Companies must consider these top identity and access management metrics to measure how well their IAM functions and improve their IAM capabilities to better protect customer information, reduce the number of breaches, and improve identity-related processes across the organization. By considering and using these top IAM metrics, companies can know how well their existing processes and controls are working and quantify the effectiveness of the IAM measures in some key areas. This article will cover 12 top identity and access management metrics that companies may consider when assessing their IAM capabilities.

Top Identity and Access Management Metrics

12 Top Identity and Access Management Metrics

1. Password Reset Requests

Password reset is one of the most common reasons for users calling the service desk. The more employees who need help resetting their passwords, the larger the number of service desk calls. Tracking this metric helps companies spot potential issues in this area, assess which aspect of their password management is not working properly, and make the necessary changes and investments to improve.

2. Number of Users with Access to Sensitive Data

A surprisingly large number of employees might have access to sensitive information without the necessary business needs. For example, this could be because they no longer need access due to a role change or are no longer working for the company.

This access creep could pose a security risk. Tracking this metric can help assess the risk exposure and ensure that only the right people have access to sensitive information.

3. Authentication Factors

Authentication factors include PINs, passwords, tokens, and more. Tracking the number of authentication factors in place helps companies ensure that users rely on multiple measures rather than a single point of failure (e.g., a stolen password). Furthermore, authentication factors must be regularly tested to ensure they are working properly. Tracking this metric can help companies discover areas where authentication measures may need to be improved or adjusted.

4. New Accounts Provisioned

Every time an employee joins the company, a new account may be created for them. The number of new accounts being created per day can provide information on whether your company is growing – and thus why internal systems may need to be scaled or updated to support them. This information can help companies understand the rate at which employees are joining and leaving the organization – allowing them to adjust their headcount or security levels accordingly. The growing number of new accounts provisioned is important to consider, as they will need to be managed over time.

5. Average Time to Provision a User Account

The time it takes to provision a user account can be an extremely important metric for IAM, especially when critical transactions are involved. Faster speeds mean employees will have access to the applications they need to do their jobs. This information is crucial for areas where multiple clients might require accounts to be provisioned in a short timeframe. Time-to-provision can help companies identify areas where they need to speed up processes.

6. Expansion Rate

An expansion is the addition of a new application, data set, location, group of users, or business unit for which employees need additional access. The number of expansions per month can show what kind of growth your company is experiencing – helping you plan headcount accordingly. These metrics are also helpful to keep an eye on for audit purposes.

7. Number of Privileged Accounts

Privileged accounts hold administrative access to various network components, including Active Directory, servers, and more. These accounts need to be regularly audited to ensure only the correct users have elevated access privileges. Furthermore, companies should track the number of privileged accounts to ensure they are not growing too quickly. It is recommended that companies limit the total number of privileged accounts in their environments. Any account that does not have a legitimate business purpose should be disabled as soon as possible.

8. Number of Service Accounts

Companies are constantly creating new service accounts, which are often embedded within applications to perform automated tasks. While service accounts are sometimes needed, they can pose a security risk because some service accounts have no password expiry date. Tracking service accounts can help prevent potential security breaches.

9. Offboarding and Access Removal

How often do employees leave the organization or change roles while unnecessarily retaining system access? Measuring the percentage of departed employees who still retain system access helps fix offboarding flaws and improve the access termination process so that access is removed on a timely basis.

10. Number of Inactive Accounts

While organizations create new accounts on a daily basis, some of these accounts become inactive over time; they must be reviewed periodically and disabled.

11. Number of Orphan Accounts

An orphan account is an account with no identified owner. Clear account ownership ensures accountability and helps with activity tracking. If an account owner is not properly identified, the account’s activities cannot be traced back to a particular person. Orphan accounts are sometimes shared accounts, which is a serious problem when investigating a security breach associated with the account while no one can be held accountable.

12. Incident Response Time

It is important for companies to know how quickly they respond to issues reported by users, or an incident discovered during an audit or security monitoring. The incident response time is an indication of how quickly an organization closes an IAM gap to ensure continued operations and security.
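Several of the metrics above can be computed directly from an account inventory and an HR roster. The following is an added example (not from the original article) that derives the inactive, orphan, privileged, never-expiring service account and departed-with-access figures from a constructed sample; the field names and the 90-day inactivity threshold are assumptions.

```python
"""Computing IAM metrics 7, 8, 9, 10 and 11 from the article over a constructed
account inventory and HR roster (sample data only, not a real environment)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Person:
    hr_id: str
    employed: bool  # False once the person has been offboarded


@dataclass
class Account:
    name: str
    kind: str                   # "user" or "service"
    owner: Optional[str]        # hr_id of the accountable person, None if unknown
    enabled: bool
    privileged: bool
    last_login: Optional[date]  # None = never logged in
    password_expires: bool      # False for never-expiring credentials


def iam_metrics(accounts, people, today, inactive_days=90):
    """Return a dict of metric name -> value for one inventory snapshot."""
    known = {p.hr_id for p in people}
    enabled = [a for a in accounts if a.enabled]
    cutoff = today - timedelta(days=inactive_days)

    # 10. Inactive: enabled but unused for longer than the threshold, or never used.
    inactive = sorted(a.name for a in enabled
                      if a.last_login is None or a.last_login < cutoff)
    # 11. Orphan: nobody on the HR roster can be held accountable for the account.
    orphans = sorted(a.name for a in enabled if a.owner not in known)
    # 7. Privileged accounts that are still enabled.
    privileged = sorted(a.name for a in enabled if a.privileged)
    # 8. Service accounts whose credential never expires.
    svc_no_expiry = sorted(a.name for a in enabled
                           if a.kind == "service" and not a.password_expires)
    # 9. Departed people who still hold at least one enabled account.
    departed = [p.hr_id for p in people if not p.employed]
    still_with_access = sorted(h for h in departed
                               if any(a.owner == h for a in enabled))
    retained_pct = 100.0 * len(still_with_access) / len(departed) if departed else 0.0

    return {
        "inactive_accounts": inactive,
        "orphan_accounts": orphans,
        "privileged_accounts": privileged,
        "service_accounts_without_expiry": svc_no_expiry,
        "departed_with_access": still_with_access,
        "departed_retaining_access_pct": round(retained_pct, 1),
    }


# Constructed sample inventory (fictitious people and accounts).
TODAY = date(2021, 12, 1)
PEOPLE = [Person("alice", True), Person("bob", True),
          Person("carol", False), Person("dave", False)]
ACCOUNTS = [
    Account("alice", "user", "alice", True, False, TODAY - timedelta(days=3), True),
    Account("bob-admin", "user", "bob", True, True, TODAY - timedelta(days=10), True),
    Account("carol", "user", "carol", True, False, TODAY - timedelta(days=120), True),
    Account("dave", "user", "dave", False, False, TODAY - timedelta(days=200), True),
    Account("svc-backup", "service", None, True, True, TODAY - timedelta(days=1), False),
    Account("svc-etl", "service", "alice", True, False, None, True),
]

if __name__ == "__main__":
    for metric, value in iam_metrics(ACCOUNTS, PEOPLE, TODAY).items():
        print(f"{metric}: {value}")
```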


These top identity and access management metrics provide a snapshot of your IAM capabilities as well as risks associated with users, applications, data, and network. Paying attention to these numbers regularly can help you reduce the total cost of ownership (TCO) and keep track of whether or not your IAM implementation is working properly and, if not, highlight areas for security and operational improvement.

Blockchain Proof of Stake can prevent cyberattacks, as discussed in this article. Proof of Stake refers to the consensus algorithm used in many blockchains, which will also be part of Ethereum’s upcoming 2.0 upgrade. PoS is an alternative method of validating transactions and achieving consensus in a blockchain ecosystem and is considered the intellectual successor to Proof of Work.

Blockchain Proof of Stake consensus can prevent cyberattack

What is Blockchain Proof of Stake?

While proof-of-stake shares several similarities with its proof-of-work counterpart, a few key differences between the two could have significant implications for blockchain security and future scalability.

In Bitcoin’s proof-of-work network, miners race to solve cryptographic puzzles to add confirmed transactions to each block on the blockchain. Nowadays, this process requires substantial computing power and is known to be relatively energy-intensive. In contrast, proof of stake selects validators based on their ownership (stake) in the blockchain.

No block rewards are awarded in PoS, so validators only make money if they validate correctly and are voted into the active set. If not, they lose their deposit. This kind of consensus mechanism is a lot faster and more efficient than proof of work.

In its purest form, there will be no block rewards at all with the proof-of-stake system – meaning the only way to make money would be to validate transactions for a fee. To prevent network spam, the transaction fees would likely need to increase.

How Proof of Stake Can Prevent Cyberattack

Proof of stake is a more efficient alternative because it uses less computing power and enables faster transaction speeds. It also makes the blockchain theoretically more secure against a “51% attack” – a form of cyberattack in which attackers control over half the network.

Proof-of-work blockchains rely on miners to all act in good faith by following the consensus rules. This means that one group could control over 50% of mining power and execute what’s known as a majority attack.

A majority attack allows the attacker to prevent transaction confirmation, double-spend coins, and perform fork attacks, making forked or alternative versions of the blockchain valid. This is because there has been disagreement over the main version of history in a “51% attack”.

However, a proof-of-stake system only allows validators to choose a block if they have provided a security deposit. So, attackers could not prevent transactions from being confirmed or fork the blockchain, because they would not have access to their locked stake.

Proof of stake can also reduce the probability of forks occurring in a blockchain system because it prevents bad actors from double-spending coins. This is because the stake will be lost if this individual acts dishonestly and doesn’t follow consensus.

Proof of Stake can prevent cyberattacks mainly because it requires attackers to control the majority of all coins, which makes an attack costly, with minimal reward, and almost impossible.

How Proof of Stake Works

Distributed computing systems such as blockchains are designed to be secure and to offer the highest possible Byzantine fault tolerance, which ensures the system operates correctly even if some components fail, behave maliciously, or respond slowly.

Proof-of-work mining was first used in Bitcoin by Satoshi Nakamoto in 2008 to produce the blockchain. It verifies transactions through a consensus algorithm called “proof of work,” in which miners solve a cryptographic puzzle by trial and error.

This process requires expensive hardware and consumes large amounts of energy. As a miner, if you solve the puzzle first, you will be awarded the block and the transaction fees within.

Since then, variations of proof-of-work have appeared in many other cryptocurrencies, such as Litecoin. Proof-of-stake is an alternative to PoW that has emerged as a consensus algorithm for blockchain systems.

PoS could present new challenges or opportunities for organizations looking to adopt blockchain technology into their businesses.

The idea is that instead of spending resources on the complex calculations required for proof-of-work, a node (a computer connected to the blockchain network) stakes a number of coins and becomes eligible to validate transactions. In this scenario, one would need to purchase at least 51% of all the coins to attack the blockchain, which makes it significantly harder to gain control over the ledger.

Proof-of-stake is primarily used by cryptocurrencies that want to encourage ownership (stake) of their currency and prevent the need for huge hardware investments required with PoW.

Proof of stake promises to bring consensus into the blockchain by allowing all stakeholders in the system to participate in the validation process. With this algorithm, there is no need for competition. Instead, there is a power distribution between all validators voted into the active set through their total coin balance and length of time staking.
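As an added illustration (not from the original article) of the mechanics just described, the following model picks block proposers in proportion to stake, burns a dishonest validator’s deposit, and computes how many coins an attacker must acquire to hold a majority; validator names, stakes and the seed are constructed.

```python
"""Toy model of proof-of-stake mechanics: stake-weighted proposer selection,
slashing of a dishonest validator's deposit, and the cost of a majority attack.
Validator names, stakes and the seed are constructed for illustration."""
import hashlib


def select_proposer(validators: dict, seed: bytes, slot: int) -> str:
    """Pick the proposer for `slot`: every staked coin is one lottery ticket, so a
    validator's chance equals its share of total stake. The draw is derived from a
    public seed so every node computes the same result."""
    total = sum(validators.values())
    digest = hashlib.sha256(seed + slot.to_bytes(8, "big")).digest()
    ticket = int.from_bytes(digest, "big") % total
    for name, stake in sorted(validators.items()):  # fixed order for determinism
        if ticket < stake:
            return name
        ticket -= stake
    raise AssertionError("ticket outside total stake")  # unreachable


def slash(validators: dict, name: str, fraction: float = 1.0) -> int:
    """Burn `fraction` of a dishonest validator's deposit (the article: 'they lose
    their deposit'); drop the validator once nothing is left. Returns amount burned."""
    burned = int(validators[name] * fraction)
    validators[name] -= burned
    if validators[name] == 0:
        del validators[name]
    return burned


def proposer_share(validators: dict, name: str, seed: bytes, slots: int) -> float:
    """Fraction of `slots` in which `name` is chosen; converges to its stake share."""
    wins = sum(1 for s in range(slots) if select_proposer(validators, seed, s) == name)
    return wins / slots


def coins_needed_for_majority(validators: dict, attacker: str) -> int:
    """Extra coins `attacker` must buy so its stake exceeds half of the enlarged
    total:  own + k > (total + k) / 2  <=>  k > total - 2 * own."""
    total = sum(validators.values())
    own = validators.get(attacker, 0)
    return max(0, total - 2 * own + 1)


VALIDATORS = {"alice": 500, "bob": 300, "carol": 200}  # constructed stakes
SEED = b"constructed-epoch-seed"

if __name__ == "__main__":
    print("carol (20% stake) proposes in",
          round(proposer_share(VALIDATORS, "carol", SEED, 10_000), 3), "of slots")
    print("coins carol needs for a majority:", coins_needed_for_majority(VALIDATORS, "carol"))
    v = dict(VALIDATORS)
    print("burned", slash(v, "carol"), "-> remaining validators", v)
```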

Other Blockchain Protocols include:

1- Proof of Authority: Instead of relying on the entire network to validate transactions, PoA uses an authorized dealer that validates all transactions.

2- Proof of Capacity: Instead of using energy-intensive computations, PoC uses hard disk space; participants are required to store a certain amount to gain mining rights in the blockchain.

3- Proof of Burn: In this blockchain protocol, miners give up their currency by sending it to a verifiably unspendable address; thus, they can only get the currency back by mining a new block.

4- Proof of Elapsed Time: This is a particular case of a proof-of-stake algorithm that uses trusted execution environments to add blocks. Participants in the blockchain must wait a specific amount of time while being recorded by a trusted validator before they are allowed to produce a block.

5- Proof of Weight: This protocol allows participants with higher weight in the network to create blocks more frequently than lighter participants.

6- Delegated Byzantine Fault Tolerance (dBFT): This protocol allows all users who stake tokens to participate in the consensus process by utilizing token holder voting.

7- Tendermint: This protocol is similar to Delegated Byzantine Fault Tolerance but uses a combination of stakeholders’ voting and traditional proof-of-work mining to achieve consensus.

So far, most blockchain protocols have been built using the rules of the Nakamoto Consensus, which states that all nodes in the system must agree to a certain set of rules. In Proof of Stake, instead of using complex computations to verify transactions, participants must have a certain number of tokens to validate a block.

What Blockchain Projects Already Use Proof of Stake?

A handful of cryptocurrencies currently use a version of proof-of-stake, and Ethereum is planning to convert from proof of work to proof of stake in ETH 2.0, which is slated for late 2021 or early 2022. Other examples are Peercoin, Nav Coin, Qora, and Nxt.

Many other cryptocurrencies have expressed interest in moving towards the proof of stake consensus model because it is better for scalability and security than Proof of Work. However, there are many technical obstacles that need to be resolved before pure proof-of-stake can be implemented.

Proof of Work vs. Proof of Stake

How do Proof of Work and Proof of Stake compare? Proof of Stake is an alternative form of consensus that has recently gained popularity. Proof-of-Stake holds the same goal as proof-of-work, to reach a fair and decentralized agreement on the blockchain, but uses an entirely different method to achieve it.

Rather than relying on computational power like with proof-of-work, proof-of-stake uses the amount of currency/tokens held by the miner to determine their chance of finding or mining a new block.

Proof-of-stake is in some ways similar to PoW, where miners must solve cryptographic puzzles to find blocks, but it also has very different characteristics that complement proof-of-work.

Some of the benefits to using proof-of-stake are:

- It is less power consuming, since miners are not required to use their computational power in the mining process.
- To mine, there is no need for special equipment. All that is needed to become a validator is an active internet connection and the currency required to be considered an active participant.
- It is much simpler, since it does not require advanced cryptographic puzzles to be solved to find a new block.

Benefits of Blockchain Proof of Stake in Preventing Cyberattacks

1- The cost of hacking a blockchain is higher than the potential benefits that can be reaped from such an attack.

2- To successfully carry out a 51% attack, cybercriminals must control power equivalent to at least 51% of global hashing power.

3- If they succeed in carrying out the attack, the cost of the investment becomes a significant deterrent for them to keep going with their malicious activity.

4- To be recognized as a legitimate blockchain, attackers must convince more than 50% of all participants in the network that theirs is the correct chain while simultaneously making sure they don’t get outcompeted by the “good” chain.

5- The higher the hashing power and the number of participants, the more difficult it becomes to launch a successful cyberattack.

Drawbacks of Proof of Stake

Cyberattacks against proof-of-work cryptocurrencies such as Bitcoin and Ethereum (PoW) aren’t new. The PoS protocol is also not without its flaws when it comes to security. One of the greatest drawbacks is that it is not very efficient in ensuring safety, as the computers must run 24/7 on the network to maintain ultimate computing power for cyberattack prevention. That’s impossible.

Some drawbacks in using proof-of-stake include:

· If someone holds one third or more of the tokens, they are given more power, since they are more likely to be selected to mine.
· This can be seen as unfair because it concentrates power among a small group of people.
· It is more centralized, since only 10–20 validators participate in mining new blocks; this allows for manipulation and collusion on the network, making it unreliable.
· Nodes have been hacked many times, undermining the trust invested in cryptocurrencies based on this consensus algorithm. The blockchain itself has never been hacked, but individual nodes have been attacked.

However, hackers have managed to find several bugs that could be exploited to create coins out of nowhere, hijack the blockchain, and recover coins that had already been spent.


Proof of Stake is a somewhat controversial topic since many people don’t understand how it works. However, it is easily understandable that proof-of-stake is more secure and less resource-intensive than proof-of-work, but some drawbacks still need further attention. Although a PoS blockchain has never been hacked, individual nodes have been attacked.

The Federal Financial Institutions Examination Council (FFIEC) issued new guidance titled “Authentication and Access to Financial Institutions Services and Systems” on behalf of its members, which offers 11 tips for authentication and access to financial systems. FFIEC was established in March 1979 to prescribe uniform reporting principles and standards and to promote uniformity in the supervision of financial institutions. The new guidance replaces the FFIEC Authentication in an Internet Banking Environment (2005) and the Supplement to Authentication in an Internet Banking Environment (2011). Those two publications provided risk management guidance to financial institutions that offered internet-based products and services. This article discusses some of the tips and practices from the guidance below.

11 Tips for Authentication and Access to Financial Systems from FFIEC Guidance

The Purpose of the New Guidance

The new guidance aims to provide direction for access to digital banking services and information systems. It offers examples of practical risk management principles and practices that are useful for authentication and access, and it helps financial institution management evaluate new authentication threats and control practices.

The new guidance addresses issues such as:

1. The need to perform risk assessment by authenticating users and customers to protect information systems, accounts and data from risks associated with cybersecurity threats.
2. The importance of extending authentication practices beyond customers to include employees, third parties and service accounts accessing financial institution systems and services.
3. The use of multi-factor authentication (MFA), or controls of equivalent strength, to effectively mitigate the risk of unauthorized access.
4. Alignment with other safety and soundness standards and other laws and regulations governing financial institutions.

Section One: Highlights of Guidance

In this section, the guidance identifies two main parties that require authentication. The first group is the users that access the financial institution’s information system. Users include the employees, third parties, board members, service accounts, installed applications and devices. The second group is the customers and consumers granted access to the digital banking services offered.

The level of authentication required by the financial institution depends on factors such as the operational and technological complexity of the institution, its risk environment assessment, its risk appetite, and its risk tolerance.

Some of the best practice tips highlighted include:

1. Conduct a thorough risk assessment of the digital banking and information system environment for the access and authentication issues that might arise.
2. Take note of all users and customers that access the financial institution’s systems and services and those that require advanced authentication and access controls.
3. Monitor the activities of the users and customers and implement layered security controls to prevent unauthorized access.
4. Ensure that the identity of all users and customers is verified before they are granted access to the financial institution’s systems and services.
5. Evaluate the effectiveness of the user and customer authentication controls put in place from time to time.
6. Maintain awareness and education programs for users and customers on the importance of authentication and access controls.

Section Two: Threat Landscape

In this section, the guide points out that financial institutions are increasingly exposed to authentication risks. The risks arise from new technologies that enable third parties to access the institution’s information systems remotely. Some of the latest technologies that pose significant risks include cloud computing service providers and application programming interfaces (APIs). These additional entry points increase the opportunity for malicious users to gain access and commit data breaches against financial institutions and their affiliates.

Specific control measures can be put in place in financial institutions to reduce the authentication risk that comes with increased access points. The use of out-of-band communication and encryption protocols to support secure authentication is one way of doing that. Attackers use sophisticated technologies such as automated password cracking tools, which render controls previously thought to be effective useless. An example of an inadequate control is single-factor authentication. Nowadays, multi-factor authentication, in combination with other layered security controls, is more effective.

Section Three: Risk Assessment

In this section, the guide emphasizes the need for financial institutions to conduct risk assessments before implementing new financial services. For example, when introducing a digital payment service, it is vital to assess the access and authentication risks that might arise from it. The assessment should also be done against other business and non-business variables. A risk assessment identifies the threats and vulnerabilities affecting access and authentication practices, and it informs the controls chosen for authentication techniques and access management. It is important to note that this risk assessment should be repeated periodically over the life of the financial institution’s product or service.

Some areas listed that require risk assessments include:

1. The inventory of all information systems and their components that need authentication. This includes the hardware, the operating system, applications, infrastructure devices and other information systems provided by third parties such as cloud service providers.
2. The inventory of digital banking services, customers and transactions that require authentication. This involves the uniqueness of the service, the customer or the transaction and what amount of risk they pose to the institution.
3. Customers involved in high-risk transactions, determined by the dollar amount or the frequency of transactions. They pose a higher potential of financial loss risk or breach of data.
4. The users of the financial institution’s information system and data. They include the employees, third parties and service accounts.
5. High-risk users that warrant advanced authentication. They include privileged users with access to critical systems and data.
6. Threats that can potentially affect the financial institution’s system, data, user accounts, and customer accounts.
7. The design and effectiveness of the controls adopted.

Section Four: Layered Security

In this section, the guidance outlines various controls that financial institutions can adopt to prevent, detect, and correct potential weaknesses in their systems. Depending on the level of risk involved, the layered security approach offers authentication solutions suitable for each need.

Some of the controls outlined include:
● Multi-factor Authentication
● User time-out
● System hardening
● Network segmentation
● Monitoring processes
● Transaction amount limits
● Assigning users’ access rights

Section Five: Multi-Factor Authentication as Part of a Layered Security

In this section, the guidance indicates that MFA, or controls of equivalent strength, as part of layered security is more effective in mitigating risk. According to NIST, MFA is an authentication system that requires more than one authentication factor for success. The factors include memorized or look-up secrets, out-of-band devices, one-time password devices, biometric identifiers, or cryptographic keys. Whatever authentication factors a financial institution decides to use, it should ensure that they are user-friendly, convenient, and provide the desired security strength.

Section Six: Monitoring, Logging, and Reporting

In this section, the guidance emphasizes the importance of financial institutions having controls and processes in place for monitoring, activity logging, and reporting. These procedures are crucial in determining whether an unauthorized party attempted or achieved access. They also ensure timely response to and investigation of unusual activities through the logged details.
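Section Six’s monitoring and logging control can be made concrete with detection logic. The following is an added example (not part of the FFIEC guidance) that parses constructed authentication log lines and flags the repeated-failure-then-success pattern of automated password guessing, as well as a single source failing against many distinct accounts; the log format, thresholds and addresses are assumptions.

```python
"""Detection over authentication logs: flags accounts hit by a burst of failed
logins followed by a success (password guessing) and sources that fail against
many distinct accounts (password spraying). Log format, thresholds and
addresses are constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>SUCCESS|FAIL)$")


def parse(lines):
    """Yield (timestamp, src, user, ok) for each well-formed line; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["src"], m["user"], m["result"] == "SUCCESS"


def detect(lines, window=timedelta(minutes=10), fail_threshold=5, spray_threshold=3):
    """Return {'guessing': [users], 'spraying': [sources]} for the given log lines."""
    events = sorted(parse(lines))              # process in time order
    guessing, spraying = set(), set()
    fails_by_user = defaultdict(list)          # user -> timestamps of failures since last success
    users_by_src = defaultdict(set)            # src  -> distinct users it has failed against
    for ts, src, user, ok in events:
        if ok:
            recent = [t for t in fails_by_user[user] if ts - t <= window]
            if len(recent) >= fail_threshold:
                guessing.add(user)             # burst of failures, then a success
            fails_by_user[user].clear()
        else:
            fails_by_user[user].append(ts)
            users_by_src[src].add(user)
            if len(users_by_src[src]) >= spray_threshold:
                spraying.add(src)
    return {"guessing": sorted(guessing), "spraying": sorted(spraying)}


# Constructed sample log: documentation address ranges and fictitious users.
SAMPLE_LOG = [
    "2021-11-30T09:00:05Z src=198.51.100.7 user=jdoe result=FAIL",
    "2021-11-30T09:00:09Z src=198.51.100.7 user=jdoe result=FAIL",
    "2021-11-30T09:00:13Z src=198.51.100.7 user=jdoe result=FAIL",
    "2021-11-30T09:00:18Z src=198.51.100.7 user=jdoe result=FAIL",
    "2021-11-30T09:00:22Z src=198.51.100.7 user=jdoe result=FAIL",
    "2021-11-30T09:00:27Z src=198.51.100.7 user=jdoe result=SUCCESS",
    "2021-11-30T09:01:00Z src=203.0.113.9 user=asmith result=FAIL",
    "2021-11-30T09:01:02Z src=203.0.113.9 user=bwong result=FAIL",
    "2021-11-30T09:01:04Z src=203.0.113.9 user=cpatel result=FAIL",
    "2021-11-30T09:05:00Z src=192.0.2.44 user=asmith result=FAIL",     # a single typo ...
    "2021-11-30T09:05:40Z src=192.0.2.44 user=asmith result=SUCCESS",  # ... is not flagged
    "malformed line that the parser skips",
]

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```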

Section Seven: Email Systems and Internet Browsers

In this section, the guidance points out how email accounts and internet browser history are used to gain unauthorized access. Using social engineering and phishing techniques, the attackers take advantage of misconfigured applications and other unpatched vulnerabilities as access points to gain access to the financial institution systems and data.

Some tips on how to mitigate risks from email and browser history include:
● Implement secure configurations
● Implement layered security techniques
● Patch vulnerabilities
● Block browser pop-ups and redirects
● Limit the running of scripting languages

Section Eight: Call Center and IT Help Desk Authentication

The guidance notes that a common method by which threat actors gain unauthorized access to information is deceiving customer call center and IT help desk representatives. To mitigate that risk, financial institutions should invest in educating their users on the processes.

Section Nine: Data Aggregators and Other Customer-Permissioned Entities (CPE)

In this section, the guidance describes how CPE providers pose a threat to a financial institution’s customers. They obtain the credentials for a customer’s account information directly from the customers. They can also gain the information through other means, such as API-based or token-based access. To manage such authentication issues, financial institutions should assess the risk factors and put up controls that mitigate the risk of CPEs’ access to digital banking services.

Section Ten: User and Customer Awareness Education

This section gives financial institutions the responsibility to put in place regular user and customer awareness education programs. The program educates users and customers on the authentication risks and other security concerns when using digital banking services. When an institution educates its stakeholders, the additional authentication and access control measures will work more effectively.

Section Eleven: Customer and User Identity Verification

In this section, the guidance emphasizes the importance of financial institutions implementing reliable verification methods. Identity verification reduces the risk of identity theft, fraudulent account activity, and transactions and agreements that are not enforceable.

Zero-knowledge identity proof is a cryptographic technique which allows us to prove our digital identities without revealing private information about us while we interact and engage with various kinds of transactions online.

Zero-knowledge identity proof without revealing personal data

The zero-knowledge identity proof technique offers a way of verifying or providing proof of our identity whereby one party proves to know a particular piece of information without revealing other private information. Some examples of the zero-knowledge proof protocol include submitting proof of identity without disclosing your address or demonstrating that your bank account is sufficient for a particular transaction without revealing its balance.

In this article, we will focus on the use cases of zero-knowledge identity proof, benefits, and some statistics regarding the topic. In addition, we will present information on how zero-knowledge identity proof works to replace passwords. First, let’s look at what a zero-knowledge identity proof is.

What is Zero Knowledge Identity Proof?

A zero-knowledge identity proof is an authentication scheme in which one party (the prover) proves to the other (the verifier) that it holds a particular piece of knowledge demonstrating ownership of the identity. The prover demonstrates the required knowledge without disclosing any additional sensitive or personal information. This ensures that you retain ownership of your sensitive private data.

A zero-knowledge proof (ZKP) convinces the verifier that the prover has the information required to confirm their identity. The method was introduced in the 1980s by MIT researchers and is used to further enhance blockchain functionality. Zero-knowledge identity proofs are categorized into two types: interactive and non-interactive.

The interactive version involves a sequence of challenges that the prover must complete to demonstrate knowledge of some information. The method usually relies on probabilistic reasoning to support self-sovereign identity.

A non-interactive zero-knowledge proof supports decentralized identity management and does not require any interaction between prover and verifier.

The above two versions of zero knowledge proof involve the following three crucial prerequisites:

• Completeness: the verifier is convinced that the prover possesses the required information when a correct statement is submitted.

• Soundness: if the prover inputs incorrect information or no information at all, the verifier cannot be convinced, since a false statement cannot be made to appear true.

• Zero-knowledge: the verifier learns nothing else about the prover; thus, personal and sensitive data remain private.
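The three properties above are easiest to see in a concrete protocol. The following added example (not from the original article) implements Schnorr identification, an interactive zero-knowledge proof of knowledge of a discrete logarithm, together with its non-interactive Fiat-Shamir variant and a simulator that shows why transcripts leak nothing; the group parameters are a toy safe-prime group generated at run time.

```python
"""Schnorr identification: an interactive zero-knowledge proof that the prover
knows the secret x behind a public identity y = g^x mod p, plus the non-interactive
(Fiat-Shamir) form. The 64-bit safe-prime group is a toy generated at run time so
the code is self-contained; real systems use standardised 2048-bit groups or
elliptic curves."""
import hashlib
import random
import secrets

_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)  # deterministic MR for n < 3.3e24


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; exact for the sizes used here."""
    if n < 2:
        return False
    for b in _BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for b in _BASES:
        x = pow(b, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_group(bits: int = 64, seed: int = 1):
    """Return (p, q, g): safe prime p = 2q + 1 and g = 4, a generator of the
    order-q subgroup. A seeded RNG keeps the toy parameters reproducible."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        p = 2 * q + 1
        if is_probable_prime(q) and is_probable_prime(p):
            return p, q, 4


class Prover:
    """Holds the secret x; only y = g^x mod p is ever published."""
    def __init__(self, p, q, g, x):
        self.p, self.q, self.g, self.x = p, q, g, x
        self.y = pow(g, x, p)

    def commit(self) -> int:
        self.r = secrets.randbelow(self.q - 1) + 1   # fresh nonce per proof
        return pow(self.g, self.r, self.p)           # t = g^r

    def respond(self, c: int) -> int:
        return (self.r + c * self.x) % self.q        # s = r + c*x mod q


def verify(p, q, g, y, t, c, s) -> bool:
    """Accept iff g^s == t * y^c (mod p), which holds exactly when s came from x."""
    return pow(g, s, p) == (t * pow(y, c, p)) % p


def interactive_identification(prover, p, q, g, y_claimed, rounds=1) -> bool:
    """Verifier's side of the interactive protocol against a claimed identity y."""
    for _ in range(rounds):
        t = prover.commit()                 # 1. prover commits to a nonce
        c = secrets.randbelow(q)            # 2. verifier sends a random challenge
        s = prover.respond(c)               # 3. prover answers
        if not verify(p, q, g, y_claimed, t, c, s):
            return False                    # an impostor passes only with prob. 1/q
    return True


def fiat_shamir_challenge(p, g, y, t, q) -> int:
    """Non-interactive form: the challenge is a hash of the transcript so far."""
    data = b"|".join(str(v).encode() for v in (p, g, y, t))
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % q


def noninteractive_prove(prover):
    t = prover.commit()
    return t, prover.respond(fiat_shamir_challenge(prover.p, prover.g, prover.y, t, prover.q))


def noninteractive_verify(p, q, g, y, proof) -> bool:
    t, s = proof
    return verify(p, q, g, y, t, fiat_shamir_challenge(p, g, y, t, q), s)


def simulate_transcript(p, q, g, y):
    """Zero-knowledge: an accepting (t, c, s) built WITHOUT x, by picking c and s
    first and solving for t. Real transcripts look the same, so they leak nothing."""
    c, s = secrets.randbelow(q), secrets.randbelow(q)
    return (pow(g, s, p) * pow(y, q - c, p)) % p, c, s   # y^(q-c) == y^(-c)
```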

Pros and Cons of Zero Knowledge Identity Proof

Pros

• The technique is simple as it requires no complicated methods of encryption.

• It improves the users’ privacy by keeping vital information anonymous.

• It replaces the ineffective methods of authentication to strengthen information security.

• It improves scalability in the blockchain.

Cons

• It is potentially vulnerable to sophisticated technologies such as quantum computing.

• It has strict restrictions: all of the information is lost if the transaction’s originator forgets some of it.

• Zero-knowledge proof requires a significant computing power of around 2000 computations in one transaction.

• The technique is limited to mathematical equations and numerical answers; thus, using another method requires a translation.

Zero Knowledge Proof Use Cases

Zero-knowledge identity proof offers flexibility to users who wish to control some of their sensitive information. Thus, the technique has numerous uses when combined with blockchain. Some of the uses include:

Messaging

End-to-end encryption is very important for messaging, as no one can access the encrypted message except the intended recipient. Messaging platforms enhance data security by requiring users to verify their identities.

As the zero knowledge proof technique advances, particular messaging platforms will find it easier to build end-to-end encryption without giving out any additional information. Using ZKP in messaging is among the popular emerging trends in blockchain.


Zero-knowledge proof is used in facilitating the transmittance of sensitive data like authentication information. ZKP helps build a secure channel where users can fill in their personal information without revealing it, thus preventing data leakage to malicious parties.

Storage Protection

Storage is another area where a ZKP can be deployed: access to a storage unit and the data it holds can be gated on a proof of authorization rather than on a transmitted secret, which protects the access channel without disrupting the user experience.

Blockchain Transactions

Private blockchain transactions should never be revealed to third parties, yet the traditional way of recording them exposes sender, receiver and amount to everyone who can read the ledger.

A ZKP closes this gap: the network validates that a transaction is well formed (for example, that no value is created out of nothing) while the transaction details stay hidden. When integrated correctly, this makes it far harder for anyone observing the chain to extract or misuse the transaction data.

Complex Documentation

Because a zero-knowledge proof can attest to facts about large bodies of data without revealing them, it is well suited to controlling which blocks of a document set a particular user may access while refusing the same access to another. This way, complex documentation is protected from unauthorized users.

File System Control

Zero-knowledge proofs are also used in file systems, where they add layers of protection around files, users and logins so that stored data is difficult to read or manipulate without authorization.

Securing Sensitive Blockchain Information

Lastly, zero-knowledge proofs are widely used in blockchain technology to rework how transactions are handled. ZKP tools add strong protection to each block containing sensitive banking information: a bank can act on the specific blocks it needs when particular information is requested, while the other blocks remain untouched and protected.

Benefits of Zero-Knowledge Proof

• The secret itself is never sent, so it does not have to be encrypted for transit.

• It is more secure because no party has to reveal any information beyond the truth of the statement.

• ZKPs significantly shorten blockchain validation, since checking a short proof replaces storing and re-checking the underlying data.

Zero-Knowledge Proof Scheme

The idea of zero-knowledge proof can be turned into a practical cryptographic protocol. For example, Tom wants Mary to prove that she knows the value x in y = g^x mod p, without revealing x. Here p is a large prime, g is a generator, y is Mary's public identity and x is her private key; knowledge of x is what identifies Mary.

Mary first picks a random number r, which she keeps to herself, and sends Tom the commitment C = g^r mod p. After receiving C, Tom asks Mary to disclose either r or (x + r) mod (p – 1), choosing which one at random. In either case, Mary reveals a value that looks random to Tom, never x itself.

Tom can check either answer quickly. If he asked for r, then g^r mod p must equal C. If he asked for (x + r) mod (p – 1), then g^((x + r) mod (p – 1)) mod p must equal C · y mod p, because g^(x + r) = g^x · g^r = y · C.

The value (x + r) mod (p – 1) can be viewed as a one-time-pad encryption of x mod (p – 1): since r is uniformly distributed between 0 and p – 2, the sum reveals nothing about x. Mary must pick a fresh r for every round; if she reused r and answered both questions, Tom could recover x = (x + r) – r. A prover who does not know x can prepare for one of Tom's two questions but not both, so each round catches an impostor with probability 1/2, and repeating the exchange t times reduces the chance of a successful bluff to 2^-t.

How Zero-Knowledge Identity Proof Replaces Passwords


In the ZKP protocol, if both parties follow the rules and the statement is true, the verifier is convinced without any further assistance (completeness).

With password verification, a leaked password lets an unauthorized user in, and the verifier cannot tell them apart from the legitimate owner. Worse, many systems allow repeated logins from the same device for some period without re-entering the password, so anyone who gets hold of that device can reach much of the sensitive data.

Zero-knowledge identity proof is therefore preferable to passwords for authentication. A third party who observes a proof exchange learns nothing usable: the verifier issues fresh random challenges every time, so recorded answers cannot be replayed, and an impostor who lacks the secret is detected, which is not the case with a compromised password. The secret must still be protected where it lives, however; a device that is compromised while holding the private value can produce valid proofs on the attacker's behalf.


If the statement is false, the verifier identifies the prover as an impostor (soundness). Access is denied because the prover cannot produce the correct responses, and no amount of insistence that the supplied information is true will convince the verifier.

With a “remember device” feature that logs the user in automatically after a password has been entered once, anyone who picks up the device can view the information, because the verifier has already validated and trusted the device. This cannot happen with a zero-knowledge proof, where the prover must answer a fresh challenge using the secret every time.
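The protocol described under “Zero-Knowledge Proof Scheme” above, together with the password comparison in this section, as an added example that is not part of the original article and not taken from any product: an honest prover (Mary), a verifier (Tom), a cheating prover who lacks x (soundness), a simulator that fabricates accepting transcripts without x (zero-knowledge), and an eavesdropper replaying a recorded exchange (why a captured ZKP transcript is not a captured password). The group parameters P = 2^127 – 1 and G = 3 are toy values chosen for readability, and the class and function names are assumptions made for this example.

```python
"""Interactive zero-knowledge proof of knowledge of a discrete logarithm.

Mary (prover) knows x with y = g^x mod p; Tom (verifier) learns only that
she knows it. Toy parameters: not for production use.
"""
import secrets

# Toy group parameters (assumed for this example; real systems use a
# standardized group). Exponents are reduced mod p-1 because g^(p-1) = 1 mod p.
P = 2**127 - 1
Q = P - 1
G = 3


def keygen():
    """Mary's secret x and her public identity y = g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


class Prover:
    """Honest Mary: commits to a fresh random r each round, answers Tom's coin."""

    def __init__(self, x):
        self.x = x

    def commit(self):
        self.r = secrets.randbelow(Q)        # fresh r every round, never reused
        return pow(G, self.r, P)             # C = g^r mod p

    def respond(self, challenge):
        if challenge == 0:
            return self.r                    # reveal r
        return (self.x + self.r) % Q         # reveal (x + r) mod (p - 1)


class Verifier:
    """Tom: picks the question at random and checks the answer against C and y."""

    def __init__(self, y):
        self.y = y

    def challenge(self):
        return secrets.randbelow(2)

    def check(self, C, challenge, z):
        if challenge == 0:
            return pow(G, z, P) == C                 # g^r == C
        return pow(G, z, P) == (C * self.y) % P      # g^(x+r) == C * y


def run_protocol(prover, verifier, rounds=40):
    """Run `rounds` challenge-response rounds; return (accepted, transcript).
    A prover lacking x passes each round with probability 1/2, so 40 rounds
    leave a 2^-40 chance of a false accept."""
    transcript = []
    for _ in range(rounds):
        C = prover.commit()
        b = verifier.challenge()
        z = prover.respond(b)
        transcript.append((C, b, z))
        if not verifier.check(C, b, z):
            return False, transcript
    return True, transcript


class Cheater:
    """Knows y but not x. Guesses Tom's coin and prepares C for that case only:
    guess 0 -> C = g^s (answers r = s); guess 1 -> C = g^s / y (answers s,
    since then g^s = C * y). The wrong guess is caught by Verifier.check."""

    def __init__(self, y):
        self.y = y

    def commit(self):
        self.s = secrets.randbelow(Q)
        if secrets.randbelow(2) == 0:
            return pow(G, self.s, P)
        return pow(G, self.s, P) * pow(self.y, -1, P) % P

    def respond(self, challenge):
        return self.s


class Replayer:
    """Eavesdropper who recorded one honest (C, b, z) and replays it every round.
    Unlike a stolen password, it only works when Tom's fresh coin equals b."""

    def __init__(self, recorded):
        self.C, self.b, self.z = recorded

    def commit(self):
        return self.C

    def respond(self, challenge):
        return self.z


def simulate_transcript(y):
    """Fabricate a transcript that passes Verifier.check WITHOUT knowing x, by
    choosing the answer first and the commitment to match. Because anyone can
    produce such transcripts, Tom learns nothing about x from a real one."""
    b = secrets.randbelow(2)
    z = secrets.randbelow(Q)
    C = pow(G, z, P) if b == 0 else pow(G, z, P) * pow(y, -1, P) % P
    return C, b, z


if __name__ == "__main__":
    x, y = keygen()
    print("honest prover accepted:", run_protocol(Prover(x), Verifier(y))[0])
    print("cheater accepted:      ", run_protocol(Cheater(y), Verifier(y))[0])
```

The replayer is the point of the password comparison: a recorded password works every time, whereas a recorded ZKP round only works if Tom happens to flip the same coin again, which after 40 fresh rounds is as good as never.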
