In a digital economy driven by mobility, peer to peer interactions, rapidly changing end user requirements, where trust must be established, safeguarding individual privacy and creating interactions that protects both parties while delivering a pleasant user experience across multiple computing environments; the problem is that current identity and authentication methods are unable to meet the current demand, therefore becoming a bottleneck for innovation and growth.
Privacy breaches and on going leaks have undermined individuals trust on organizations and their ability to safeguard information. The use of complex passwords or authentication methods increase application abandonment and adoption.
Part of the problem is the ever burgeon number of applications that end users must access, all using similar authentication methodologies of user name and passwords. The value and integrity of the password approach starts to deteriorate rapidly, due to the reuse of passwords, leaving the perceived front door to applications wide open for malicious access.
Attackers have identified the weakest link in any organization; the human link. Creating sophisticated attacks (i.e.: behavior, phishing, social, etc.) that leverage the knowledge and information gathered in unrelated activities and apply them for targeted attacks into asset rich organizations or enterprises.
Organizations response, is implementing increasing complex password requirements and user training, compounding the problem by adding to the user frustration and password reuse. Instead they should be looking at modern identity and authentication methods and applying them to their environments, focusing on a achieving a good user experience while implementing strong authentication methods that no longer rely on passwords.
“The advantages of a digital ID outweigh the concerns over not having access if a phone’s battery dies, a new OWI Labs survey has found, as 61 percent of respondents indicated they would use a digital-only driver’s license” .
The advent of a digital identity that is issued by a trusted authority and under the control of the individual (i.e.: digital driver’s license) is a step forward. Addressing one of the greatest security weakness: the use of passwords for authentication and access to consumer or enterprise systems.
The pace of innovation is uprooting the whole identity ecosystem, with multiple approaches to solving this problem. In my opinion, a problem that will not be solved by a single method, but by the aggregation, interaction of multiple ones, leveraging interoperating standards driven by the issuance of digital identities that have been properly vetted, issued in a method that is trusted, recognized by relying parties and any other organizations requiring access to the information to allow for secure access and interaction to their services.
Countries like Estonia, India, Korea, China and others are paving the way for the ubiquitous use of digital identities as innovation drivers and we should be learning from their successes and shortcomings.
At the core, the strategy is driven by the issuance of digital identities. Identities that are in control of the individual and that are issued by a recognized and trusted organization. This approach provides a new level of assurance to relying parties, minimizing their risk, reducing their operational cost for user management while creating a pleasant experience for the end user.
Some of the key components are:
Digital identities – Vetted and issued by a trusted authority, like a government agency or other recognized institution (banks) and bound to the individual is a key component of this upcoming transition to a new identity model.
The immutable ledger that the blockchain protocol provides can be a path for external organizations that interact with the individual (i.e.: education systems that issue credentials, financial institutions that have regular interaction, medical institutions that treat the individual) to provide knowledge based assertions on the individual. Binding the assertion to an immutable record that is rooted on the vetted identity. Providing a verifiable method for the proper relying party to access.
Personas are a way for individuals to interact with relying parties. They are constructed to meet the requirements of the relying parties. Today, they are being generated by the relying party, by moving them under the control of the individual, who has the ability to select what attributes of their identity can be shared, retained or used for a specific time, enhancing privacy by controlling the use of information shared for a given transaction.
An additional role that personas provide is that they performed as a bridge between the current and modern technology, leveraging the best of both areas to meet todays needs, while the new methods are being developed. For examples, current digital identities are grounded on the PKI standard or other legacy technologies, and personas can expand the value of the identity by incorporating attributes created by the efforts around self sovereign identities ( i.e: Sovring, Everyn, Veres ) creating a strong and transparent model for relying parties that enhance their risk evaluation models and improve their decision making methods.
Modern based authentication methods that can leverage sensorial information, biometric, face recognition and other capabilities are becoming much more prevalent. Creating a ubiquitous experience between all computing environments - i.e.: FIDO Alliance new FIDO2 protocol. This new approach is providing an opportunity to deliver strong authentication that is based on a given persona, rooted on a vetted identity, supported by fresh and verifiable attributes all reducing end user friction and lower operational cost.
The use of multiple technologies and methods, where users have control of their identity, share the information that is relevant and relying parties can trust and verify the information provided, it is opening up new methods of user interactions that are no longer constrained by passwords, dated information, complex recovery activities and compliance requirements.
The impact of moving the identity conversation from current methods to one that is modern, mobile and distributed provides an innovation platform that is rooted on security and privacy and driven by a digital identity properly vetted and issued by trusted parties under the control of the individual, moves the conversation identity from and afterthought to the forefront of any discussion around product development, computing architecture and other technology advancements.