We’ve touched on this topic in a number of ways “over the years”, but never specifically looked at Identity – our identity and how it is handled, and yes, mistreated, in the digital world.
I don’t intend to go over old ground again, but will provide a basis to introduce what will be the main subject of today – Passkeys, which Iain will present. I will do that by referencing previous posts on this website.
We start with the first post I wrote way back in 2015, aptly entitled “Let’s start at the beginning …“. In this I go through the basic steps in creating a strong password and a few other things besides.
Then in 2020 we discussed using Password Managers in the post “Using a Password Manager and implementing Two Factor Authentication”, which again reviews setting a password before moving into the area of password managers – these have the advantage that your passwords can be made available on any machine, anywhere, because they are held in encrypted form in the cloud. This post also introduces the idea of Two Factor Authentication (2FA), whereby, having logged into a website with your password, you are challenged to use an application (usually held on your smartphone), e.g. Google’s Authenticator or Authy (the one I use), to provide a second credential to the website to confirm you are who you say you are! [I’m afraid the images appear to be missing, but I’ll try and find them!!!]
Earlier this year (in January) I touched on Passkeys in the post “Prevention and protection from Scams“, which also referenced my main post on the subject – “Keeping safe online” – which I’ve tried to keep up-to-date and will review again in the near future.
And then, in March 2025, I made you aware of the value of having an Apple ID and account – even if you’re not an Apple user – as a means of getting a set of user credentials (an Identity) that you can use instead of supplying your regular email address and creating a password when a website asks you to, often for purchases. Apple is well recognised for its privacy and security concerns and, unlike Microsoft, Google, Facebook or X, is more likely than any of the others not to use your Identity for any purpose other than providing you with a digital identity.
That leads nicely into a bit of history from my working life at Cardiff University that I’ve never shared with you before, and which I’m very pleased to have been part of. Let me paint a picture; you need to go back 20 years. I’ll share a number of scenarios.
First. You’re a student, or a member of staff; you want an email address, you want to access file store, you want to access the growing number of resources available from the internet through the library, or even just manage your library subscription. You need a UserID and Password – or multiple UserIDs and Passwords – to do what you want to do online. Nothing new here; it’s what you experience every time you access a new website! But quite a drudge when you’re in the same institution.
Solution. The IT department creates a unified Identity system that all departments can use. A single UserID and Password for each user.
However. If the staff member or student (on vacation at home, say) wanted to access their email, file store, or whatever from another institution, they usually couldn’t, and the best they could hope for was applying for a “temporary” or “guest user” account, which would at best provide only limited privileges at the visited institution. Rather frustrating.
Solution. Cardiff University, through the work of a young researcher – Rhys Smith (who is tragically no longer with us) – investigated and implemented (with external funding from JISC) a technology that went by the name of Shibboleth but is more accurately described as an implementation of the Security Assertion Markup Language (SAML) architecture, providing Single Sign On to all resources within an organisation in the first instance …
In information technology, Shibboleth is a community-wide password that enables members of that community to access an online resource without revealing their individual identities. The origin server can vouch for the identity of the individual user without giving the target server any further identifying information. Hence the individual user does not know the password that is actually employed – it is generated internally by the origin server – and so cannot betray it to outsiders.
… but then, by binding other organisations together into Federations, allowed all users of a federated organisation to access the resources they were entitled to use (according to their home organisation’s permission policies) from any other institution in the same federation. In the UK this became the UK HE Federation. Nirvana! [Following on from this, in due course individual Federations applied to become members of more universal federated access arrangements, and Microsoft and Google (for instance) implemented federated access using SAML 2.0.]
But how about WiFi, wasn’t that the solution anyway? Well yes, in one sense, but if you wanted to move from one campus to another and use that institution’s WiFi network you still had to apply for a separate UserID and Password. The work Cardiff did was to extend their work with SAML/Shibboleth to provide WiFi Roaming, which meant that you could move between institutions and your home institution would provide the credentials that allowed you to log in on different campuses.
End of history, but a fine exemplar of the implementation of Single Sign On. My role … I led a UK project to encourage and develop good practice in Identity Management within institutions, and then to encourage the institutions to take up Shibboleth and Federated Access Management. For more information on this you can refer to Perplexity (of course!!!)
And so to Passkeys …
2025-07-22-U3A-DM-Passkeys-v01
Link to the Google video on YouTube about Passkeys.
Finally, a couple of links to hardware implementations of Identity Security …
Claude …
Can you detail and describe physical devices used for identity purposes to allow access to systems, i.e. dongles or USB-stick-based devices
Physical identity devices for system access come in several forms, each with different security mechanisms and use cases:
Hardware Security Keys
FIDO2/WebAuthn Keys (like YubiKey, Google Titan, SoloKeys)
- Small USB, NFC, or Bluetooth devices that implement open authentication standards
- Generate cryptographic signatures to prove identity without transmitting secrets
- Often feature a physical button that must be pressed to authorize access
- Resistant to phishing attacks since they’re bound to specific domains
- Support multiple authentication protocols (FIDO2, U2F, PIV, OATH)
Smart Cards and Tokens
PIV/CAC Cards
- Credit card-sized devices with embedded chips
- Common in government and enterprise environments
- Require PIN entry and card reader
- Store certificates and cryptographic keys securely
USB Cryptographic Tokens
- Larger than security keys, often with displays and keypads
- Can store multiple certificates and keys
- Some generate time-based one-time passwords (TOTP)
- Examples include SafeNet eToken, Nitrokey Pro
Biometric Devices
USB Fingerprint Readers
- Standalone devices that authenticate users via fingerprint
- Often used with Windows Hello or similar systems
- Can be integrated into keyboards or mice
Facial Recognition Dongles
- Less common but emerging technology
- Small cameras that perform facial authentication
Specialized Security Dongles
Software License Dongles
- Protect expensive software from piracy
- Contain encrypted keys that applications check
- Examples include HASP dongles, Sentinel keys
Cryptocurrency Hardware Wallets
- Secure devices for managing digital currency private keys
- Examples include Ledger, Trezor devices
- Often require physical confirmation for transactions
Technical Characteristics
These devices typically feature:
- Tamper-resistant hardware that protects stored secrets
- Secure elements or trusted platform modules (TPMs)
- Various connectivity options (USB-A, USB-C, NFC, Bluetooth)
- Battery-free operation (powered by host device)
- Cross-platform compatibility
The main security advantage is that sensitive cryptographic material never leaves the device, making them highly resistant to remote attacks and credential theft compared to software-only solutions.
… and from ChatGPT.
