Usernames and passwords are an integral part of our work and personal life. According to a 2012 survey published in TechCrunch, the average person has 17 personal passwords and 8.5 work passwords. And it’s safe to say that the number of passwords has only increased over the past four years.
To further its goal of delivering innovative solutions that reduce risk, create market efficiencies and reduce costs, The Depository Trust & Clearing Corporation (DTCC) has, over the past year, begun laying the foundation for a robust, user-friendly digital ID (aka digital certificate) management system. The initial use of the system will be to manage the digital IDs used by DTCC clients and internal-facing web services platforms to ensure that digital IDs do not expire. If a digital ID for a DTCC application expires, clients will not be able to access the application. The use of digital IDs will also deliver added benefits to an already robust DTCC security protocol.
Users must have the certificate and the key before they can access DTCC applications. Having one without the other is not enough.
Digital Certificates: How they work
Digital certificates allow DTCC and its clients to utilize the security applications of our Public Key Infrastructure (PKI). A PKI establishes and maintains a trustworthy networking environment by providing key and certificate management services that enable encryption and digital signature capabilities across applications. Digital certificates allow DTCC and client web servers to identify and validate each other without the need for usernames and passwords.
Digital certificates are the next phase of cyber security, said Chris Koutras, DTCC Director, Technology Risk Management Security Architecture and Technology. “The technology of the user name and password has not kept pace with the evolution of our digital world,” he said. “Our digital world has grown more complex and with that so has the need for a stronger authentication process that is more secure.”
Think of it as the evolution from the horse and buggy to the automobile. The horse and buggy (username and password) served as the primary mode of transportation until it was surpassed by a more efficient way to travel - the automobile (digital IDs).
Digital IDs provide a wealth of advantages over traditional usernames and passwords:
- Avoid the fat finger – multiple log-in attempts with an incorrect username/password combination that would lock a client out of the system.
- Digital IDs are more secure.
- Digital IDs are more efficient because the certificate validation lasts longer (less updating/renewing).
- Many username/password systems do not send an alert that credentials are expiring.
- Certificates can be renewed by clients through a self-service portal.
- Certificates are in line with good business practices.
Koutras said a growing number of clients have been asking about digital IDs as a way to reduce the alphabet soup of usernames and passwords they have to manage at work.
“The benefits of digital IDs touch multiple sides of the business,” Koutras said. “On one side, the technical departments appreciate the security benefits, while the business side appreciates the efficiency and alignment with good business practices.”
Putting digital certificates to work at DTCC
Currently, DTCC has approximately 2,000 digital certificates for client-facing applications that exchange encrypted data. The goal is to have the infrastructure in place by the end of 2016 to automate the digital ID renewal process in 2017.
Koutras noted that DTCC may never get to a point where it eliminates the use of all usernames/passwords in favor of digital certificates. “Usernames and passwords have been with us a long time,” he said. “I have no illusion that they’ll go away, but where we can employ digital IDs, we’ll certainly look to do so.”
For 2017, Koutras said DTCC is focused on updating digital certificates for all client-facing web applications. “These initial changes should be transparent to our clients,” he said. “As we look to make wider use of digital IDs, there will be more communication with the clients on what to expect.”