The bad guys understand identities and identity systems much better than the so-called experts that design and operate them.

Our identity access management systems operate as if they were designed for ease of penetration by the bad guys.

“What?!!! You don’t mean that?”

“Yes, I do. I have yet to see an identity management system that does not favor the attacker. There is one very basic fact that attackers understand but seems to elude IAM system designers and operators.”

“What is that?”

“There is no actual connection between people’s identities and any credential.”

“That can’t be true. We take great steps to authenticate identities. Just look at the requirements like FIPS 201 or HSPD 12.”

“That is exactly my point – let’s look at how our system works in reality. I have several levels of PIV CAC cards that I carry. These are the strongest credentials the government issues. They are fully compliant with both FIPS 201 and HSPD 12.”

“I see those cards. You had to use one to get into this office. It even has your fingerprint on it.”

“Sometime I’ll show you how you can use a utility bill to get a Level IV PIV card. But now, let me prove to you that none of these credentials has any actual connection to me. I see you have an industrial grade shredder in your office.”

“Yes, it can shred nearly anything.”

“Could it shred one of my CAC cards?”


“It has blades that will cut my card into tiny unrecognizable bits. I bet if you stuck your finger in there it would be most unpleasant.”

“It sure would. You would not want any part of you in that thing!”

“OK, here is my CAC card – it even has a chip with my fingerprint on it. Do you still believe it has any connection to me and my identity?”

“Of course.”

“OK, stick the card in the shredder.”

“What? OK.”

(Loud grinding and shredding noises…)

“I guess my CAC card is toast, huh?”


“I didn’t feel a thing. I think my identity is unchanged and my actual fingers that leave fingerprints are unscathed by the shredding. Where is the connection between my CAC card and me and my identity? Let’s try something else with another CAC card I have around my neck. Can I put it on your desk?”


“OK, I want you to watch it carefully, especially my picture on the card.”


I set the card on the desk and walk to the other side of the room and am now facing in the opposite direction.

“You can tell that I moved to the other side of your office and am facing a different direction, right?”


“While I did that, you watched my CAC card carefully. Did it move? Is my picture on the card turned around?”

“Of course not.”

“So we are also unconnected in that way as well. Would you mind placing a call to our Director of Security? Would you ask him if he has noticed any change in my records in his system?”

“Why would I do that?”

“Well, if there was some sort of connection between my identity information and my identity elsewhere he should be able to detect that.”

“Of course there is no connection.”

“Now do you understand? It is this lack of actual connectivity that bad guys get to exploit to come in here and eat our lunch!”

