citizens with access to online systems. Examples of how a citizen’s digital identity is used are to:
- Order official documents
- Find a personal identification number
- File tax returns
- Electronic banking digital identity: Financial institutions use digital identity to provide customers with access to account information and make transactions (e.g., pay bills or trade securities).
- Employee digital identity: This is assigned by an employer and used for various purposes, such as to:
- Access the internal network
- Enter an office building
- Use other company resources
- Online shopping or customer digital identity: This is used to provide customers with the ability to make secure online purchases. In addition, a customer digital identity helps merchants manage customer data to:
- Improve customer service
- Personalize marketing campaigns
- Prevent fraud by detecting unusual patterns
- Track customers’ transactions, preferences, and demographic information
There are four main categories of digital identity usage: a credential, a character, a user, and a reputation.
Digital identity as a character
With digital identity as a character, an individual creates a persona to distinguish themselves online. Digital identity as a character is a form of self-expression that is based on user-created descriptions, commentary, interactions, and activities. A character digital identity is largely based on elements from personal apps, such as dating, social media, and metaverse profiles.
Digital identity as a credential
When used as a credential, a digital identity is based on specific information used to validate a user. Digital identity as a credential relies heavily on government-issued documents, such as birth certificates, driver’s licenses, passports, or social security numbers. Depending on the circumstances, email identifications may also fit this category.
Digital identity as a reputation
A digital identity as a reputation is derived from reputable and authorized entities. This type of digital identity contains information about an individual’s history in a particular area, such as employment history, educational background, credit scores, and criminal records.
Digital identity as a user
A digital identity based on a person’s role as a user of online resources and services relies on information related to their digital behavior. The elements of a user-based digital identity include browsing history, online purchases, webinar signups, and opened emails.
Digital identities vs accounts
There are similarities between a digital identity and account, but they are not the same. Both contain personally identifiable information (PII) and confidential data as well as serve as a way for users to gain access to online resources (e.g., application, platform, network, or website). However, that is all they share.
An account is a type of digital identity, but it does not represent a person’s entire online presence. Users typically have multiple accounts (e.g., work email and network, personal email and network, websites, and cloud services).
Digital identity attributes
Digital identity attributes classify ownership. Defining attributes for a digital identity can range from credentials and legal names to browsing history and location data. Digital identity attribute data is divided into three categories:
- Accumulated (e.g., transaction history or health records)
- Assigned (e.g., social security number or custodianship)
- Inherent (e.g., date of birth or fingerprint)
Digital identity identifiers
Digital identity identifiers are the data that make up a digital identity. The identifier associated with a digital identity can vary based on how it is used (e.g., accessing a corporate network, browsing an e-commerce site, or logging into a bank account). Digital identity identifiers may include:
- Biometrics (e.g., fingerprint, retinal scan, or facial scan)
- Birthdates
- Browsing activity
- Email addresses
- Government-issued identifiers (e.g., social security numbers, driver’s license numbers, and passport numbers)
- IP addresses
- Purchase history
- Search history
- Usernames and passwords
Digital identity attack vectors
Cybercriminals have no shortage of creative digital identity compromise tactics. While privileged identities are preferred, non-privileged accounts are also valuable targets. Digital identity attack vectors that cybercriminals use include the following.
Abuse of self-service features is a commonly used attack vector for stealing a digital identity. Cybercriminals game the forgotten password feature by guessing passwords and reestablishing access through fake identities.
Canary accounts are created by cybercriminals to study how internal systems work before launching an attack. These appear to be legitimate accounts and are usually used only for reconnaissance and not to perpetrate an attack.
Credential stuffing takes advantage of users’ tendency to reuse passwords across multiple online accounts. With credential stuffing, stolen digital identity information is used to try to gain entry into other accounts. This type of attack is often automated using bots.
Misconfigurations are exploited as they provide gaps in security armor that provide an entry point. Vulnerability exploits bugs in systems as a point of entry to take over an account.
Password spraying is a digital identity attack vector that uses a brute-force approach of trying commonly used usernames and passwords to impersonate someone’s digital identity and gain unauthorized access to systems or services.
Privileged access attacks are launched using purloined credentials from users with privileged access or acquired by executing privileged escalation or lateral movement to gain access and control of multiple accounts.
Social engineering covers a wide range of attack tactics that manipulate users to share their personal information, such as impersonating law enforcement, posing as a friend or colleague, or pretending to be a representative from a financial institution. The objective of digital identity theft is to capture access information, such as credentials or one-time passwords.
Examples of social engineering tactics used to steal digital identities include:
- Phishing—a common type of social engineering that lures targets through email
- Smishing—the same as phishing, but using text messages instead of email
- Spear phishing and whaling—also versions of phishing that are aimed at specific users (spear phishing) or executives (whaling)
Safeguarding digital identities
Best practices for digital identity protection include the following.
Deploy a digital identity warehouse
Gain visibility and insights by using a digital identity warehouse as a central repository to store and manage identity data for all users (e.g., humans, systems, devices, and data sources), taking care to ensure that shadow IT is included.
Follow the principle of least privilege
Continuously review and adjust users’ digital identity entitlements and roles to keep them aligned with actual needs. Each person’s digital identity should give them exactly the right amount of access to the right resources at the right time.
IT administrators should use a standard account for performing any activity that does not explicitly require privilege to limit the exposure of privileged accounts. This helps mitigate threats, as most malware depends on privileges for lateral movement.
Implement strong access controls
Digital identity access security controls should use roles and policy management. These should be used to assign access to data and applications on an as-needed basis only as well as manage and monitor provisioning and deprovisioning. In addition, separation of duties (SoD) should be implemented to avoid risky access combinations.
Monitor every digital identity for risk
Digital identity access should be continuously monitored with logging of all users’ activities based on their access to proactively create alerts when suspicious activity is detected.
Perform digital identity assessments
Analyze each digital identity to identify access and SoD risk by user, role, and business process. This also helps identify access updates that need to be made, establish behavior baselines, and direct optimization of security policies and controls.
Remove unused or obsolete privileges
If a digital identity becomes obsolete or has unused privileges, the account should be deprovisioned, and any unused or unneeded privileges should be revoked.
Educate users about digital identity threat vectors
Digital identity theft puts all systems and resources at risk. Educating users about digital identity risk helps reduce the risk of loss or theft. Training and embedding security awareness into corporate culture can protect digital identities and help harden attack surfaces.
Harden systems
Digital identity safeguards are also achieved by keeping systems hardened, which should be part of overall security efforts. Hardening systems should remove unused or obsolete applications and related privileges as well as close unneeded or risky ports.
Install all updates and patches in a timely manner
Digital identity protection is supported by eliminating system vulnerabilities caused by outdated software or firmware. Installing updates and patches in a timely manner improves the baseline security posture and minimizes the attack surface.
Digital identity: An opportunity and a threat
The accelerating replacement of a user’s analog identity with a digital identity continues at a breakneck speed despite the risks. In addition to corporate entities, governments are increasingly using digital identity as an alternative approach to analog options.
The success of digital identity depends on the effective use of existing cybersecurity tools along with new ones that have been purpose-built to address challenges. Learning about how digital identity works and its strengths and weaknesses helps protect this powerful technology.
