Out-of-band authentication (OOBA) is a form of multi-factor authentication in which the second factor is delivered or confirmed over a communication channel separate from the one used to log in. Financial institutions and other high-risk organizations use it to make it considerably harder for an attacker to reach systems and data. A typical example is a login started on a computer and confirmed on a smartphone, where the phone receives an SMS code or shows a prompt in an authentication app.

Out-of-band authentication matters in identity and access management because it reduces the impact of a man-in-the-middle (MITM) attack. In a MITM attack, the attacker sits on the communication path between sender and receiver and intercepts or alters the data in transit. Passwords are often trusted more than they deserve: they can be stolen from a compromised endpoint, phished, or captured while the authentication exchange is in progress. An attacker who exploits a weakness in a single channel can therefore recover the password. This is why additional, independent authentication and verification methods are needed.

Using two independent channels means that compromising the primary channel alone no longer gives an attacker everything needed to log in. One caveat a practitioner should keep in mind: channel separation defeats passive interception, but not a real-time phishing proxy that relays both the password and the out-of-band code to the genuine site. Any code the user can type can be relayed, so a push confirmation that shows what is being approved, or a phishing-resistant authenticator, is stronger than a code that is simply forwarded.

Out-of-band authentication can be thought of as a stronger form of 2FA. Conventional 2FA does not have to use a separate channel: for example, a verification code may be emailed to the user and read in the same browser session that is being used to log in. This is better than a password alone, but the second factor then travels over the same path that an attacker who controls the session or the endpoint already sees, which raises the chance of compromise.

Out of Band Authentication Methods

In a multi-factor authentication (MFA) setting, the system uses at least two distinct factors to confirm identity. Methods used to supply those factors include:

  • Password
  • Biometric authentication (fingerprint scans, voice verification, or facial recognition)
  • QR codes
  • SMS
  • Token (authentication app)
  • Push notifications

Not all of these methods are equally secure. SMS codes are among the weakest: they can be intercepted (for example through SIM swapping or weaknesses in carrier networks), they are easily read out to an attacker over the phone under social engineering, and they can be relayed by a phishing site in real time. NIST SP 800-63B classifies delivery of out-of-band codes over the public telephone network as a restricted method for exactly these reasons.

Out of Band Authentication Implementation

To implement out of band authentication, consider the following steps:

  1. Identify what needs protection
  2. Choose the authentication channels
  3. Identify which users must use this form of authentication

A single security breach costs a company an average of $3.92 million. The cost of implementing strong authentication is minimal by comparison. Some users may find the extra few seconds at login inconvenient, but most accept it once they understand how weak a password-only login is.

When planning to integrate strong authentication into a business or organization, there are a variety of providers that can help. Depending on the business, it matters whether the provider has global reach, with support for and compatibility with different mobile networks, country codes, and so on. Quality user support and customer service are extremely important during and after an out-of-band authentication rollout, and the failure path deserves as much testing as the happy path: what users see when a code is not delivered decides whether they lock themselves out or call the help desk. No one wants downtime due to authentication failures, so having the right support when something goes wrong is vital.

Some regulations require businesses such as banks to use multiple forms of authentication. For example, in some countries banks are required to apply strong customer authentication in certain situations, such as when a customer accesses an online payment account, sets up an electronic payment, or initiates a payment through a remote channel that carries a higher risk of fraud.

Using multiple authentication channels is a clear choice for any company or organization looking to improve security. It protects customer data and reduces the likelihood of a breach. It benefits all parties: customers face a lower risk of stolen data, and businesses face a lower chance of a breach with major consequences.

Identity and access management certifications

This article summarizes the Digital Identity Guidelines published by the National Institute of Standards and Technology (NIST) to give organizations direction on managing digital identities securely. A digital identity, the online equivalent of a physical identity, is the set of data that uniquely identifies an individual or entity and can be used to authenticate it and authorize its access to online resources.

The Digital Identity Guidelines are published as NIST SP 800-63-3 with three companion volumes: SP 800-63A, which covers enrollment and identity proofing; SP 800-63B, which covers authentication and lifecycle management; and SP 800-63C, which covers federation and assertions. Each volume defines a set of assurance levels (identity, authenticator, and federation assurance levels, abbreviated IAL, AAL, and FAL) and the requirements an organization must meet at each level to secure its digital identities.

Digital Identity Guidelines Part A: Enrollment and Identity Proofing

The first part, SP 800-63A, covers enrollment and identity proofing. It sets out how organizations should collect and verify information about an individual's identity, what information should be collected during enrollment, and the three Identity Assurance Levels (IAL1 to IAL3) that describe how rigorously the claimed identity has been proofed. The requirements are designed to ensure that credentials are issued only to the people they claim to identify.

Organizations must first decide what information they need to collect in order to verify an individual’s identity. This information can include but is not limited to name, physical address, email address, Social Security Number, and date of birth. This decision should be based on the sensitivity of the information being protected and the level of assurance that is needed. This will enable the organization to appropriately balance security and privacy.

Next, the organization collects the required information from the individual, whether in person, through online forms, or by other means. In-person proofing should take place in a controlled setting, such as a government office or bank, and the individual's identity should be checked against at least two forms of identity evidence, such as a driver's license, passport, or birth certificate. Online forms should be served over a protected (TLS) session, and remote proofing should validate the submitted evidence against its source rather than accept it at face value, since the applicant has no credential yet to authenticate with.

Once the required information has been collected, the organization must verify that the individual is who they claim to be. This requires processes and systems that validate the evidence against a reliable source, such as the issuing authority's record of an official government document, and confirm that the evidence is genuine, current, and belongs to the applicant. Methods include automated checks, manual review, and third-party verification.

Manual checks should be conducted for high-risk situations, such as when an individual is attempting to access sensitive information. Automated checks can be used for low-risk situations, such as when an individual is trying to access non-sensitive information. Third-party verification can be used when the organization does not have the capability to verify the collected data.

After verifying the individual's identity, the organization issues a credential, which can take the form of a username and password, a digital certificate, or a physical token. The credential should be issued in a secure manner, through a protected session or in person, and should be bound to that individual alone and never shared.

Finally, the guidelines require that organizations take steps to protect the collected information. This includes storing the information in a secure location, such as a locked filing cabinet or a secure database. The information should only be accessed by authorized personnel. The organization should also have procedures in place to ensure that the data is appropriately disposed of when it is no longer needed.

Part B: Authentication and Lifecycle Management

The second part of the digital identity guidelines, SP 800-63B, covers authentication and the lifecycle of authenticators. Authentication is the process of establishing that the party presenting a credential is the subscriber it was issued to. This part defines three Authenticator Assurance Levels (AAL1, AAL2, and AAL3) rather than a sliding scale; each level sets requirements for the authenticators, the authentication protocol, and how often the subscriber must reauthenticate.

AAL1 provides some assurance that the claimant controls an authenticator bound to the account. Single-factor or multi-factor authentication is acceptable, a wide range of authenticator types may be used, and reauthentication is required at least once every 30 days. This level suits situations where the risk is low, such as access to non-sensitive information. AAL2 provides high confidence: the claimant must prove possession and control of two distinct authentication factors, approved cryptographic techniques are required, and reauthentication is required at least every 12 hours and after 30 minutes of inactivity. This level suits access to sensitive personal information. AAL3 provides very high confidence: the claimant must prove possession of a key through a cryptographic protocol, using a hardware-based authenticator and an authenticator that resists verifier impersonation (one device may satisfy both), with reauthentication at least every 12 hours and after 15 minutes of inactivity. This level suits access to critical information where a false authentication would have a severe impact. The level is chosen from a risk assessment of the harm a false authentication could cause, not from the number of factors alone.

The guidelines also specify the types of authentication factors that can be used to verify an individual’s identity. These factors are divided into three categories, including something you know, something you have, and something you are.

Something you know includes information that only the individual knows, such as a password or a PIN. Something you have includes an object that only the individual has, such as a hardware key or a token. Something you are includes a characteristic that only the individual has, such as a fingerprint or a retina scan.

The guidelines also specify how many factors each level requires. AAL1 requires at least one factor. AAL2 requires two distinct factors, which may come either from a single multi-factor authenticator (for example, a hardware key that must be unlocked with a PIN or a biometric) or from two single-factor authenticators (for example, a memorized secret plus a one-time-code device). AAL3 also requires two factors, but one authenticator must be hardware-based and the protocol must resist verifier impersonation, so that a phishing site cannot capture and reuse the authentication output. Two factors of the same type do not count twice: two memorized secrets are still a single factor. A biometric may serve as a factor only in combination with a physical authenticator (something you have), never on its own.

Part C: Federation and Assertions

The third part of the digital identity guidelines, SP 800-63C, covers federation and assertions. Federation is an arrangement in which an identity provider (IdP) authenticates the user and conveys the result to a separate relying party (RP) in an assertion, so the RP does not have to proof and authenticate the user itself. This part describes how federation works, defines three Federation Assurance Levels (FALs), and identifies the standards (SAML and OpenID Connect being the common ones) that make different federated systems interoperable. At FAL1 the assertion is digitally signed by the IdP; at FAL2 it is also encrypted so that only the intended RP can read it; at FAL3 the subscriber must additionally prove possession of a key referenced in the assertion (a holder-of-key assertion), so a stolen assertion cannot be used by whoever holds it. Once an identity has been asserted, the relying party still has to decide what the user may do. Two patterns of authorization are worth distinguishing: static and dynamic.

Static authorization, which is based on the identity of the individual and does not change over time, is the simplest form. An individual is granted a standing entitlement and is not re-evaluated each time they access the resource. For example, an employee might be given static authorization to use their company’s email server. This pattern fits resources where the set of people who need access changes rarely. Organizations must take care with static authorization, because standing entitlements accumulate easily and are seldom reviewed; it is essential to grant only the level of access each individual needs to perform their job duties and to review it periodically.

Dynamic authorization, on the other hand, is evaluated against the individual’s current context and can change from one request to the next. It is used for resources whose protection requirements depend on circumstances such as the authentication level, the device, or the value of a transaction. For example, an individual might be allowed to view their bank account balance and transactions after a normal login, but be required to complete a stronger, fresher authentication before transferring funds.

Dynamic authorization therefore lets the level of access track risk. It is still essential to decide carefully what access each individual needs before writing the rule that grants it. In a federated setting, the relying party learns the user’s identity and attributes from the assertion, and it can rely on them only because the identity provider signed it; the signature is what lets the RP verify who is requesting access.

Digital signatures are created with a key pair: the private key, held only by the signer, produces the signature, and the public key, which may be distributed freely, verifies it. A valid signature shows that the assertion was produced by the holder of the private key and has not been altered since. It does not by itself show that the assertion was meant for this relying party or is still fresh, so the verifier must also check the issuer, audience, and expiry fields and reject an assertion it has already seen.

A relying party therefore verifies the signature on each assertion, checks that the assertion is addressed to itself and has not expired, and only then maps the asserted identity and attributes to a level of access. Even then, the access granted should be the minimum the individual needs for the resource.

Overall, the goal of these guidelines is to ensure that only legitimate users are able to access online resources. By proofing an identity at enrollment, authenticating at an assurance level matched to the risk, and protecting the data collected along the way, organizations reduce the risk that someone other than the authorized user gains access.

Certified Identity Management Professional (CIMP) certification

This article explains the CIAM and CIMP certifications as they are among the top IAM certifications offered by Identity Management Institute. Identity and access management certifications by IMI are ideal for those professionals who are looking to become expert identity specialists to pursue an identity management career or complement their existing career paths.

Identity and access management certifications are vital for active professionals and job seekers who are looking to gain new knowledge, validate their skills, seek rewarding careers, and network with peers. IAM plays a crucial role in helping organizations onboard users, manage their access to systems and data, and prevent security breaches.


CIAM and CIMP Certifications – The Difference

The Certified Identity and Access Manager (CIAM) program is designed for IAM process and risk management professionals who help transform and improve identity and access management within an organization. A CIAM professional understands the IAM concepts of onboarding, access management, and policy enforcement, and is capable of completing a comprehensive risk assessment, designing IAM programs, communicating risk assessment results, and reporting the state of IAM to various stakeholders.

CIAM certified experts are experienced professionals who demonstrate the ability to design, improve, implement, and manage IAM processes and programs. Their proposals help transform the identity lifecycle to streamline IAM procedures, implement activity tracking, and improve workflow.

On the other hand, Certified Identity Management Professional (CIMP) experts are technical experts who provide technical and system solutions to support the IAM program and policies.

The CIMP certification is for any technical expert who designs, develops, and implements IAM systems to facilitate the authorization and authentication of digital identities and their access across an organization.

CIMP technical experts can propose technical solutions, help select and implement IAM products that meet the needs of their organizations, manage projects, and develop systems in accordance with secure coding practices and digital identity guidelines.

The best candidates to become CIMP members are technical professionals with an interest or passion for gathering system requirements based on identity and access management needs, risk assessment results, and emerging threats. The CIMP certification program helps candidates develop and implement scalable IAM technologies and solutions that automate and streamline IAM processes, strengthen cybersecurity, and improve access management workflow and control.

Certification Process

To pursue an IAM certification program, you must be a member of Identity Management Institute and pass an online examination. Upon passing the exam, you become a certified IAM expert in your domain and can serve global organizations and government agencies to design, manage, improve, or implement identity and access management programs and processes. To maintain the certification, certified experts must renew their annual membership and complete 60 hours of continuing education every 3 years.

Understanding the scope, objectives, and critical risk domains of the CIAM and CIMP certifications will help you choose the program that meets your needs. When you compare the fundamentals of the two, a few factors that set them apart become clear.

By joining IMI and becoming a certified member, you demonstrate a commitment to the identity and access management field, showcase your professional skills, and engage in professional networking.

Visit our certification page to learn more about CIAM and CIMP certifications or watch this video for a quick overview of both certifications.


This article covers the top 10 metaverse risks as we prepare to expand our internet experience and enter a virtual world where we do everything that we do today in our physical world – almost everything. Although the technology is still a few years out, it’s becoming increasingly clear that the groundwork is being laid for the new metaverse-based Internet.

However, just as with the Internet today, there are inherent risks and security issues that will need to be addressed as we progress into a world of digital connectedness. While the full potential of virtual reality worlds is still being imagined and assessed, metaverse security consultants are urging caution.

Top 10 metaverse and security risks

Below is the list of top 10 metaverse risks:

Cyberbullying and Harassment

The issue of mental health and mental well-being in the metaverse has made news before. Cyberbullying still remains a serious threat to young adults and teenagers. In fact, the effects of cyberbullying are well-documented and can include anything from low sense of self-worth to suicidal tendencies, especially in teenagers. In February 2022, a woman claimed that she (her avatar) was harassed in a virtual game by 3-4 male avatars. Experts suggest that because the human experience in the metaverse is as real as our experience in the real world, the pain and suffering is also real and as intense.

Mental Health Issues

There are other threats that are more difficult to avoid in a virtual world. For instance, ads are used to drive the development of many free-to-play games. Malicious individuals could theoretically replace the ads with images that can induce motion sickness or even epileptic seizures. Such images could be broadcast to a person’s virtual reality headset.

Identity Theft

Many experts are concerned about the possibility that identity theft may become even easier in the metaverse if strict security measures are not implemented. Identity theft is already a multibillion-dollar industry in the real world; a study released just last month placed losses to identity theft at approximately $24 billion. Worse, the number of cases has grown over 50 percent from 2020’s figures, according to cybersecurity research.

Unauthorized Data Collection by Companies

Legitimate companies also collect your personal information. However, virtual reality has the potential to take information collection to a point that may be a few steps out of bounds for some people. For example, virtual reality headsets theoretically allow third parties to gather increasingly sensitive personal information such as voiceprint data, biometric information and even facial geometry.

Ransomware Attacks

Ransomware is a type of malicious software that has the ability to encrypt your personal files and block you or anyone from accessing them. It will then display a message urging you to pay a certain amount of money to get your data back, hence the name ‘ransomware’. You can probably imagine how this would be problematic in a metaverse setting. Your metaverse profile is set to contain a lot more information than just a standard social media profile; it will contain all manner of sensitive information as well. Imagine not being able to access your bank accounts or even your personal data. That can become quite problematic in a metaverse setting.

Changes in Perception of the Real World

A study conducted by researchers at Stanford University has discovered that both virtual reality and augmented reality, two of the cornerstones that will form the foundation of the metaverse, can have an impact on how people perceive the real world. For example, participants in that study avoided sitting on a chair where they had seen a computer-generated avatar sit in their AR environment.

Deepfake Videos

In a world that thrives on the consumption of information, experts are also worried about false information campaigns delivered through deepfaked audio and video clips that threaten national security. Deepfakes are video or audio clips that have been manipulated to look and/or sound like someone else. Deepfaking works similarly to face swapping but uses sophisticated artificial intelligence algorithms to gather data on individuals from several different angles so that they can be overlaid on existing video.

Social Engineering Attacks

Social engineering is the practice of psychologically manipulating people into divulging sensitive information. With the amount of personal data that will be stored in the metaverse, it could potentially become a gold mine for hackers looking to sell personal information on the Dark Web. Ultimately, the basis for metaverse security management will be education. You can have the greatest security system in the world, but if the operator doesn’t know how to use the system or is irresponsible, it will do them no good.

Shared Spaces Have Their Own Risks

The metaverse is built around bringing people closer together. While in some ways this can be a good thing, it can also present concerns. On today’s Internet, you can find groups of like-minded people and create fantastic communities. In the metaverse, however, you will also need to deal with people who hold opposing ideals. Studies have shown that people act differently in a virtual world than in the real world. This manifests heavily in the massively multiplayer online role-playing game (MMORPG) world, where experienced players tend to badmouth new players and will even bully female players.

New Applications Will Need to Be Vetted

Just like on today’s Internet, new applications have the potential to cause havoc on our digital lives. In a metaverse setting, however, the damage can become even more disastrous with the sheer amount of sensitive data that will be kept. We will need to develop measures to have all new applications checked for malicious code.


These are just our top 10 metaverse risks which include security concerns. The list will surely expand and evolve as we build our virtual real life where almost everything will gradually be done in the digital world. Watch this video to learn about the Metaverse Security Center as well as the Certified Metaverse Security Consultant (CMSC) certification.


The Certified Identity Management Professional certification is designed and administered by Identity Management Institute for technical information technology, cybersecurity, and identity management professionals who design, develop, implement, and manage identity and access management systems and technical solutions. As the number of users, systems, and product solutions grows, demand for CIMP technical experts also grows to help meet business requirements and user needs for improved identity and access management, reduced access risks, tracking user activities, and complying with regulations.


Growth Factors

Some of the key factors that contribute to the increasing demand for Certified Identity Management Professional certification are as follows:

  • First, security threats require an understanding of threat modeling techniques and analysis skills to mitigate evolving risks with technical solutions. Becoming a Certified Identity Management Professional requires knowledge of common identity and access management risks and the ability to propose technical solutions to control access, prevent attacks, detect anomalies, and respond to incidents.
  • Second, as CIMP experts deploy systems and solutions to counter identity and access threats, they must be aware of various international standards for ensuring optimum identity and access management architecture and cloud security by utilizing Secure Software Development Framework and best practices in SDLC, product implementation, and project management.
  • Third, as the number of IoT devices grows and businesses embrace cloud computing, SaaS applications, remote workforce, BYOD, and blockchain technology, CIMP experts must ensure secure API and access controls exist by deploying advanced systems such as multi-factor and biometric authentication, machine learning, and artificial intelligence.
  • Lastly, managing access for dispersed and diverse users such as employees, customers, and business partners to systems whether hosted internally or externally is another challenge as users require quick access while businesses and regulators need assurances that users are properly identified and authorized. Meeting the needs of users for speedy and seamless access, secure onboarding and KYC, system security, and regulatory compliance introduces technical challenges that CIMP experts must address.

Why Pursue a CIMP Certification?

Identity management is a collection of technology, processes and people. In order to address various identity management risks and challenges, organizations are increasingly considering technology solutions to improve security and automate identity and access management as much as possible.

Although the rewards of implementing an identity management solution are immense, such initiatives are often very challenging and require the expertise of technical identity management experts to create and manage project teams, gather the requirements to design and develop systems, help select an external product solution, develop project plans, and oversee the successful implementation and deployment of IAM systems.

In summary, identity management is a growing career field which helps businesses streamline, automate, and manage system access. By earning the Certified Identity Management Professional certification, IMI members demonstrate their expertise in gathering system requirements, proposing product solutions, and managing IAM projects.

Who Should Pursue The CIMP Certification?

Certified Identity Management Professionals are technical experts who typically work as system architects, system engineers, system programmers, technical consultants, and project managers.

CIMP Critical Risk Domains

The CIMP study guide chapters and examination are organized in the following Critical Risk Domains:

  1. Threat Management
  2. Project Management
  3. Product Selection and Implementation
  4. Software Security
  5. Cloud Security
  6. IAM, Architecture, Protocols, and Standards
  7. IoT and API Security
  8. Artificial Intelligence and Machine Learning
  9. Compliance Assurance
  10. Digital Identity Guidelines

Let’s now explore each domain for additional details:

Threat Management

A large part of a Certified Identity Management Professional job duties is to manage identity and access management risks which requires knowledge of threat modeling and analysis, gap identification, and IAM solutions. CIMP certification prepares IT professionals to become threat management experts in identity and access management.

Project Management

CIMP candidates must know project management best practices and be able to propose a project strategy and roadmap, define business requirements, and apply technical writing, communication, and team management skills. They must be able to translate business requirements into technical requirements for the staff involved in coding, testing, and implementation, and then track the project plan to make sure the delivered system operates in accordance with those requirements.

Product Selection and Implementation

When third party IAM software products must be evaluated and selected for implementation, the criteria for how to select an IAM product must be established and used in alignment with business objectives and requirements. System integration and product features must be considered along with the vendor reputation, support, and sustainability as well as product certification, independent quality assessments, and consumer reviews. CIMP experts must be able to select and implement the right product to solve their unique IAM challenges.

Software Security

When a new IAM product is developed, or features of an existing application are modified, or when an organization must develop an Application Programming Interface for a selected product, many critical areas must be considered such as business requirements and objectives, Software Development Kit, infrastructure, secure software coding practices including mobile apps, product development framework, web application security, DevOps segregation of duties, software design and architecture, Service-Oriented Architecture, system and user acceptance testing, change management, and post implementation tasks.

Cloud Security

As organizations move their applications and data into global cloud computing environments, CIMPs must know the IAM capabilities of the major cloud providers and be able to use a Cloud Access Security Broker (CASB) to extend enterprise security policies into the cloud.

IAM Architecture, Protocols and Standards

CIMPs must be familiar with international IAM protocols and standards and apply them in their jobs and projects. Formalized protocols exist to support strong IAM policies: the Authentication, Authorization, and Accounting (AAA) protocols such as RADIUS for network access, and web standards such as SAML, OAuth 2.0, and OpenID Connect for federated authentication and delegated authorization. These standards strengthen and simplify access management, aid compliance, and provide a uniform way of handling interactions between users and systems.

IoT and API Security

As Internet of Things devices continue to be deployed by businesses and households with advanced features and data retention capabilities, CIMPs must be aware of the access risks within IoT and their connectivity with other systems and devices to ensure proper identification, authentication, and data integrity.

Artificial Intelligence and Machine Learning

With knowledge of advances in artificial intelligence and machine learning, CIMPs can improve their products and processes through automated machine learning to achieve certain goals quickly and effectively such as when detecting threats and analyzing user behavior for context-based identity management. Automated monitoring is essential for detecting unauthorized access, violation of policies, and system malfunctions.

Compliance Assurance

Many regulatory requirements relate to identity management, including requirements for user identification and activity tracking, and certain companies must comply with them. CIMPs must establish continuous audit procedures to ensure not only that regulatory requirements are met but also that systems and processes operate as designed and follow the established standards.

Digital Identity Guidelines

The digital identity guidelines provide technical requirements for government agencies and organizations implementing digital identity services. The guidelines define technical requirements in each of the areas of identity proofing, registration, management processes, authentication protocols, federation, and related assertions.

Certified Identity Management Professional Certification Process

To become a Certified Identity Management Professional, candidates must become members of Identity Management Institute, and pass an examination. For CIMP eligibility, application submission, cost, exam, and certification maintenance, please visit the CIMP page on the IMI website. Watch the CIMP overview video.