Workday Credentials: Exciting Times for Identity and Authentication Assurance Vendors?

Leon's Tech Insight

Workday recently announced Credentials, an advanced network of verified credentials powered by a blockchain-based credentialing platform. I’ve always held Workday’s product and engineering disciplines in very high regard, and this announcement cemented this perspective even further. This also got me excited about the possibilities this could have in the Identity and Access management world, building on my recent series of blogs on the NIST-800-63-3 guidelines on Digital Identity.

The online world is fraught with fraud – whether it’s related to e-commerce or to account creation or takeovers. The foreign government interference in the 2016 presidential elections via fake accounts created on social media is one glaring example of the damage that can be inflicted by account creation fraud. Similarly, there have been innumerable reports on how your identity is available for sale on the dark web. And it’s not just e-commerce, social or consumer websites getting impacted – enterprises, too, have to constantly deal with account takeovers and authentication fraud.

One way to combat account creation or takeover fraud is through better enrollment and identity proofing processes, and by ensuring strong authentication assurance. In the IAM world, enrollment and identity proofing (NIST 800-63-A) is about ensuring that a digital representation or identity that a real-world user creates or claims in an online service is verified, validated against the user’s real-world credentials and other data. Increasingly, these credentials are also being used in the digital authentication process (NIST 800-63-B), which historically was about proof of possession of authenticators such as OTP tokens, phones, smart cards, derived credentials, etc. Next-gen authentication models like Gartner’s CARTA or Zero Trust Network Access are active proponents of using this real-world information and credentials in the authentication process.

At Idaptive, one of the key product strengths in our IDaaS portfolio is adaptive access —capabilities driven by our machine learning based User Behavior Analytics engine. This engine has the ability to consume not just Idaptive event data along with the user, network, location and time-based context, but also third-party threat data such as network logging data from Palo Alto Networks Cortex. This data is then used to create behavior models of users, which in turn can be leveraged to enforce multi-factor authentication as users attempt to access critical applications and data. What’s truly exciting about Workday Credentials is that along with leveraging the current authenticators as part of the adaptive access use case that we already support, we could now leverage Workday Credentials to drive even greater identity and authentication assurance. As an example, as part of the authentication and authorization process, Idaptive requests and verifies sensitive information about a user’s credentials through Workday that only the user may have or know. And given that only the end user will have control over with whom they can share credentials, an organization will have a high degree of confidence in the credentials’ authenticity and users’ privacy. 

Another interesting use case is one related to compliance – ensuring that a user has the right credentials (certifications and such) and allowing or denying the user from being authorized to use an application depending on the verification of those credentials. This could either be done at the time of access, or even as part of an access certification campaign. As an example, a financial advisor, whose Certified Financial Planner (CFP) credential has expired, can be prevented from accessing a system either at the time of access or could have her access suspended or terminated as part of an access certification campaign runs on a regular basis.

At the outset, there clearly are some synergies for IAM vendors to explore with Workday Credentials. And the fact that Workday is actively working with organizations like W3C and the Decentralized Identity Foundation (DIF) to ensure that these credentials are compatible with other standards-based platforms, makes me hopeful that interoperability with vendors like Idaptive will not be a challenge once Workday gets to a point here where they’re ready to engage with partners. I’m genuinely looking forward to hearing about and following Workday’s progress as it evolves Credentials from an alpha to a generally available product.

*** This is a Security Bloggers Network syndicated blog from Articles authored by Archit Lohokare. Read the original post at: