Holding the Keys to Identifying Who’s Who in the Metaverse
Solutions Review’s Expert Insights Series is a collection of contributed articles written by industry experts in enterprise software categories. Tim Callan of Sectigo explains the importance of being able to tell who’s who in the Age of the Metaverse.
Secure online transactions today require a strong notion of digital trust in human and machine (i.e., software, bots, devices, etc.) identities. Think of every email that gets sent, every electronic financial transaction that moves funds from one person or business to another, and every IoT device gathering and relaying data at this very moment. None of this is possible without verifying the identity of the person or machine involved in that information exchange. A weak digital identity is susceptible to attack. Without proper identity-security controls, bad actors will compromise identities to gain access and steal digital assets like sensitive data, NFTs, currency, and more.
Securing and managing digital identities is a complex undertaking for enterprises because the number of identities accessing data in the workplace continues to grow. In 2023, the situation will become even more complicated as interacting in the metaverse, both as a consumer and as an employee, inches closer to reality. The hope is that the metaverse, like today’s internet, will use the same best practices for security and privacy, rooted in strong identities. If the metaverse is built on fragile identity security methods, adoption will suffer, and this virtual world won’t reach its full potential.
What Is the Metaverse?
Before discussing what the metaverse’s identity security should look like, it’s vital to first understand what the metaverse is, as definitions vary. There’s general agreement that it’s an immersive digital world where participants can carry out many of the same functions as they do in the physical world – everything from work and education to commerce and entertainment. Games like Second Life and Fortnite have already offered a preview of what the metaverse will look like, as has Meta’s new offering Horizon Worlds. These digital worlds contain not just avatars that represent the individuals entering the metaverse and interacting with others, but also scores of digital objects that populate these worlds, from cars and clothing to comedy clubs. While full of exciting possibilities, these new worlds present significant challenges from an identity security perspective.
For instance, how can you be sure that the “Mark Zuckerberg” you’re encountering in one of these virtual worlds is actually Meta founder and CEO Mark Zuckerberg and not a random impostor? How can you be sure that the digital Prada shoes you purchase for your avatar are actually from Prada and not a knock-off retailer? How can you be sure that the different partners and colleagues you’re reviewing CAD files with in a virtual collaboration workspace are who they say they are? Identifying who’s who is just as important in the metaverse as it is in the physical world or the current digital world – and public key infrastructure (PKI) has a critical role to play.
The core technology enabling PKI is public key cryptography, a cryptographic mechanism that relies on two related keys, a public key and a private key. An asymmetric key-generation algorithm creates the two keys together as a pair. Unlike the publicly accessible public key, the private key is a secret known only to its owner. Together, the two form a strong key pair that is bound mathematically. One of the unique advantages of PKI is that it can establish, verify, and secure the identity of humans and machines. In fact, digital certificates (which use PKI) are the gold standard when it comes to establishing digital trust and verifying and securing digital identities. They even improve security by replacing passwords, which attackers have become increasingly adept at stealing.
Establishing Identity Definitively
Consider some of the metaverse use cases listed earlier. A digital certificate could be used to establish the identity of Mark Zuckerberg – the Meta founder and CEO who resides in Silicon Valley – and differentiate him beyond a shadow of a doubt from Mark Zuckerberg the vacuum salesman from Dayton, Ohio – if they both happen to be traversing a virtual space like Horizon Worlds. Even more intriguing, PKI can help maintain a consistent identity across virtual spaces. In the same way that a passport in the physical world allows Mark Zuckerberg to travel from the United States to Spain, and then on to Malaysia while verifying and proving his identity along the way, a digital certificate would allow Mark to maintain a verifiable identity across Horizon Worlds, Fortnite, and other virtual spaces.
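The scenario above as an added Go example (not code from the article or from Sectigo): a constructed CA issues certificates to two parties who share a display name, and a verifier accepts an identity only when the certificate chains to the trusted root and the presenter signs a fresh nonce with the matching private key. The CA name, the organization strings, and the `Issue` and `Identify` helpers are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Issue returns a certificate and private key for (cn, org), signed by the CA; self-signed if caCert is nil.
func Issue(cn, org string, caCert *x509.Certificate, caKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn, Organization: []string{org}}, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	if caCert == nil { // self-signed: the certificate only vouches for itself
		tmpl.IsCA, tmpl.KeyUsage, caCert, caKey = true, x509.KeyUsageCertSign, tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, caCert, pub, caKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Identify returns the CA-vouched subject only if cert chains to root and the presenter proves key possession.
func Identify(root, cert *x509.Certificate, presenterKey ed25519.PrivateKey) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: pool}); err != nil {
		return "", err // not issued by the trusted CA, expired, etc.
	}
	nonce := make([]byte, 32) // fresh challenge, so an old signature cannot be replayed
	rand.Read(nonce)
	sig := ed25519.Sign(presenterKey, nonce) // the presenter's side of the exchange
	if !ed25519.Verify(cert.PublicKey.(ed25519.PublicKey), nonce, sig) { // all certs here are Ed25519
		return "", fmt.Errorf("presenter does not hold the certificate's private key")
	}
	return cert.Subject.String(), nil
}

func main() {
	root, rootKey := Issue("Constructed Identity CA", "Constructed", nil, nil) // constructed names
	ceo, ceoKey := Issue("Mark Zuckerberg", "Meta", root, rootKey)
	fmt.Println(Identify(root, ceo, ceoKey))
}
```

A self-signed certificate claiming the same name and organization, or a copied certificate presented without its private key, is rejected by `Identify`.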
Likewise, a successful business like a comedy club in the metaverse that has built up a reputation as a purveyor of quality comedy – let’s call it The Laugh House – would be able to establish itself as The Laugh House using digital certificates, distinguishing itself from both pale imitators hoping to cash in on its reputation and entirely independent businesses that happen to have the same name. People entering the metaverse looking for laughs, in turn, would know that they were entering the establishment they actually planned on visiting rather than some other entity.
To make this a reality, enterprises doing business in the metaverse need to ensure that they are incorporating digital certificates from day one, taking an identity-first approach. There are some lessons to be learned here from when enterprises first moved online and started doing business on the web: Those companies that wove security into the fabric of their websites, e-commerce functions, and services right from the beginning were better positioned than those who had to retroactively enable secure transactions. The same principle applies for the metaverse: Those companies that embrace digital certificates will be able to establish identity and securely transact business in this new realm. Of course, with this increased volume of digital certificates, there will be a need for enterprises to use automated Certificate Lifecycle Management (CLM) solutions to handle the massive new set of decentralized identities in the metaverse. Without this essential piece of the puzzle, it will be difficult to manage digital identities in a scalable manner for the ever-expanding metaverse and all of the use cases that have yet to be discovered.
The Confidence to Transact Securely in the Metaverse
The risk of identity theft and impersonation is just as dangerous in the metaverse as it is in the current physical and digital worlds. PKI should be woven into the fabric of the metaverse right from the beginning and utilized in conjunction with CLM as a proactive measure against fraud and deception. In this way, individuals and enterprises can boldly move forward in this new realm, confident that they actually know who’s who in the metaverse.
- Holding the Keys to Identifying Who’s Who in the Metaverse - February 24, 2023