By SecureWorld News Team
Mon | Oct 2, 2017 | 3:06 PM PDT

Michael Duff, AVP and CISO at Stanford University, says the InfoSec community needs to be talking about new approaches to authenticating people in a digital world, especially after the Equifax breach and other mega breaches.

Duff has some ideas on what would replace it and other personally identifying information (PII).

He’ll share those ideas during his keynote at SecureWorld Bay Area this Thursday, October 5, at the Santa Clara Convention Center.

His session title is "Identifiers vs. Authenticators, and the Initial Authentication Problem." We asked him three questions about it:

SW: What do you mean by ‘Identifiers vs. Authenticators’?

MD: Identifiers (such as SSNs, usernames, email addresses, and account numbers) should only be used to uniquely identify a person, whereas authenticators are used to prove one's identity. 

SW: How do you see the ‘Initial Authentication Problem’?

MD: Many online services need to establish a person's identity upon registration, and these services have been using Social Security Numbers, date of birth, and other (now) readily available information to authenticate the registrant. In the wake of the Equifax and other large-scale breaches, we need a new approach that online services can use to validate the identity of their users. 

SW: Do you believe your peers and their security teams have something to learn from the Equifax breach?

MD: There are many lessons to learn from the Equifax breach, but none of them are new. The more important story is that our personally identifiable information has now been breached many times over, and it therefore no longer has value for authenticating us.

Here is the complete agenda for the Bay Area conference. You can also explore attendee options and register here for a day of powerful takeaways to help you secure your organization.
